cd3df0bd520d36d373c7105c67577b92cd11ddd8a40c29044e6d4fe12b20f50a

Reason

Machine shutdown

General

Target

cd3df0bd520d36d373c7105c67577b92cd11ddd8a40c29044e6d4fe12b20f50a.exe
Size

696KB
MD5

efbe5feb1bfef5d5b37cb5717c956f93
SHA1

6c58db16e9b6d41119761863c531a7c61fa63d84
SHA256

cd3df0bd520d36d373c7105c67577b92cd11ddd8a40c29044e6d4fe12b20f50a
SHA512

fe7390ab5be40fe6188fcd2371b4b7c8c87f3a314ff3ebb2f2fe52f1cb87bcbbf9ec07781132f37ad175f25faace5a7ff3c0bedab5b50de780b389dbfb9824e6
SSDEEP

12288:jZKzOxunS7PnHbFwU+QhG6puk8mjI03zFF5dG2PNW9xkzWTjkejSOmTdzToeD1pW:jZKG7l6XAWTjkejlmZnppIl/

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TwinkiePaste.lnk	cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3024	timeout.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3032	shutdown.exe
Token: SeRemoteShutdownPrivilege	3032	shutdown.exe
Token: 33	1968	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1968	AUDIODG.EXE
Token: 33	1968	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1968	AUDIODG.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 560	2216	cd3df0bd520d36d373c7105c67577b92cd11ddd8a40c29044e6d4fe12b20f50a.exe	28
PID 2216 wrote to memory of 560	2216	cd3df0bd520d36d373c7105c67577b92cd11ddd8a40c29044e6d4fe12b20f50a.exe	28
PID 2216 wrote to memory of 560	2216	cd3df0bd520d36d373c7105c67577b92cd11ddd8a40c29044e6d4fe12b20f50a.exe	28
PID 560 wrote to memory of 1540	560	cmd.exe	30
PID 560 wrote to memory of 1540	560	cmd.exe	30
PID 560 wrote to memory of 1540	560	cmd.exe	30
PID 2216 wrote to memory of 1996	2216	cd3df0bd520d36d373c7105c67577b92cd11ddd8a40c29044e6d4fe12b20f50a.exe	31
PID 2216 wrote to memory of 1996	2216	cd3df0bd520d36d373c7105c67577b92cd11ddd8a40c29044e6d4fe12b20f50a.exe	31
PID 2216 wrote to memory of 1996	2216	cd3df0bd520d36d373c7105c67577b92cd11ddd8a40c29044e6d4fe12b20f50a.exe	31
PID 1996 wrote to memory of 2944	1996	cmd.exe	33
PID 1996 wrote to memory of 2944	1996	cmd.exe	33
PID 1996 wrote to memory of 2944	1996	cmd.exe	33
PID 2944 wrote to memory of 3024	2944	cmd.exe	35
PID 2944 wrote to memory of 3024	2944	cmd.exe	35
PID 2944 wrote to memory of 3024	2944	cmd.exe	35
PID 2944 wrote to memory of 3032	2944	cmd.exe	36
PID 2944 wrote to memory of 3032	2944	cmd.exe	36
PID 2944 wrote to memory of 3032	2944	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\cd3df0bd520d36d373c7105c67577b92cd11ddd8a40c29044e6d4fe12b20f50a.exe
"C:\Users\Admin\AppData\Local\Temp\cd3df0bd520d36d373c7105c67577b92cd11ddd8a40c29044e6d4fe12b20f50a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\oTTVRU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\system32\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp\CtvE.vbs
    3⤵
    - Drops startup file
    PID:1540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\UNZPQQXM.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\UNZPQQXM.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\system32\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:3024
  - - C:\Windows\system32\shutdown.exe
      shutdown /r /t 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3032

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2232

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CtvE.vbs

Filesize
269B

MD5
fb821b1b92e7bebcfcfc6bdd431e8750

SHA1
72c28cc71660cd0b2552737cd59ae457a50b93db

SHA256
a525ef712e566b871758d015c3aa2493e1c58356b01bae8823d0b9b6c394b661

SHA512
2d6f485ae97a43643e6880436dc558bdc34f5e499e366deafa7c26575fd3119294de31c2bba58d383f5e86c949c55da328f855bdaf5a7be21a1dfbbe4396b8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\oTTVRU.bat

Filesize
570B

MD5
d6b5b21dd006ea91b03dc910d191690e

SHA1
0e87d9896df5b23ebf0cf2fae5b16407ca107f76

SHA256
e7f50838dd05eaab56b9c3b27cc1dd839cb189510b15a4fc0f8594d4d4b21ed3

SHA512
5aacbb1b94c9535537ab8a7c1bba559c503d35977678d02d659977d6126241115ed4293d9909f44ec1d4e3d0268144887e32117226ee7b6f2ad215da64c9dd54

Download Submit
C:\Users\Admin\AppData\Roaming\UNZPQQXM.bat

Filesize
44B

MD5
e04f000c162860777360b3c135dcb86f

SHA1
dcfaa535a33309cf3c435a6a4eaa3737d1eb7ad5

SHA256
66ad9e8bd3303f0865f43f275865c18969c83cd7162b540e5cde753aca9e4e58

SHA512
e73b3605dfa0fc3e2f9c5bb80e47abcf47361effed09f1e2efcb01e9799f900d594908d6e731056540817b1b9b8deaf47510b1f92a8e25c86e6b207e3a995ea9

Download Submit
memory/2232-71-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/2784-72-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors