dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1

General

Target

dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.exe
Size

411KB
MD5

ddb1ceb266455f58e6eba0c2ac95ce99
SHA1

159015591d226a5620d5a5f742307eb4ea603d27
SHA256

dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1
SHA512

a57a58190d107991374ef7421ba5644a5de862ca0375e666e1429196b0de7edaac0a375477cd1f5b0042cb23f76c9064b7478600003bc61602b39b76eef6bd49
SSDEEP

12288:CQiG+jL8+iDYVi/xDI+MBTlPadSfXioRcpMXVJoT:CQi3n8FDjMBTlP0QjcpMXVJoT

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4852	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.tmp

Loads dropped DLL 2 IoCs

pid	Process
4852	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.tmp
4852	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	31	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2256	powershell.exe
2256	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 4852	4856	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.exe	84
PID 4856 wrote to memory of 4852	4856	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.exe	84
PID 4856 wrote to memory of 4852	4856	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.exe	84
PID 4852 wrote to memory of 1292	4852	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.tmp	86
PID 4852 wrote to memory of 1292	4852	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.tmp	86
PID 4852 wrote to memory of 1292	4852	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.tmp	86
PID 1292 wrote to memory of 2256	1292	cmd.exe	88
PID 1292 wrote to memory of 2256	1292	cmd.exe	88
PID 1292 wrote to memory of 2256	1292	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.exe
"C:\Users\Admin\AppData\Local\Temp\dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Users\Admin\AppData\Local\Temp\is-3DKKE.tmp\dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3DKKE.tmp\dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.tmp" /SL5="$80056,138489,56832,C:\Users\Admin\AppData\Local\Temp\dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-FIV8H.tmp\ex.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2256

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-3DKKE.tmp\dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3DKKE.tmp\dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FIV8H.tmp\av.txt

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FIV8H.tmp\ex.bat

Filesize
786B

MD5
4bce744393016d9511afb464bfcf2aa5

SHA1
aa23c5b1787a7f92b023d458e7d1443f8f06b3e3

SHA256
5bdb4bbe9f9deba8c6cdfc4aab9cd1f281e8c4f5d6615641cd10e926fc8b48d0

SHA512
eef7c056ac9542777fb9fecdf715fb8da35268aec00f44871636c8ac01b69874a3dbf8328742fabf9adbe841dd76b15764b510d1221011da39ba83a816188e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FIV8H.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FIV8H.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
memory/2256-151-0x00000000073F0000-0x0000000007486000-memory.dmp

Filesize
600KB

Download
memory/2256-149-0x0000000005780000-0x00000000057E6000-memory.dmp

Filesize
408KB

Download
memory/2256-155-0x00000000088B0000-0x0000000008F2A000-memory.dmp

Filesize
6.5MB

Download
memory/2256-154-0x0000000007C80000-0x0000000008224000-memory.dmp

Filesize
5.6MB

Download
memory/2256-145-0x0000000002E20000-0x0000000002E56000-memory.dmp

Filesize
216KB

Download
memory/2256-146-0x0000000005880000-0x0000000005EA8000-memory.dmp

Filesize
6.2MB

Download
memory/2256-147-0x0000000005570000-0x0000000005592000-memory.dmp

Filesize
136KB

Download
memory/2256-148-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/2256-153-0x0000000006990000-0x00000000069B2000-memory.dmp

Filesize
136KB

Download
memory/2256-150-0x0000000006420000-0x000000000643E000-memory.dmp

Filesize
120KB

Download
memory/2256-152-0x0000000006940000-0x000000000695A000-memory.dmp

Filesize
104KB

Download
memory/4852-140-0x0000000003A20000-0x0000000003A5C000-memory.dmp

Filesize
240KB

Download
memory/4856-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4856-141-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4856-137-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing