f868e88eb2524d15cfcd87afdf697074e0f9785792f342044501347dce549a1f

Resubmissions

25-01-2021 08:35

210125-cq2gjr6x2s 10

30-07-2019 12:34

190730-twrv8j2yqn 0

Sharing

Copy URL

Twitter E-mail

General

Target

m)hhm.exe
Sample

190730-twrv8j2yqn
SHA256

f868e88eb2524d15cfcd87afdf697074e0f9785792f342044501347dce549a1f

Score

N/A

Malware Config

Signatures

Suspicious use of WriteProcessMemory 1 TTPs 8 IoCs

Process Injection

T1055

description	pid
PID 1180 wrote to memory of 868	868
PID 1180 wrote to memory of 1772	1772
PID 1180 wrote to memory of 2796	2796
PID 1180 wrote to memory of 2840	2840
PID 1180 wrote to memory of 2280	2280
PID 1180 wrote to memory of 2020	2020
PID 1180 wrote to memory of 2408	2408
PID 1180 wrote to memory of 1424	1424

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\780-0\Microsoft.PowerShell.Utility.Activities.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\95ba4899f658f739a2a9f74896f9f387\Microsoft.PowerShell.Utility.Activities.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\838-0\Microsoft.PowerShell.Workflow.ServiceCore.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\43318a90223fca7f3df29ad55b59382e\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\8a8-0\Microsoft.Windows.DSC.CoreConfProviders.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719#\eea6c6f43b338e0bdeac71fb35bf254d\Microsoft.Windows.DSC.CoreConfProviders.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\928-0\Microsoft.WSMan.Management.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664#\5485e11ac0e4f0f52bde2b8cfdc783ae\Microsoft.WSMan.Management.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\9ac-0\Microsoft.WSMan.Management.Activities.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001#\31442bf47481031d2ffc618719a526d4\Microsoft.WSMan.Management.Activities.ni.dll.aux.tmp

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\a14-0\Microsoft.WSMan.Runtime.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb#\c80373093de278b947eba63c75e1dc5c\Microsoft.WSMan.Runtime.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129
Enumerates processes with tasklist 1 TTPs

Process Discovery
T1057

Suspicious use of AdjustPrivilegeToken 1 TTPs 1 IoCs

Access Token Manipulation

T1134

description
Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 2840 wrote to memory of 2864	2864

Suspicious use of AdjustPrivilegeToken 1 TTPs 20 IoCs

Access Token Manipulation

T1134

description
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeLoadDriverPrivilege
Token: SeSystemProfilePrivilege
Token: SeSystemtimePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeIncBasePriorityPrivilege
Token: SeCreatePagefilePrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeRemoteShutdownPrivilege
Token: SeUndockPrivilege
Token: SeManageVolumePrivilege
Token: 33
Token: 34
Token: 35

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\ab8-0\System.Management.Automation.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ed18cbebc219551b9c8751127acc37ae\System.Management.Automation.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\95c-0\Microsoft.PowerShell.Commands.Management.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pae3498d9#\94a50c309cab8fd0a7b9f3f9d30bfa7d\Microsoft.PowerShell.Commands.Management.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\adc-0\Microsoft.PowerShell.Commands.Utility.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea#\3c31905935689790ae19814e443d0e69\Microsoft.PowerShell.Commands.Utility.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\b7c-0\Microsoft.PowerShell.ConsoleHost.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07#\199cfe0e93a1644147eeeb686532c57e\Microsoft.PowerShell.ConsoleHost.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\7dc-0\Microsoft.PowerShell.Core.Activities.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce#\abd7f39bddd5bc98242373ee1615ab63\Microsoft.PowerShell.Core.Activities.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 5 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\87c-0\Microsoft.PowerShell.Diagnostics.Activities.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1#\8ef96b02ffb05e145d43e74e4ec4a4af\Microsoft.PowerShell.Diagnostics.Activities.ni.dll.aux.tmp
C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\87c-0\Microsoft.WSMan.Runtime.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb#\7e551f4dc439944b2a2eb69bb9edc30a\Microsoft.WSMan.Runtime.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\8bc-0\Microsoft.PowerShell.Editor.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P10d01611#\9b722a0a3dc01d0c6194ffbfe25b563c\Microsoft.PowerShell.Editor.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\760-0\Microsoft.PowerShell.GPowerShell.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P0e11b656#\934b8f230a672944b178c7bbfb33a555\Microsoft.PowerShell.GPowerShell.ni.dll.aux.tmp

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\994-0\Microsoft.PowerShell.GraphicalHost.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pcd26229b#\8889d3661791480ba80246f12a5c2f48\Microsoft.PowerShell.GraphicalHost.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\9b0-0\Microsoft.PowerShell.ISECommon.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pd3efef62#\b8e01a33542a3ce3a189a2bae9530e8a\Microsoft.PowerShell.ISECommon.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\a64-0\Microsoft.PowerShell.Management.Activities.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786#\db532429e51fb52dcc881b6e56421bdc\Microsoft.PowerShell.Management.Activities.ni.dll.aux.tmp

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\a78-0\Microsoft.PowerShell.ScheduledJob.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P39041136#\0d1b6fe0b8138e850120ff7a88a3b07c\Microsoft.PowerShell.ScheduledJob.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\b00-0\Microsoft.PowerShell.Security.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626#\caaf26965ac83d6ce3cec7276b56e20f\Microsoft.PowerShell.Security.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\b1c-0\Microsoft.PowerShell.Security.Activities.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83#\59b82e63da9e424e1d6c9f76e309d9e3\Microsoft.PowerShell.Security.Activities.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\5a0-0\Microsoft.PowerShell.Utility.Activities.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5#\7a819854c83f3f4847304ff444080321\Microsoft.PowerShell.Utility.Activities.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\abc-0\Microsoft.PowerShell.Workflow.ServiceCore.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b#\125fc21007cedb909651d62fd3cb7d33\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll.aux.tmp

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\bd4-0\Microsoft.WSMan.Management.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We0722664#\eb8d35ee2ef448b0ac4b0e396927b26c\Microsoft.WSMan.Management.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4e0-0\Microsoft.WSMan.Management.Activities.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We9f24001#\c4b53787a23c4d79686fcc4ef7f58a65\Microsoft.WSMan.Management.Activities.ni.dll.aux.tmp

Enumerates processes with tasklist 1 TTPs

Process Discovery
T1057

Suspicious use of AdjustPrivilegeToken 1 TTPs 1 IoCs

Access Token Manipulation

T1134

description
Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid
PID 1424 wrote to memory of 496	496

Suspicious use of AdjustPrivilegeToken 1 TTPs 20 IoCs

Access Token Manipulation

T1134

description
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeLoadDriverPrivilege
Token: SeSystemProfilePrivilege
Token: SeSystemtimePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeIncBasePriorityPrivilege
Token: SeCreatePagefilePrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeRemoteShutdownPrivilege
Token: SeUndockPrivilege
Token: SeManageVolumePrivilege
Token: 33
Token: 34
Token: 35

Drops file in system dir 3 IoCs

description
C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\14c-0\System.Management.Automation.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\ngenlock.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\a89bf8155e3baf281fbf4882a96b6e2f\System.Management.Automation.ni.dll.aux.tmp

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Resubmissions

Sharing

General

Malware Config

Signatures

Processes