2de324d57bb96154e70958eea97713553f59025ca39220aec5d53c908cbf4645

General

Target

deimos.ps1
Size

12.4MB
MD5

3d66aa2521f3e024a926350ac22c0622
SHA1

e92999c0809b144c20f0ceac95e9e39cd788124a
SHA256

2de324d57bb96154e70958eea97713553f59025ca39220aec5d53c908cbf4645
SHA512

1dd56755dd7dfa322d25cf4733417e099e63ba688e6173f01ff7abe825a5c6685362bae3026908f13f0a110e2a3d0377ea9cb3457e4ae46e450be300d3af9fd0
SSDEEP

49152:t4h5SOsvIuP8mqGsqFnv5GQDuam+yZncMLhfbfUlSe+dPR9DV4mmabYp8Q76Xiji:C

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2816	powershell.exe
2816	powershell.exe
2816	powershell.exe
2816	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2608	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2608	AcroRd32.exe
2608	AcroRd32.exe
2608	AcroRd32.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2312	2816	powershell.exe	29
PID 2816 wrote to memory of 2312	2816	powershell.exe	29
PID 2816 wrote to memory of 2312	2816	powershell.exe	29
PID 2312 wrote to memory of 2500	2312	csc.exe	30
PID 2312 wrote to memory of 2500	2312	csc.exe	30
PID 2312 wrote to memory of 2500	2312	csc.exe	30
PID 2816 wrote to memory of 2608	2816	powershell.exe	31
PID 2816 wrote to memory of 2608	2816	powershell.exe	31
PID 2816 wrote to memory of 2608	2816	powershell.exe	31
PID 2816 wrote to memory of 2608	2816	powershell.exe	31

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\deimos.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\znx1rruk.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1527.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1516.tmp"
    3⤵
    PID:2500
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\~P9341841.pdf"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1527.tmp

Filesize
1KB

MD5
9aeac8f3578293f5d9321ea28fe9d81a

SHA1
69f8b1ad57db2b29468fef14cfda97902aa323eb

SHA256
11f04eb858cedf0a1d9a95ad035f8d883c0f1dc02b7578811a8742685151e89d

SHA512
def89623e99fd0e241f82dd9d287bd36377350bc0b3302fec97027e80d652051397b1d9535f131467869a293ea28731b6de8e17f86e4e3ce93e60bfa11447eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\znx1rruk.dll

Filesize
3KB

MD5
4585ce7c9abb1d880b842fae1a2c959e

SHA1
48ac5569cd6f383d248035681219d4a93d2c7f10

SHA256
39575c3c12f6d1b02fdea67b792fcefe5c63a9c158f92d5c693aa0f18633e31a

SHA512
0ad855e7341ebf243d78172afc6faf20abfa4696a046c0f3b31bb4e0d1b3cff951296296de37b9b54a9f1bc50907b3afa3df90aec8d899f0512d71cdc3a71a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\znx1rruk.pdb

Filesize
7KB

MD5
c3be4be9d9249f006609fe944d015804

SHA1
42395f429c472db98cb45aa4867fbfba476dd489

SHA256
30c6bed92db9623aac874c5c899f8df7fb418f91c020d80be43491f6a0f3ef98

SHA512
1bb256d245d0d6c67dd45e942b1aa72b5a739f0db3f38ef9d0a04daa0c3681ad7784cb60c1008a8231969a49b040fa6e6d2227fefd36818579178e44a2aa6d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\~P9341841.pdf

Filesize
8.8MB

MD5
aa81bdaeac18676979c6c846ce2f43aa

SHA1
bda40a47ba5c5d0154c698961926fee1cb40554c

SHA256
013f4de04da240f2cf2dd3960a2c77d1cc305bafe1e05812d9e4218a56acc03b

SHA512
da549bbd27aa0ab8311dcbef0e1fb94ed1f2ecc17dc2d046e2230e43f23bb3aeed594087ed9b206af3b2540437aa293ffb47b4d9d43470e205429121a0b18254

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
73da3fc61e5c70b9871e45f7594d1e08

SHA1
df85494167d3fcbe1471a37ab37fa510ec513716

SHA256
7fe8129086562d0693510df260679ab38e1866488a8b9d3f435ca75f53e405cb

SHA512
c9af4f2329914c007bc42246de4dbb9f599e1428650998c9c1f796230786c42c8f60b0411be7c6283fb8e1f1e7f9d41d5f9578df7248e98881cb9b485a5d14b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1516.tmp

Filesize
652B

MD5
08103431a0dabe82859a5ba6ac14c725

SHA1
7f4e11357858fd8d8b5f26841adb62d8e90718a7

SHA256
c060636e237e48300d4de4d717d9c9e62695bc9e00287024aa9c945518fbfb5a

SHA512
5aaa9ab897dd76a65b22b5d4afff440279a09b82bde77b5e2b2eba2799617b9c86137ca3204766452e537ad0ae9e6e24f2a9241c88e0cdde911b7f82204bd7ca

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\znx1rruk.0.cs

Filesize
244B

MD5
b999975748af32dd007ff48814430b26

SHA1
46b54a3e3be2d3497127d67b96b3f6a55d26447d

SHA256
ed13935d6ac43e5ce0419aa7d162dbc70562c02dedacb81d5efdfc609a035c69

SHA512
f8e48caaac395db45ac4c8a899dbd64305dd6f57fcd22919a6d880b035455286d3504b097dca250d4ea283004cb64d47e376901b8fae65f4fa792234dee9f81e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\znx1rruk.cmdline

Filesize
309B

MD5
fa671d5027e7d1a930acad79397cb020

SHA1
ea2c5fd46fee4255ef44468ba14b965a22b4e014

SHA256
7516db14da8ab3880c2b24fb78781098fe1ccf7b7666cbba1121578c5899c34a

SHA512
f721bbf3283e9248a74e9784895aaab215ec381e56d55abb6c37f8cfa4ff9595ce38244604b58b6f645283258bd170cf3b83e8c48026a0f54886984fd4ea52c7

Download Submit
memory/2312-17-0x0000000002280000-0x0000000002300000-memory.dmp

Filesize
512KB

Download
memory/2816-5-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2816-51-0x0000000002E50000-0x0000000002ED0000-memory.dmp

Filesize
512KB

Download
memory/2816-10-0x0000000002E50000-0x0000000002ED0000-memory.dmp

Filesize
512KB

Download
memory/2816-9-0x0000000002E50000-0x0000000002ED0000-memory.dmp

Filesize
512KB

Download
memory/2816-8-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2816-26-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2816-6-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2816-11-0x0000000002E50000-0x0000000002ED0000-memory.dmp

Filesize
512KB

Download
memory/2816-4-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/2816-48-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2816-49-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2816-50-0x0000000002E50000-0x0000000002ED0000-memory.dmp

Filesize
512KB

Download
memory/2816-7-0x0000000002E50000-0x0000000002ED0000-memory.dmp

Filesize
512KB

Download
memory/2816-52-0x0000000002E50000-0x0000000002ED0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing