3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00

General

Target

3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe
Size

3.3MB
MD5

be2ff5df60ec9a7368ef353495a96706
SHA1

8437d4c3d19ea6280ce9598cba1083d9b55febbc
SHA256

3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00
SHA512

faefbeaa1c2aad1f9c1cf9db924382a43197cdca466798fe7084d4f15614562ac3717501f0c2c5052c4b797569fa2f6c1b4d751ae911c6cfd9d845eaf1a5efa4
SSDEEP

98304:BzdNGU3MREuVKATGF89NOR8bsU8Pe256gR:9dg3VKHF89NYp59R

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2136	~~6330182060289173698.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1640	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1640-0-0x0000000000400000-0x00000000007B4000-memory.dmp	upx
behavioral1/memory/1636-1-0x0000000000400000-0x00000000007B4000-memory.dmp	upx
behavioral1/memory/1636-4-0x0000000000400000-0x00000000007B4000-memory.dmp	upx
behavioral1/memory/1640-27-0x0000000000400000-0x00000000007B4000-memory.dmp	upx
behavioral1/memory/1640-28-0x0000000000400000-0x00000000007B4000-memory.dmp	upx
behavioral1/memory/2796-30-0x0000000000400000-0x00000000007B4000-memory.dmp	upx
behavioral1/memory/2796-29-0x0000000000400000-0x00000000007B4000-memory.dmp	upx

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000012026-5.dat	autoit_exe
behavioral1/files/0x0007000000012026-7.dat	autoit_exe
behavioral1/files/0x0007000000012026-6.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2136	~~6330182060289173698.tmp.exe
2136	~~6330182060289173698.tmp.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeBackupPrivilege	1640	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe
Token: SeRestorePrivilege	1640	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe
Token: 33	1640	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe
Token: SeIncBasePriorityPrivilege	1640	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe
Token: 33	1640	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe
Token: SeIncBasePriorityPrivilege	1640	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe
Token: SeBackupPrivilege	1636	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe
Token: SeRestorePrivilege	1636	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe
Token: 33	1636	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe
Token: SeIncBasePriorityPrivilege	1636	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe
Token: 33	1640	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe
Token: SeIncBasePriorityPrivilege	1640	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe
Token: 33	1640	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe
Token: SeIncBasePriorityPrivilege	1640	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe
Token: SeBackupPrivilege	2796	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe
Token: SeRestorePrivilege	2796	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe
Token: 33	2796	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe
Token: SeIncBasePriorityPrivilege	2796	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 1636	1640	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe	28
PID 1640 wrote to memory of 1636	1640	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe	28
PID 1640 wrote to memory of 1636	1640	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe	28
PID 1640 wrote to memory of 1636	1640	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe	28
PID 1640 wrote to memory of 2136	1640	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe	29
PID 1640 wrote to memory of 2136	1640	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe	29
PID 1640 wrote to memory of 2136	1640	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe	29
PID 1640 wrote to memory of 2136	1640	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe	29
PID 1640 wrote to memory of 2796	1640	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe	30
PID 1640 wrote to memory of 2796	1640	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe	30
PID 1640 wrote to memory of 2796	1640	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe	30
PID 1640 wrote to memory of 2796	1640	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe	30
PID 2796 wrote to memory of 2980	2796	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe	31
PID 2796 wrote to memory of 2980	2796	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe	31
PID 2796 wrote to memory of 2980	2796	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe	31
PID 2796 wrote to memory of 2980	2796	3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe	31

C:\Users\Admin\AppData\Local\Temp\3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe
"C:\Users\Admin\AppData\Local\Temp\3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe
  PECMD**pecmd-cmd* PUTF "C:\Users\Admin\AppData\Local\Temp\~~6330182060289173698.tmp.exe",,"C:\Users\Admin\AppData\Local\Temp\3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe""#102|SCRIPT"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Users\Admin\AppData\Local\Temp\~~6330182060289173698.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\~~6330182060289173698.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2136
- C:\Users\Admin\AppData\Local\Temp\3be843f5b1c19c435fcaeeead1c16ba08636c63e29fcc4208967af7059c33c00.exe
  PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~727029293154719193.cmd"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\~727029293154719193.cmd"
    3⤵
    PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~727029293154719193.cmd

Filesize
404B

MD5
30eae6364930b3a47a969e2d19425d0b

SHA1
65e09986f5bb81cf481eb5b118ee608d28a0c72a

SHA256
ccfeb295e0d4407de3385bde24f32c2ac97ee78d933c8cdfef2c8dd53b041b6d

SHA512
bdbcd95893c8f20327eed28de83a01808f779b4b81112c979d6066f0ddb5570bed8cddc05853edc62f526a805cbe6b82abf2213f4781e3045b20b5bae4416d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\~727029293154719193.cmd

Filesize
404B

MD5
30eae6364930b3a47a969e2d19425d0b

SHA1
65e09986f5bb81cf481eb5b118ee608d28a0c72a

SHA256
ccfeb295e0d4407de3385bde24f32c2ac97ee78d933c8cdfef2c8dd53b041b6d

SHA512
bdbcd95893c8f20327eed28de83a01808f779b4b81112c979d6066f0ddb5570bed8cddc05853edc62f526a805cbe6b82abf2213f4781e3045b20b5bae4416d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\~~6330182060289173698.tmp.exe

Filesize
2.7MB

MD5
02cdbd6d8bece8e7da54b567a3b7de8a

SHA1
23706ddfddd04c146ff7a95aeae3b6e1f0758944

SHA256
6499bc13f9bec48c6be9e076117a42a488def3bb488e1768257ef8f1a49b48de

SHA512
dc1c29466cb24fb7dff98b74058f6d0eddc07245b05d0d450e869440d91f45e30001e6d626421df3d6cd687ea9148d21cec870825186e413205439b836e7eaec

Download Submit
C:\Users\Admin\AppData\Local\Temp\~~6330182060289173698.tmp.exe

Filesize
2.7MB

MD5
02cdbd6d8bece8e7da54b567a3b7de8a

SHA1
23706ddfddd04c146ff7a95aeae3b6e1f0758944

SHA256
6499bc13f9bec48c6be9e076117a42a488def3bb488e1768257ef8f1a49b48de

SHA512
dc1c29466cb24fb7dff98b74058f6d0eddc07245b05d0d450e869440d91f45e30001e6d626421df3d6cd687ea9148d21cec870825186e413205439b836e7eaec

Download Submit
\Users\Admin\AppData\Local\Temp\~~6330182060289173698.tmp.exe

Filesize
2.7MB

MD5
02cdbd6d8bece8e7da54b567a3b7de8a

SHA1
23706ddfddd04c146ff7a95aeae3b6e1f0758944

SHA256
6499bc13f9bec48c6be9e076117a42a488def3bb488e1768257ef8f1a49b48de

SHA512
dc1c29466cb24fb7dff98b74058f6d0eddc07245b05d0d450e869440d91f45e30001e6d626421df3d6cd687ea9148d21cec870825186e413205439b836e7eaec

Download Submit
memory/1636-4-0x0000000000400000-0x00000000007B4000-memory.dmp

Filesize
3.7MB

Download
memory/1636-1-0x0000000000400000-0x00000000007B4000-memory.dmp

Filesize
3.7MB

Download
memory/1640-0-0x0000000000400000-0x00000000007B4000-memory.dmp

Filesize
3.7MB

Download
memory/1640-2-0x0000000002510000-0x00000000028C4000-memory.dmp

Filesize
3.7MB

Download
memory/1640-27-0x0000000000400000-0x00000000007B4000-memory.dmp

Filesize
3.7MB

Download
memory/1640-28-0x0000000000400000-0x00000000007B4000-memory.dmp

Filesize
3.7MB

Download
memory/2796-30-0x0000000000400000-0x00000000007B4000-memory.dmp

Filesize
3.7MB

Download
memory/2796-29-0x0000000000400000-0x00000000007B4000-memory.dmp

Filesize
3.7MB

Download

Analysis

Sharing