49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436

General

Target

49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436.exe
Size

568KB
MD5

e4370a31c71c37bde2e16022fa0459c2
SHA1

10890db50f2aac0931eec94f45e012944efed869
SHA256

49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436
SHA512

1454935b456d4fc26b978fb4a38ec34ba673ba27ccc23c9d73328441cbdfd78baade7173eefbd2d51ffa42cd8e20697521d0128f4f08b1800293c613ac60d5af
SSDEEP

12288:mH7MMIqb9BaBUbdD4aPHb2XR+MAghog0RdBBplW8Lmy:+7a69BWUhD3Ha+MPCXtlW8Lmy

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4888 powershell.exe

Loads dropped DLL 2 IoCs

Processes:

49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436.exe

pid	process
2508	49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436.exe
2508	49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1956 4888 WerFault.exe powershell.exe

pid	pid_target	process	target process
1956	4888	WerFault.exe	powershell.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exe

pid	process
4888	powershell.exe
4888	powershell.exe
4888	powershell.exe
4888	powershell.exe
4888	powershell.exe
4888	powershell.exe
4888	powershell.exe
4888	powershell.exe
4888	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4888 powershell.exe

description	pid	process
Token: SeDebugPrivilege	4888	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436.exepowershell.exe

description	pid	process	target process
PID 2508 wrote to memory of 4888	2508	49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436.exe	powershell.exe
PID 2508 wrote to memory of 4888	2508	49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436.exe	powershell.exe
PID 2508 wrote to memory of 4888	2508	49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436.exe	powershell.exe
PID 4888 wrote to memory of 4824	4888	powershell.exe	cmd.exe
PID 4888 wrote to memory of 4824	4888	powershell.exe	cmd.exe
PID 4888 wrote to memory of 4824	4888	powershell.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436.exe
"C:\Users\Admin\AppData\Local\Temp\49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Gadgetries=Get-Content 'C:\Users\Admin\AppData\Local\nondefence\kledyrenes\mesoblastema\Kahlil\Sheriffess.Sal';$Underpricing=$Gadgetries.SubString(522,3);.$Underpricing($Gadgetries)"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
3⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 2712
3⤵
- Program crash
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4888 -ip 4888
1⤵
PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mnyarm5n.uas.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl3B74.tmp\nsDialogs.dll

Filesize
9KB

MD5
1c8b2b40c642e8b5a5b3ff102796fb37

SHA1
3245f55afac50f775eb53fd6d14abb7fe523393d

SHA256
8780095aa2f49725388cddf00d79a74e85c9c4863b366f55c39c606a5fb8440c

SHA512
4ff2dc83f640933162ec8818bb1bf3b3be1183264750946a3d949d2e7068ee606277b6c840193ef2b4663952387f07f6ab12c84c4a11cae9a8de7bd4e7971c57

Download Submit
C:\Users\Admin\AppData\Local\nondefence\kledyrenes\mesoblastema\Kahlil\Sheriffess.Sal

Filesize
50KB

MD5
197064b3c1ff1c585db3f2a0b7c2c44a

SHA1
f66e3acf12f2c5c120923519ec806c0eb3b40c6d

SHA256
c2a25450b4800c19f49a02faaf3d4d549c6ddef5c8632621fc69b3fe4c3efbd6

SHA512
4e17845a8a7dcd40e1aa929cd9ca9158b635aff3b2e188c28eb533c660eab6aef1ccd872c417c12b10127788e118ac17f5c6a2aad628a2de5596fe4cced58670

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\degum.lnk

Filesize
910B

MD5
969dfb558bff1b8f071a8870a55e3715

SHA1
07d310c5e16e6de13472d4cf7c75c8ce2546debf

SHA256
25d18a4a27cda281bded9cdd47f353f948f0a269ef520247ec565b0ddef419a8

SHA512
df086be6e10db73b1c93e76d1f697b710a9d8451741d2f1a79350ba28eefc655f806b3eaf0bf6fdda2e0ebb88a36f7f2376f62bdac2c21cc8095915f2f2962b5

Download Submit
memory/4888-71-0x00000000056D0000-0x0000000005A24000-memory.dmp

Filesize
3.3MB

Download
memory/4888-72-0x0000000005C80000-0x0000000005C9E000-memory.dmp

Filesize
120KB

Download
memory/4888-59-0x0000000004CE0000-0x0000000004D02000-memory.dmp

Filesize
136KB

Download
memory/4888-60-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/4888-61-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/4888-57-0x0000000073970000-0x0000000074120000-memory.dmp

Filesize
7.7MB

Download
memory/4888-56-0x00000000026B0000-0x00000000026E6000-memory.dmp

Filesize
216KB

Download
memory/4888-58-0x0000000004E20000-0x0000000005448000-memory.dmp

Filesize
6.2MB

Download
memory/4888-73-0x0000000005CB0000-0x0000000005CFC000-memory.dmp

Filesize
304KB

Download
memory/4888-74-0x0000000006230000-0x00000000062C6000-memory.dmp

Filesize
600KB

Download
memory/4888-76-0x00000000062D0000-0x00000000062F2000-memory.dmp

Filesize
136KB

Download
memory/4888-75-0x00000000061B0000-0x00000000061CA000-memory.dmp

Filesize
104KB

Download
memory/4888-77-0x00000000072B0000-0x0000000007854000-memory.dmp

Filesize
5.6MB

Download
memory/4888-55-0x000000007397E000-0x000000007397F000-memory.dmp

Filesize
4KB

Download
memory/4888-79-0x0000000007EE0000-0x000000000855A000-memory.dmp

Filesize
6.5MB

Download
memory/4888-81-0x0000000073970000-0x0000000074120000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads