ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470

Reason

Machine shutdown

General

Target

ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470.exe
Size

690KB
MD5

e12dc94a46521e39e3555972381650d7
SHA1

526ec5384befc08a85cf5c32e992d2bf078fe354
SHA256

ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470
SHA512

4f611f4c0cccb8e2fbd015487352220507e7157822922dd20609dc30c6ad70029e055d101d3f5739a83419923d5a33222b5c0103c6e1f5133e3460e3c825e79c
SSDEEP

12288:jZKzOxunS7PnHbFwU+QhG6puk8mjI03zFF5dG2PNW9xkzWTjkejSOmTdzToeD1pU:jZKG7l6XAWTjkejlmZnppd2

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acoustica.lnk	cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2264	timeout.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	240	shutdown.exe
Token: SeRemoteShutdownPrivilege	240	shutdown.exe
Token: 33	2144	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2144	AUDIODG.EXE
Token: 33	2144	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2144	AUDIODG.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 3020	2292	ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470.exe	27
PID 2292 wrote to memory of 3020	2292	ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470.exe	27
PID 2292 wrote to memory of 3020	2292	ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470.exe	27
PID 3020 wrote to memory of 3060	3020	cmd.exe	29
PID 3020 wrote to memory of 3060	3020	cmd.exe	29
PID 3020 wrote to memory of 3060	3020	cmd.exe	29
PID 2292 wrote to memory of 2816	2292	ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470.exe	31
PID 2292 wrote to memory of 2816	2292	ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470.exe	31
PID 2292 wrote to memory of 2816	2292	ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470.exe	31
PID 2816 wrote to memory of 2940	2816	cmd.exe	32
PID 2816 wrote to memory of 2940	2816	cmd.exe	32
PID 2816 wrote to memory of 2940	2816	cmd.exe	32
PID 2940 wrote to memory of 2264	2940	cmd.exe	34
PID 2940 wrote to memory of 2264	2940	cmd.exe	34
PID 2940 wrote to memory of 2264	2940	cmd.exe	34
PID 2940 wrote to memory of 240	2940	cmd.exe	35
PID 2940 wrote to memory of 240	2940	cmd.exe	35
PID 2940 wrote to memory of 240	2940	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470.exe
"C:\Users\Admin\AppData\Local\Temp\ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\oTTVRU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\system32\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp\TsytwEo.vbs
    3⤵
    - Drops startup file
    PID:3060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\UNZPQQXM.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\UNZPQQXM.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\system32\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:2264
  - - C:\Windows\system32\shutdown.exe
      shutdown /r /t 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:240

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2812

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1d8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TsytwEo.vbs

Filesize
263B

MD5
9301ff72fcd4ffce2866b79f5cd95476

SHA1
802311e106373b9f9a0307ad3fd4c86baeadc144

SHA256
61a3c5c0a0005dfec62a3d6810225054785790a5cfccefbf1a4688cf6c1bcda8

SHA512
6a71e06a168ac5cd9468eb751fd630e331a22483cded6060aa1a5147066775de5b28c2f7e245550bc364b25c39965d826cbf6aebaa3b15eecce7016ec9b886a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\oTTVRU.bat

Filesize
582B

MD5
7c4e9efd6e81d26cd0090e39ebaf8d01

SHA1
af56bec86065ffb82960b1a2758d67e9f787ece5

SHA256
29d8d8e044f4cd78d366443f585b83efe98ddc320b777be08fe6d1b4d922c886

SHA512
c44a36967fc7f6a078ae0ba2abe407013ee7190763de3bbf35013b958a76040a1829581f448fc2ebef7eed4a66c6af0c6d350fba43f3e1f5ed85e53195715534

Download Submit
C:\Users\Admin\AppData\Roaming\UNZPQQXM.bat

Filesize
44B

MD5
e04f000c162860777360b3c135dcb86f

SHA1
dcfaa535a33309cf3c435a6a4eaa3737d1eb7ad5

SHA256
66ad9e8bd3303f0865f43f275865c18969c83cd7162b540e5cde753aca9e4e58

SHA512
e73b3605dfa0fc3e2f9c5bb80e47abcf47361effed09f1e2efcb01e9799f900d594908d6e731056540817b1b9b8deaf47510b1f92a8e25c86e6b207e3a995ea9

Download Submit
memory/2600-72-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/2812-71-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors