44a77ca5bc28cf8900194953b720b19a12b4845af67f36ea0212a5a60af8d095

General

Target

program.exe
Size

34.0MB
MD5

873a4c98c0aaf59965af1da242d1d0cd
SHA1

b67bad68d8bb2e2748a5662c4496a5544112719c
SHA256

c2df0ea1cdff5a9325d55ed381e87a7187483406874d93c7abeeac1b68b0a38e
SHA512

a6d9b85c9af24b658b745ff9006c73e54d647618dcb4268ad2cce192349058080d6e1ffed8798a405946ef3e47eb11e59d7ebb5941d6f9c4e33f505b1856c5d6
SSDEEP

393216:PXXujqPZS1K0OrveP+SzR+JP9CHrpEaXO/7Dn1J:PXe6ZSAWlz29URKH

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2328 powershell.exe
2540 powershell.exe
1544 powershell.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

program.exepowershell.exePowerShell.exepowershell.exePowerShell.exepowershell.exe

pid process

2612 program.exe
2328 powershell.exe
2696 PowerShell.exe
2540 powershell.exe
2868 PowerShell.exe
1544 powershell.exe

pid	process
2328	powershell.exe
2540	powershell.exe
1544	powershell.exe

pid	process
2612	program.exe
2328	powershell.exe
2696	PowerShell.exe
2540	powershell.exe
2868	PowerShell.exe
1544	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exePowerShell.exepowershell.exePowerShell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2696	PowerShell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2868	PowerShell.exe
Token: SeDebugPrivilege	1544	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

program.exe

description	pid	process	target process
PID 2612 wrote to memory of 2328	2612	program.exe	powershell.exe
PID 2612 wrote to memory of 2328	2612	program.exe	powershell.exe
PID 2612 wrote to memory of 2328	2612	program.exe	powershell.exe
PID 2612 wrote to memory of 2696	2612	program.exe	PowerShell.exe
PID 2612 wrote to memory of 2696	2612	program.exe	PowerShell.exe
PID 2612 wrote to memory of 2696	2612	program.exe	PowerShell.exe
PID 2612 wrote to memory of 2540	2612	program.exe	powershell.exe
PID 2612 wrote to memory of 2540	2612	program.exe	powershell.exe
PID 2612 wrote to memory of 2540	2612	program.exe	powershell.exe
PID 2612 wrote to memory of 2868	2612	program.exe	PowerShell.exe
PID 2612 wrote to memory of 2868	2612	program.exe	PowerShell.exe
PID 2612 wrote to memory of 2868	2612	program.exe	PowerShell.exe
PID 2612 wrote to memory of 1544	2612	program.exe	powershell.exe
PID 2612 wrote to memory of 1544	2612	program.exe	powershell.exe
PID 2612 wrote to memory of 1544	2612	program.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\program.exe
"C:\Users\Admin\AppData\Local\Temp\program.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -WindowStyle Hidden
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
"PowerShell" Expand-Archive -Path C:\Users\Admin\AppData\Local\Temp\kQw6saExswA2No7zmq7S.zip -DestinationPath C:\Users\Admin\AppData\Local\Temp\kQw6saExswA2No7zmq7S
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Process -FilePath C:\Users\Admin\AppData\Local\Temp\kQw6saExswA2No7zmq7S\launcher.exe -WindowStyle Hidden
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
"PowerShell" Expand-Archive -Path C:\Users\Admin\AppData\Local\Temp\oT5I7KoOVUuEOKoshURi.zip -DestinationPath C:\Users\Admin\AppData\Local\Temp\oT5I7KoOVUuEOKoshURi
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Process -FilePath C:\Users\Admin\AppData\Local\Temp\oT5I7KoOVUuEOKoshURi\system.exe -WindowStyle Hidden
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
930fcb042671070ee1349df359007702

SHA1
c22e861a3d7e465baeaaf237e214424b9211fefd

SHA256
0d888383af99c5a807c5c5129c2a997876b7fa47a8b9fe4c6da07351b955bc9f

SHA512
9c880a09ec8b2de5dbc5e7d70af4f264634ec1e9e1d3c1e838c31b1aecccf611d1ec2addeb10b27e36e751e94f1891b8fa5a8ec268a0eb209e0f404a06015216

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
306876d6807354eb0e41a1f5403a38a0

SHA1
c6a9a48ec06e961b0ca0f1c29be8db432d7421db

SHA256
3ce8f987f732cf68c11b0a1a2190d3083aaaea7e381f5328ed1ceb3eda9581a0

SHA512
31cfe616dcd8238b9fc35551914c20b48493510d83b653f66ff355f5d6a4e0c41813611fa8b7fa83ed3166a8bc4728b1df18612bc7a286a3011e9814a500d60a

Download Submit
memory/2328-4-0x000007FEF604E000-0x000007FEF604F000-memory.dmp

Filesize
4KB

Download
memory/2328-5-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2328-7-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2328-6-0x000007FEF5D90000-0x000007FEF672D000-memory.dmp

Filesize
9.6MB

Download
memory/2328-8-0x000007FEF5D90000-0x000007FEF672D000-memory.dmp

Filesize
9.6MB

Download
memory/2328-9-0x000007FEF5D90000-0x000007FEF672D000-memory.dmp

Filesize
9.6MB

Download
memory/2328-10-0x000007FEF5D90000-0x000007FEF672D000-memory.dmp

Filesize
9.6MB

Download
memory/2328-11-0x000007FEF5D90000-0x000007FEF672D000-memory.dmp

Filesize
9.6MB

Download
memory/2328-14-0x000007FEF5D90000-0x000007FEF672D000-memory.dmp

Filesize
9.6MB

Download
memory/2328-22-0x000007FEF604E000-0x000007FEF604F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing