0fc30ab0bb340134cb9ab1070ba75d08ea75b4199c6c5185256ffb86bed2329d

General

Target

file.exe
Size

8.1MB
MD5

20e93e0b9b17e2479e1d6aa14424ba4f
SHA1

6a9042b4a85cf128403df4ee1509e1b9a5df4c14
SHA256

0fc30ab0bb340134cb9ab1070ba75d08ea75b4199c6c5185256ffb86bed2329d
SHA512

a55f03b2a63c491376fdd4c431686f0e9fb4603d1e44541758c24cc275fd19b280efe05a7653641288731e243a81d1d5aeb2d8e8af04f62addf75eaaaa5ff032
SSDEEP

98304:kKvsZwahlW0L0xNceDu+3+IViWYFUsCGFA5h:Vvi3hlW0AmeDf3+IUWQUsCGFs

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2780	svczfHost.exe
2116	svczfHost.exe

Loads dropped DLL 2 IoCs

pid	Process
1752	file.exe
1752	file.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2948	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	file.exe
Token: SeDebugPrivilege	2948	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2948	1752	file.exe	28
PID 1752 wrote to memory of 2948	1752	file.exe	28
PID 1752 wrote to memory of 2948	1752	file.exe	28
PID 1752 wrote to memory of 2780	1752	file.exe	33
PID 1752 wrote to memory of 2780	1752	file.exe	33
PID 1752 wrote to memory of 2780	1752	file.exe	33
PID 1752 wrote to memory of 2116	1752	file.exe	34
PID 1752 wrote to memory of 2116	1752	file.exe	34
PID 1752 wrote to memory of 2116	1752	file.exe	34

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand CgBmAHUAbgBjAHQAaQBvAG4AIABHAGUAdAAtAEkAZABlAG4AdABpAHQAeQB7AAoAIAAgACAAIAAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKACQAdABlAHMAdAAgAD0AIABHAGUAdAAtAEkAZABlAG4AdABpAHQAeQA7AAoAJAB0AGUAcwB0ACAAfAAgAE8AdQB0AC0ARgBpAGwAZQAgAC0ARgBpAGwAZQBQAGEAdABoACAAIgBkAGUAdgBpAGMAZQBJAGQALgB0AHgAdAAiACAALQBFAG4AYwBvAGQAaQBuAGcAIABVAFQARgA4AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Users\Admin\AppData\Local\Temp\svczfHost.exe
  "C:\Users\Admin\AppData\Local\Temp\svczfHost.exe" !Fb!AB00C2B6D598A7DF62634B22BF877656
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Users\Admin\AppData\Local\Temp\svczfHost.exe
  "C:\Users\Admin\AppData\Local\Temp\svczfHost.exe" !Fb!AB00C2B6D598A7DF62634B22BF877656
  2⤵
  - Executes dropped EXE
  PID:2116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\deviceId.txt

Filesize
37B

MD5
7196151fad430affc6d399eb70536cd9

SHA1
57505ff1390486813dafe7b40508a8d35bbb1ff5

SHA256
fc6e17cda2ab8c5c0e8dff58a665e8b81dd47af3d382bb47f03e2f6860b1ea6d

SHA512
6974fdabdc383e5e35350a92d6644133b9e5384e450df19fcb625d71386895e668c236dee8123c4beedba26521beb83d6973fafa68de488a7fb656535d0a09aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\svczfHost.exe

Filesize
100.9MB

MD5
7289145ba4ced349f3e236470b0d8950

SHA1
64951ba7ab9e7260d8a99c9feda2bd61484cac43

SHA256
a0b09442bdc3595b04b97a11232019954e24937873dab74f8c26cdf795b47851

SHA512
ff87dc7750109432119612edbcf41864fed7f8cc4ca01d45ea2e9a98e4260080daa06cca6fd901f1de7c6bea947236cb569e0114ff5b63383496994735d6a5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\svczfHost.exe

Filesize
100.9MB

MD5
7289145ba4ced349f3e236470b0d8950

SHA1
64951ba7ab9e7260d8a99c9feda2bd61484cac43

SHA256
a0b09442bdc3595b04b97a11232019954e24937873dab74f8c26cdf795b47851

SHA512
ff87dc7750109432119612edbcf41864fed7f8cc4ca01d45ea2e9a98e4260080daa06cca6fd901f1de7c6bea947236cb569e0114ff5b63383496994735d6a5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\svczfHost.exe

Filesize
100.9MB

MD5
7289145ba4ced349f3e236470b0d8950

SHA1
64951ba7ab9e7260d8a99c9feda2bd61484cac43

SHA256
a0b09442bdc3595b04b97a11232019954e24937873dab74f8c26cdf795b47851

SHA512
ff87dc7750109432119612edbcf41864fed7f8cc4ca01d45ea2e9a98e4260080daa06cca6fd901f1de7c6bea947236cb569e0114ff5b63383496994735d6a5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\svczfHost.exe

Filesize
100.9MB

MD5
7289145ba4ced349f3e236470b0d8950

SHA1
64951ba7ab9e7260d8a99c9feda2bd61484cac43

SHA256
a0b09442bdc3595b04b97a11232019954e24937873dab74f8c26cdf795b47851

SHA512
ff87dc7750109432119612edbcf41864fed7f8cc4ca01d45ea2e9a98e4260080daa06cca6fd901f1de7c6bea947236cb569e0114ff5b63383496994735d6a5da

Download Submit
\Users\Admin\AppData\Local\Temp\svczfHost.exe

Filesize
100.9MB

MD5
7289145ba4ced349f3e236470b0d8950

SHA1
64951ba7ab9e7260d8a99c9feda2bd61484cac43

SHA256
a0b09442bdc3595b04b97a11232019954e24937873dab74f8c26cdf795b47851

SHA512
ff87dc7750109432119612edbcf41864fed7f8cc4ca01d45ea2e9a98e4260080daa06cca6fd901f1de7c6bea947236cb569e0114ff5b63383496994735d6a5da

Download Submit
\Users\Admin\AppData\Local\Temp\svczfHost.exe

Filesize
100.9MB

MD5
7289145ba4ced349f3e236470b0d8950

SHA1
64951ba7ab9e7260d8a99c9feda2bd61484cac43

SHA256
a0b09442bdc3595b04b97a11232019954e24937873dab74f8c26cdf795b47851

SHA512
ff87dc7750109432119612edbcf41864fed7f8cc4ca01d45ea2e9a98e4260080daa06cca6fd901f1de7c6bea947236cb569e0114ff5b63383496994735d6a5da

Download Submit
memory/2780-36-0x0000000000410000-0x0000000000440000-memory.dmp

Filesize
192KB

Download
memory/2780-32-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/2780-53-0x000000013FF50000-0x0000000140877000-memory.dmp

Filesize
9.2MB

Download
memory/2780-18-0x0000000002A90000-0x0000000002EB0000-memory.dmp

Filesize
4.1MB

Download
memory/2780-22-0x00000000069C0000-0x000000000A4D0000-memory.dmp

Filesize
59.1MB

Download
memory/2780-27-0x0000000003050000-0x00000000030C0000-memory.dmp

Filesize
448KB

Download
memory/2780-30-0x000000013FF50000-0x0000000140877000-memory.dmp

Filesize
9.2MB

Download
memory/2780-48-0x0000000001D30000-0x0000000001D70000-memory.dmp

Filesize
256KB

Download
memory/2780-44-0x0000000003140000-0x00000000031C0000-memory.dmp

Filesize
512KB

Download
memory/2780-40-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/2948-4-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

Filesize
2.9MB

Download
memory/2948-10-0x000007FEF6110000-0x000007FEF6AAD000-memory.dmp

Filesize
9.6MB

Download
memory/2948-8-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/2948-7-0x000007FEF6110000-0x000007FEF6AAD000-memory.dmp

Filesize
9.6MB

Download
memory/2948-6-0x000007FEF6110000-0x000007FEF6AAD000-memory.dmp

Filesize
9.6MB

Download
memory/2948-5-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing