39d7b97907b7836d51b332d85ecdbf4cd5fa55de562959a020a6752adeea4e1c

General

Target

03ba23a85802f57beed2d5c69453c6d2.exe
Size

500KB
MD5

03ba23a85802f57beed2d5c69453c6d2
SHA1

3d83f5623299630fd6f57a567ac048c7d1853dcb
SHA256

39d7b97907b7836d51b332d85ecdbf4cd5fa55de562959a020a6752adeea4e1c
SHA512

028c6edb097565b888589159fb7c8eb92604c333ac58cd075447eb369ae2cd071b85ee0ffdd427ec448fe1b3070adfe26ff5c28482b997a630f8f95b719e2974

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

Processes:

pOwERsHeLl.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nameup.exe	pOwERsHeLl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nameup.exe	pOwERsHeLl.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

pOwERsHeLl.exe03ba23a85802f57beed2d5c69453c6d2.exe

pid	process
1520	pOwERsHeLl.exe
1520	pOwERsHeLl.exe
644	03ba23a85802f57beed2d5c69453c6d2.exe
644	03ba23a85802f57beed2d5c69453c6d2.exe
644	03ba23a85802f57beed2d5c69453c6d2.exe
644	03ba23a85802f57beed2d5c69453c6d2.exe
644	03ba23a85802f57beed2d5c69453c6d2.exe
644	03ba23a85802f57beed2d5c69453c6d2.exe
644	03ba23a85802f57beed2d5c69453c6d2.exe
644	03ba23a85802f57beed2d5c69453c6d2.exe
644	03ba23a85802f57beed2d5c69453c6d2.exe
644	03ba23a85802f57beed2d5c69453c6d2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pOwERsHeLl.exe03ba23a85802f57beed2d5c69453c6d2.exe

description pid process

Token: SeDebugPrivilege 1520 pOwERsHeLl.exe
Token: SeDebugPrivilege 644 03ba23a85802f57beed2d5c69453c6d2.exe

description	pid	process
Token: SeDebugPrivilege	1520	pOwERsHeLl.exe
Token: SeDebugPrivilege	644	03ba23a85802f57beed2d5c69453c6d2.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

03ba23a85802f57beed2d5c69453c6d2.exe

C:\Users\Admin\AppData\Local\Temp\03ba23a85802f57beed2d5c69453c6d2.exe
"C:\Users\Admin\AppData\Local\Temp\03ba23a85802f57beed2d5c69453c6d2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pOwERsHeLl.exe
"pOwERsHeLl.exe" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\03ba23a85802f57beed2d5c69453c6d2.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nameup.exe'
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Users\Admin\AppData\Local\Temp\03ba23a85802f57beed2d5c69453c6d2.exe
"C:\Users\Admin\AppData\Local\Temp\03ba23a85802f57beed2d5c69453c6d2.exe"
2⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\03ba23a85802f57beed2d5c69453c6d2.exe
"C:\Users\Admin\AppData\Local\Temp\03ba23a85802f57beed2d5c69453c6d2.exe"
2⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\03ba23a85802f57beed2d5c69453c6d2.exe
"C:\Users\Admin\AppData\Local\Temp\03ba23a85802f57beed2d5c69453c6d2.exe"
2⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\03ba23a85802f57beed2d5c69453c6d2.exe
"C:\Users\Admin\AppData\Local\Temp\03ba23a85802f57beed2d5c69453c6d2.exe"
2⤵
PID:568

C:\Users\Admin\AppData\Local\Temp\03ba23a85802f57beed2d5c69453c6d2.exe
"C:\Users\Admin\AppData\Local\Temp\03ba23a85802f57beed2d5c69453c6d2.exe"
2⤵
PID:684

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/644-7-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/644-3-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/644-32-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/644-2-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/1520-11-0x0000000004690000-0x0000000004691000-memory.dmp

Filesize
4KB

Download
memory/1520-14-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1520-9-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1520-10-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/1520-6-0x00000000765E1000-0x00000000765E3000-memory.dmp

Filesize
8KB

Download
memory/1520-13-0x0000000004712000-0x0000000004713000-memory.dmp

Filesize
4KB

Download
memory/1520-12-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/1520-8-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/1520-17-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/1520-22-0x00000000060A0000-0x00000000060A1000-memory.dmp

Filesize
4KB

Download
memory/1520-23-0x00000000060E0000-0x00000000060E1000-memory.dmp

Filesize
4KB

Download
memory/1520-30-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/1520-31-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1520-5-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 644 wrote to memory of 1520	644	03ba23a85802f57beed2d5c69453c6d2.exe	pOwERsHeLl.exe
PID 644 wrote to memory of 1520	644	03ba23a85802f57beed2d5c69453c6d2.exe	pOwERsHeLl.exe
PID 644 wrote to memory of 1520	644	03ba23a85802f57beed2d5c69453c6d2.exe	pOwERsHeLl.exe
PID 644 wrote to memory of 1520	644	03ba23a85802f57beed2d5c69453c6d2.exe	pOwERsHeLl.exe
PID 644 wrote to memory of 848	644	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 644 wrote to memory of 848	644	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 644 wrote to memory of 848	644	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 644 wrote to memory of 848	644	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 644 wrote to memory of 576	644	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 644 wrote to memory of 576	644	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 644 wrote to memory of 576	644	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 644 wrote to memory of 576	644	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 644 wrote to memory of 1480	644	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 644 wrote to memory of 1480	644	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 644 wrote to memory of 1480	644	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 644 wrote to memory of 1480	644	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 644 wrote to memory of 568	644	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 644 wrote to memory of 568	644	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 644 wrote to memory of 568	644	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 644 wrote to memory of 568	644	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 644 wrote to memory of 684	644	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 644 wrote to memory of 684	644	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 644 wrote to memory of 684	644	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe
PID 644 wrote to memory of 684	644	03ba23a85802f57beed2d5c69453c6d2.exe	03ba23a85802f57beed2d5c69453c6d2.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads