Tasks: task1, task2

General
  Target: Exes_5b4bd24d6240f467bfbc74803c9f15b0.exe
  Sample: 190729-bmdfjqpyga
  SHA256: 14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e
  Score:  N/A

Malware Config

Signatures
Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
  description                          pid
  PID 1952 wrote to memory of 1984     1984

Suspicious use of WriteProcessMemory (1 TTPs, 4 IoCs)
  description                          pid
  PID 1984 wrote to memory of 1776     1776
  PID 1984 wrote to memory of 1804     1804
  PID 1984 wrote to memory of 1284     1284
  PID 1984 wrote to memory of 1908     1908

Suspicious use of AdjustPrivilegeToken (1 TTPs, 1 IoCs)
  description
  Token: SeDebugPrivilege

Suspicious behavior: EnumeratesProcesses

Drops file in system dir (3 IoCs)
  description
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\7dc-0\Microsoft.PowerShell.Workflow.ServiceCore.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\43318a90223fca7f3df29ad55b59382e\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll.aux.tmp

Loads dropped DLL (1 TTPs)

Drops file in system dir (3 IoCs)
  description
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\798-0\Microsoft.Windows.DSC.CoreConfProviders.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719#\eea6c6f43b338e0bdeac71fb35bf254d\Microsoft.Windows.DSC.CoreConfProviders.ni.dll.aux.tmp

Loads dropped DLL (1 TTPs)

Drops file in system dir (3 IoCs)
  description
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\7a4-0\Microsoft.WSMan.Management.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664#\5485e11ac0e4f0f52bde2b8cfdc783ae\Microsoft.WSMan.Management.ni.dll.aux.tmp

Loads dropped DLL (1 TTPs)

Loads dropped DLL (1 TTPs)

Loads dropped DLL (1 TTPs)

powershell_execpolicy (1 TTPs)
Drops file in system dir (3 IoCs)
  description
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\7f4-0\Microsoft.WSMan.Management.Activities.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001#\31442bf47481031d2ffc618719a526d4\Microsoft.WSMan.Management.Activities.ni.dll.aux.tmp

Suspicious use of AdjustPrivilegeToken (1 TTPs, 1 IoCs)
  description
  Token: SeDebugPrivilege

Suspicious behavior: EnumeratesProcesses

powershell_execpolicy (1 TTPs)

Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
  description                          pid
  PID 1804 wrote to memory of 1916     1916

Suspicious use of AdjustPrivilegeToken (1 TTPs, 1 IoCs)
  description
  Token: SeDebugPrivilege

Suspicious behavior: EnumeratesProcesses

Drops file in system dir (3 IoCs)
  description
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\33c-0\Microsoft.WSMan.Runtime.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb#\c80373093de278b947eba63c75e1dc5c\Microsoft.WSMan.Runtime.ni.dll.aux.tmp

Loads dropped DLL (1 TTPs)

Deletes itself (1 TTPs)
Drops file in system dir (8 IoCs)
  description
  C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\788-0\System.Management.Automation.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ed18cbebc219551b9c8751127acc37ae\System.Management.Automation.ni.dll.aux.tmp
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\788-0\Microsoft.PowerShell.Diagnostics.Activities.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1#\8ef96b02ffb05e145d43e74e4ec4a4af\Microsoft.PowerShell.Diagnostics.Activities.ni.dll.aux.tmp
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\788-0\Microsoft.WSMan.Management.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We0722664#\eb8d35ee2ef448b0ac4b0e396927b26c\Microsoft.WSMan.Management.ni.dll.aux.tmp

Drops file in system dir (3 IoCs)
  description
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\648-0\Microsoft.PowerShell.Activities.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb#\432c82e5ea155493fb0b1b8566d47ca0\Microsoft.PowerShell.Activities.ni.dll.aux.tmp

Loads dropped DLL (1 TTPs)

Drops file in system dir (3 IoCs)
  description
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\340-0\Microsoft.PowerShell.Commands.Diagnostics.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe#\e7cff9a972c7e895395ce19219ee7e10\Microsoft.PowerShell.Commands.Diagnostics.ni.dll.aux.tmp

Loads dropped DLL (1 TTPs)

Drops file in system dir (5 IoCs)
  description
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\768-0\Microsoft.PowerShell.Commands.Management.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pae3498d9#\94a50c309cab8fd0a7b9f3f9d30bfa7d\Microsoft.PowerShell.Commands.Management.ni.dll.aux.tmp
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\768-0\Microsoft.WSMan.Management.Activities.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We9f24001#\c4b53787a23c4d79686fcc4ef7f58a65\Microsoft.WSMan.Management.Activities.ni.dll.aux.tmp

Loads dropped DLL (1 TTPs)

Drops file in system dir (3 IoCs)
  description
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\7b4-0\Microsoft.PowerShell.Commands.Utility.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea#\3c31905935689790ae19814e443d0e69\Microsoft.PowerShell.Commands.Utility.ni.dll.aux.tmp

Loads dropped DLL (1 TTPs)

Drops file in system dir (3 IoCs)
  description
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\784-0\Microsoft.PowerShell.ConsoleHost.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07#\199cfe0e93a1644147eeeb686532c57e\Microsoft.PowerShell.ConsoleHost.ni.dll.aux.tmp

Loads dropped DLL (1 TTPs)

Drops file in system dir (3 IoCs)
  description
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\6b4-0\Microsoft.PowerShell.Core.Activities.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce#\abd7f39bddd5bc98242373ee1615ab63\Microsoft.PowerShell.Core.Activities.ni.dll.aux.tmp

Loads dropped DLL (1 TTPs)

Loads dropped DLL (1 TTPs)

Drops file in system dir (5 IoCs)
  description
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\38c-0\Microsoft.PowerShell.Editor.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P10d01611#\9b722a0a3dc01d0c6194ffbfe25b563c\Microsoft.PowerShell.Editor.ni.dll.aux.tmp
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\38c-0\Microsoft.PowerShell.Management.Activities.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786#\db532429e51fb52dcc881b6e56421bdc\Microsoft.PowerShell.Management.Activities.ni.dll.aux.tmp

Loads dropped DLL (1 TTPs)

Loads dropped DLL (1 TTPs)
Drops file in system dir (3 IoCs)
  description
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1f0-0\Microsoft.PowerShell.GPowerShell.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P0e11b656#\934b8f230a672944b178c7bbfb33a555\Microsoft.PowerShell.GPowerShell.ni.dll.aux.tmp

Drops file in system dir (3 IoCs)
  description
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\54c-0\Microsoft.PowerShell.GraphicalHost.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pcd26229b#\8889d3661791480ba80246f12a5c2f48\Microsoft.PowerShell.GraphicalHost.ni.dll.aux.tmp

Loads dropped DLL (1 TTPs)

Drops file in system dir (3 IoCs)
  description
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\238-0\Microsoft.PowerShell.ISECommon.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pd3efef62#\b8e01a33542a3ce3a189a2bae9530e8a\Microsoft.PowerShell.ISECommon.ni.dll.aux.tmp

Loads dropped DLL (1 TTPs)

Loads dropped DLL (1 TTPs)

Drops file in system dir (3 IoCs)
  description
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\590-0\Microsoft.PowerShell.ScheduledJob.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P39041136#\0d1b6fe0b8138e850120ff7a88a3b07c\Microsoft.PowerShell.ScheduledJob.ni.dll.aux.tmp

Loads dropped DLL (1 TTPs)

Drops file in system dir (3 IoCs)
  description
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\5d8-0\Microsoft.PowerShell.Security.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626#\caaf26965ac83d6ce3cec7276b56e20f\Microsoft.PowerShell.Security.ni.dll.aux.tmp

Loads dropped DLL (1 TTPs)

Loads dropped DLL (1 TTPs)

Loads dropped DLL (1 TTPs)

Drops file in system dir (3 IoCs)
  description
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\664-0\Microsoft.PowerShell.Security.Activities.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83#\59b82e63da9e424e1d6c9f76e309d9e3\Microsoft.PowerShell.Security.Activities.ni.dll.aux.tmp

Loads dropped DLL (1 TTPs)

Drops file in system dir (3 IoCs)
  description
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\64c-0\Microsoft.PowerShell.Utility.Activities.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5#\7a819854c83f3f4847304ff444080321\Microsoft.PowerShell.Utility.Activities.ni.dll.aux.tmp

Loads dropped DLL (1 TTPs)

Drops file in system dir (3 IoCs)
  description
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1ec-0\Microsoft.PowerShell.Workflow.ServiceCore.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b#\125fc21007cedb909651d62fd3cb7d33\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll.aux.tmp

Loads dropped DLL (1 TTPs)

Drops file in system dir (3 IoCs)
  description
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\6f0-0\Microsoft.WSMan.Runtime.dll
  C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb#\7e551f4dc439944b2a2eb69bb9edc30a\Microsoft.WSMan.Runtime.ni.dll.aux.tmp

Loads dropped DLL (1 TTPs)