3720a13e18347d317c14b33ed2791d8b2f903095bfdb5f4ead3dc9341da61055

General

Target

update_3.57_mc.exe
Size

38.9MB
MD5

43ec0653ac48a69329112d02aee48cbf
SHA1

9f4ac3ad2dc6855e6efaa7f57f31665b2ead2f82
SHA256

3720a13e18347d317c14b33ed2791d8b2f903095bfdb5f4ead3dc9341da61055
SHA512

1e259498f394a49c0853f7bcbba2f1e320780503c52b983816aa235f698a7e1dd91f976ee9949dfe73dcbf0585ff72eb3b90049db3574880df09ef63407198a3
SSDEEP

786432:lxfDttTKvpBpWNuyUs/WoCMcKVwMLIi1nJfFMB:lxLmvPAN1H/MMciwE/JfFMB

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1240	update_3.57_mc.exe
1240	update_3.57_mc.exe
1240	update_3.57_mc.exe
1240	update_3.57_mc.exe
1240	update_3.57_mc.exe
1240	update_3.57_mc.exe
1240	update_3.57_mc.exe
1240	update_3.57_mc.exe
1240	update_3.57_mc.exe
1240	update_3.57_mc.exe
1240	update_3.57_mc.exe
1240	update_3.57_mc.exe
1240	update_3.57_mc.exe
1240	update_3.57_mc.exe
1240	update_3.57_mc.exe
1240	update_3.57_mc.exe
740	powershell.exe
816	powershell.exe
1120	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 740	1240	update_3.57_mc.exe	27
PID 1240 wrote to memory of 740	1240	update_3.57_mc.exe	27
PID 1240 wrote to memory of 740	1240	update_3.57_mc.exe	27
PID 1240 wrote to memory of 816	1240	update_3.57_mc.exe	29
PID 1240 wrote to memory of 816	1240	update_3.57_mc.exe	29
PID 1240 wrote to memory of 816	1240	update_3.57_mc.exe	29
PID 1240 wrote to memory of 1120	1240	update_3.57_mc.exe	31
PID 1240 wrote to memory of 1120	1240	update_3.57_mc.exe	31
PID 1240 wrote to memory of 1120	1240	update_3.57_mc.exe	31

C:\Users\Admin\AppData\Local\Temp\update_3.57_mc.exe
"C:\Users\Admin\AppData\Local\Temp\update_3.57_mc.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMwA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMwA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMwA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cc8c79b97f9617d22fdc029af0fb5bcb

SHA1
1590c5d6acf4dffaff2e2bd82d03c83c8a214c6c

SHA256
e56d02c9e223476d353b51e9ceb99c9ba3341867d9fccc75fbecd8a6a09d1f58

SHA512
5e6b3a1ce10518e7edf93fd73395d6be568bb8c918aeb2d1ac9fd4c05909a20adb1a8ffa4b2b7a90c715291e2d8f7c55cc1238fb5d439ac1dc36669e6613fb12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cc8c79b97f9617d22fdc029af0fb5bcb

SHA1
1590c5d6acf4dffaff2e2bd82d03c83c8a214c6c

SHA256
e56d02c9e223476d353b51e9ceb99c9ba3341867d9fccc75fbecd8a6a09d1f58

SHA512
5e6b3a1ce10518e7edf93fd73395d6be568bb8c918aeb2d1ac9fd4c05909a20adb1a8ffa4b2b7a90c715291e2d8f7c55cc1238fb5d439ac1dc36669e6613fb12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MAKANJKGG3GTKVJ7BEWT.temp

Filesize
7KB

MD5
cc8c79b97f9617d22fdc029af0fb5bcb

SHA1
1590c5d6acf4dffaff2e2bd82d03c83c8a214c6c

SHA256
e56d02c9e223476d353b51e9ceb99c9ba3341867d9fccc75fbecd8a6a09d1f58

SHA512
5e6b3a1ce10518e7edf93fd73395d6be568bb8c918aeb2d1ac9fd4c05909a20adb1a8ffa4b2b7a90c715291e2d8f7c55cc1238fb5d439ac1dc36669e6613fb12

Download Submit
memory/740-81-0x000000001B210000-0x000000001B4F2000-memory.dmp

Filesize
2.9MB

Download
memory/740-86-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/740-84-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/740-85-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/740-82-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/740-83-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/816-94-0x0000000002450000-0x0000000002458000-memory.dmp

Filesize
32KB

Download
memory/816-93-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/816-98-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/816-97-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/816-96-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/816-95-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/1120-107-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/1120-106-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/1120-105-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/1120-104-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/1240-74-0x000007FEFDB80000-0x000007FEFDB82000-memory.dmp

Filesize
8KB

Download
memory/1240-64-0x0000000077E50000-0x0000000077E52000-memory.dmp

Filesize
8KB

Download
memory/1240-62-0x0000000077E40000-0x0000000077E42000-memory.dmp

Filesize
8KB

Download
memory/1240-61-0x0000000077E40000-0x0000000077E42000-memory.dmp

Filesize
8KB

Download
memory/1240-60-0x0000000077E40000-0x0000000077E42000-memory.dmp

Filesize
8KB

Download
memory/1240-59-0x0000000077E30000-0x0000000077E32000-memory.dmp

Filesize
8KB

Download
memory/1240-58-0x0000000077E30000-0x0000000077E32000-memory.dmp

Filesize
8KB

Download
memory/1240-57-0x0000000077E30000-0x0000000077E32000-memory.dmp

Filesize
8KB

Download
memory/1240-56-0x0000000077E20000-0x0000000077E22000-memory.dmp

Filesize
8KB

Download
memory/1240-63-0x0000000077E50000-0x0000000077E52000-memory.dmp

Filesize
8KB

Download
memory/1240-55-0x0000000077E20000-0x0000000077E22000-memory.dmp

Filesize
8KB

Download
memory/1240-75-0x000000013F300000-0x00000001419E7000-memory.dmp

Filesize
38.9MB

Download
memory/1240-65-0x0000000077E50000-0x0000000077E52000-memory.dmp

Filesize
8KB

Download
memory/1240-73-0x000007FEFDB80000-0x000007FEFDB82000-memory.dmp

Filesize
8KB

Download
memory/1240-71-0x000007FEFDB70000-0x000007FEFDB72000-memory.dmp

Filesize
8KB

Download
memory/1240-54-0x0000000077E20000-0x0000000077E22000-memory.dmp

Filesize
8KB

Download
memory/1240-70-0x000007FEFDB70000-0x000007FEFDB72000-memory.dmp

Filesize
8KB

Download
memory/1240-68-0x0000000077E60000-0x0000000077E62000-memory.dmp

Filesize
8KB

Download
memory/1240-67-0x0000000077E60000-0x0000000077E62000-memory.dmp

Filesize
8KB

Download
memory/1240-66-0x0000000077E60000-0x0000000077E62000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing