23f9a81888e9d5de95fbfdab513baa577a46f6dd94d1f1537d8ee43ea3dffa18

General

Target

456bcdeae8a437acf9efe95c5ebb47be.exe
Size

419KB
MD5

456bcdeae8a437acf9efe95c5ebb47be
SHA1

27ce68df8f404cb1d74a3d725c9cfce99f2ebf53
SHA256

23f9a81888e9d5de95fbfdab513baa577a46f6dd94d1f1537d8ee43ea3dffa18
SHA512

c4251e4dd2f214085a35196934aea30887179103512c071bb84b6cb3738c6eb502d967a00e55ec3d87de1f541c79d64cc9f5a7c9b7439bc1b6c7d5a66cc5d4b1
SSDEEP

6144:1/QiQPtXdEOdEoj1Z6xFOQhD1Qx9PkYxXyVlcG40eAw38o85XOC8T/FUyKGpM9Ck:NQiGtXSh/dhDex+NlcGpX98iR4o

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4908	456bcdeae8a437acf9efe95c5ebb47be.tmp

Loads dropped DLL 2 IoCs

pid	Process
4908	456bcdeae8a437acf9efe95c5ebb47be.tmp
4908	456bcdeae8a437acf9efe95c5ebb47be.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	26	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4168	powershell.exe
4168	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4168	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 4908	1804	456bcdeae8a437acf9efe95c5ebb47be.exe	44
PID 1804 wrote to memory of 4908	1804	456bcdeae8a437acf9efe95c5ebb47be.exe	44
PID 1804 wrote to memory of 4908	1804	456bcdeae8a437acf9efe95c5ebb47be.exe	44
PID 4908 wrote to memory of 2980	4908	456bcdeae8a437acf9efe95c5ebb47be.tmp	92
PID 4908 wrote to memory of 2980	4908	456bcdeae8a437acf9efe95c5ebb47be.tmp	92
PID 4908 wrote to memory of 2980	4908	456bcdeae8a437acf9efe95c5ebb47be.tmp	92
PID 2980 wrote to memory of 4168	2980	cmd.exe	93
PID 2980 wrote to memory of 4168	2980	cmd.exe	93
PID 2980 wrote to memory of 4168	2980	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\456bcdeae8a437acf9efe95c5ebb47be.exe
"C:\Users\Admin\AppData\Local\Temp\456bcdeae8a437acf9efe95c5ebb47be.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Local\Temp\is-BO6IK.tmp\456bcdeae8a437acf9efe95c5ebb47be.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-BO6IK.tmp\456bcdeae8a437acf9efe95c5ebb47be.tmp" /SL5="$601C6,139536,56832,C:\Users\Admin\AppData\Local\Temp\456bcdeae8a437acf9efe95c5ebb47be.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-3E78K.tmp\ex.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_otdy25kq.4ix.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3E78K.tmp\av.txt

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3E78K.tmp\ex.bat

Filesize
786B

MD5
ef00f6cf697eee2cb3f60ec3892cb9f3

SHA1
df48d1ee7bfbc55e6b154bd20994fbc4d966d34b

SHA256
d7fbf9f0ba9ab3dff48bb4ed96884541a443b86f35dfcacd458af57c614b95b5

SHA512
a61614d7ac359325299f99a6b4b5227e8d1fd6a2c1cd1b4d9c0b04ec9ab789e30a6ef1f41daa579bd93298d098492ee66bac81ca2c930a6a1a9624bd7ff77808

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3E78K.tmp\itdownload.dll

Filesize
121KB

MD5
5e0b0060cb66ac008989408b369ecef9

SHA1
59338ca5c561dac764d5dd374d1d1191dd34f438

SHA256
3450a424f5e0c3d35f3034d3a5486dfc40c5aad5bd7d3ef65a8a080f3c41a374

SHA512
35748191d2fc39185414a2711dd64866d43216248faaa3d66e89baeaf061fd0467f0edc87743eb9b76b5d149b75d316cd3f5b952d49b5a1839cab6b45728cdb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3E78K.tmp\itdownload.dll

Filesize
138KB

MD5
03a01562cd63684d144690132346b23f

SHA1
cf799a66add0c6858c35ab510a51d80c1bbeba5f

SHA256
6cc69ae44d3d5506252257eaeffe2be19f7e82a6b29318b9353f8e63675cd27d

SHA512
63fad88efcbf67609e4ba3cde712e3290359ac04695e93eee56cb0626c1b7ebc2b43589a4e8c65bdca398daa77374be61296dc4a11994953cc92d5fdb9e31112

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BO6IK.tmp\456bcdeae8a437acf9efe95c5ebb47be.tmp

Filesize
336KB

MD5
cfa8ccd5b6cef3c001e361d26be7bb6b

SHA1
73e52e363df419c049661b9f37344adbe263ad73

SHA256
a967af22e6b0f56e19bf9c610d9ca3616e8b8123bd3354b5b590efebebe99334

SHA512
2e43d1b39aee099b63d93a311411ee3c439f8ed60193d627a6754c09e02cdcf65610f9495fd2fb007288c91089a4c03968c17a80914ac87592849479c3bfce45

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BO6IK.tmp\456bcdeae8a437acf9efe95c5ebb47be.tmp

Filesize
200KB

MD5
3dee9e0b76eee423c3d3a97a937868ca

SHA1
d31a6cd5b307b230f2fb60b93cf3acac9c4c26d0

SHA256
f3b6cc6a2e83b9fa2c2558fa6bd240f38c2d7a1762e5823cfe1d9ad4129a604c

SHA512
a249df2ff8367170dac0f159e1d322bafb723b85f4bc9c67015844e96db1fef8080a1f2c10e5dcd5facc17ae50c52d41cabf6e90dbd588a1079947256af6b9f8

Download Submit
memory/1804-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1804-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1804-52-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4168-27-0x00000000061B0000-0x0000000006216000-memory.dmp

Filesize
408KB

Download
memory/4168-41-0x0000000003420000-0x0000000003430000-memory.dmp

Filesize
64KB

Download
memory/4168-24-0x0000000003420000-0x0000000003430000-memory.dmp

Filesize
64KB

Download
memory/4168-25-0x0000000005A90000-0x00000000060B8000-memory.dmp

Filesize
6.2MB

Download
memory/4168-26-0x00000000059E0000-0x0000000005A02000-memory.dmp

Filesize
136KB

Download
memory/4168-28-0x0000000006220000-0x0000000006286000-memory.dmp

Filesize
408KB

Download
memory/4168-23-0x00000000032E0000-0x0000000003316000-memory.dmp

Filesize
216KB

Download
memory/4168-21-0x0000000073710000-0x0000000073EC0000-memory.dmp

Filesize
7.7MB

Download
memory/4168-38-0x0000000006290000-0x00000000065E4000-memory.dmp

Filesize
3.3MB

Download
memory/4168-39-0x00000000068A0000-0x00000000068BE000-memory.dmp

Filesize
120KB

Download
memory/4168-40-0x0000000006940000-0x000000000698C000-memory.dmp

Filesize
304KB

Download
memory/4168-22-0x0000000003420000-0x0000000003430000-memory.dmp

Filesize
64KB

Download
memory/4168-44-0x0000000006E20000-0x0000000006E42000-memory.dmp

Filesize
136KB

Download
memory/4168-43-0x0000000006DD0000-0x0000000006DEA000-memory.dmp

Filesize
104KB

Download
memory/4168-45-0x0000000008110000-0x00000000086B4000-memory.dmp

Filesize
5.6MB

Download
memory/4168-42-0x0000000007A70000-0x0000000007B06000-memory.dmp

Filesize
600KB

Download
memory/4168-46-0x0000000008D40000-0x00000000093BA000-memory.dmp

Filesize
6.5MB

Download
memory/4168-49-0x0000000073710000-0x0000000073EC0000-memory.dmp

Filesize
7.7MB

Download
memory/4908-16-0x0000000003950000-0x000000000398C000-memory.dmp

Filesize
240KB

Download
memory/4908-7-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/4908-54-0x0000000003950000-0x000000000398C000-memory.dmp

Filesize
240KB

Download
memory/4908-53-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4908-55-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing