e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a

General

Target

e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Size

612KB
MD5

1fbd3a40c916ea15c507568d3c54187d
SHA1

952822b5ca77bd8fb2eaf78ed69ce72557afcf21
SHA256

e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a
SHA512

3528b9552a08a8b8313e1e167d00be978a4d764f7edac9226351f1b298bd32e4cd9d942a86d8afa7e5ad0d2abe1b2a3664d917a94d8db3b74caeeac317ab559b
SSDEEP

12288:aTaZZcvZb0kObgBPSi2bwSaCraJakIX4pkQqijdpl/Q9650v99VE:aTRRgkObgBSIiXTQBZptQ9650v9I

Score

7^/10

upx

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.LNK	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe

Executes dropped EXE 1 IoCs

pid	Process
2688	Console.exe

Loads dropped DLL 1 IoCs

pid	Process
2456	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2456-0-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/3064-2-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/3064-4-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/2456-20-0x0000000000400000-0x00000000004E7000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\PROGRA~3\SUBDIR~1\Console.exe	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
File created	C:\PROGRA~3\SUBDIR~1\payload.ini	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
File created	C:\PROGRA~3\SUBDIR~1\zz.txt	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeBackupPrivilege	2456	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Token: SeRestorePrivilege	2456	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Token: 33	2456	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Token: SeIncBasePriorityPrivilege	2456	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Token: SeCreateGlobalPrivilege	2456	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Token: 33	2456	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Token: SeIncBasePriorityPrivilege	2456	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Token: 33	2456	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Token: SeIncBasePriorityPrivilege	2456	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Token: SeBackupPrivilege	3064	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Token: SeRestorePrivilege	3064	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Token: 33	3064	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Token: SeIncBasePriorityPrivilege	3064	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 2980	2456	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe	28
PID 2456 wrote to memory of 2980	2456	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe	28
PID 2456 wrote to memory of 2980	2456	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe	28
PID 2456 wrote to memory of 2980	2456	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe	28
PID 2456 wrote to memory of 3064	2456	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe	30
PID 2456 wrote to memory of 3064	2456	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe	30
PID 2456 wrote to memory of 3064	2456	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe	30
PID 2456 wrote to memory of 3064	2456	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe	30
PID 2456 wrote to memory of 2688	2456	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe	31
PID 2456 wrote to memory of 2688	2456	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe	31
PID 2456 wrote to memory of 2688	2456	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe	31
PID 2456 wrote to memory of 2688	2456	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe	31

C:\Users\Admin\AppData\Local\Temp\e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
"C:\Users\Admin\AppData\Local\Temp\e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\system32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:2980
- C:\Users\Admin\AppData\Local\Temp\e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
  PECMD**pecmd-cmd* PUTF -dd -skipb=472598 "C:\Users\Admin\AppData\Local\Temp\~1462007005795578804.tmp",,C:\Users\Admin\AppData\Local\Temp\e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\ProgramData\SubDirectory\Console.exe
  "C:\ProgramData\SubDirectory\Console.exe"
  2⤵
  - Executes dropped EXE
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SubDirectory\Console.exe

Filesize
44KB

MD5
e236221207a54e5bf99f939d2303ce1a

SHA1
dc4bb7a8ac30726c5db3148362fb400c17115a51

SHA256
326ced020e6131f21da465988ddb6b37c1766aca5bff7f0d86fcae3a86210f6a

SHA512
bc27a33fe7318559f04c683b73795ffac81df6277b3753c2726fa9d9d67af0f831e937c0f699872dd7501aa2381ff4dbe3f2b7e8f16b54dc81f9ebe6d52f571b

Download Submit
C:\ProgramData\SubDirectory\Console.exe

Filesize
44KB

MD5
e236221207a54e5bf99f939d2303ce1a

SHA1
dc4bb7a8ac30726c5db3148362fb400c17115a51

SHA256
326ced020e6131f21da465988ddb6b37c1766aca5bff7f0d86fcae3a86210f6a

SHA512
bc27a33fe7318559f04c683b73795ffac81df6277b3753c2726fa9d9d67af0f831e937c0f699872dd7501aa2381ff4dbe3f2b7e8f16b54dc81f9ebe6d52f571b

Download Submit
C:\ProgramData\SubDirectory\payload.ini

Filesize
6B

MD5
e665628cb6c912fad4a4547eeda2b562

SHA1
5e958e5bc63af1adc9ccea071006285edc1e8fa9

SHA256
5b9d676be71ad21edc06d50a5bcbbdf5498d025784ae377132447a31e10208de

SHA512
30a2c4cd666297375f9f6170e716733a2b22ea9558b31dc3fa7a180c33d20a15b2472b3359aeabb26b2d54713685f6d6685024778cb9ede8569aab736fe0593a

Download Submit
C:\ProgramData\SubDirectory\zz.txt

Filesize
177KB

MD5
903fab06feffed3fde964a81875b32b0

SHA1
f6b6b0579fc6302b68a60aff97ebe0bee29da634

SHA256
dea58225dfcb6a0f4a1c25c18eb3a67c1454ef22c99440ad71d2c8b035677119

SHA512
dbc39017f03acb86782e38c05fdbb68492aeacb23f4982bd8003a4fac482fe8cffcc35dad890d59f8dff00294e793a88f968ecfdd3a3c67fed34e6b558d5b7fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\~14620~1.TMP

Filesize
151KB

MD5
940393e618aceb1081cec0b73829f944

SHA1
a22b37b080a73a76902508a5006f4003b5dcc193

SHA256
06dbdc191175b07b651f1aad866596fd0244fc6e5e17b8c037c980ec34e82448

SHA512
6af09675898e87b56d2e654c9b57e6837f06a2e03053c6f1c675eebe7153815f19fbbb3f4c49df7642908eacdb0f75b06ca073db1e3f45eed48d780bba11d1e0

Download Submit
\ProgramData\SubDirectory\Console.exe

Filesize
44KB

MD5
e236221207a54e5bf99f939d2303ce1a

SHA1
dc4bb7a8ac30726c5db3148362fb400c17115a51

SHA256
326ced020e6131f21da465988ddb6b37c1766aca5bff7f0d86fcae3a86210f6a

SHA512
bc27a33fe7318559f04c683b73795ffac81df6277b3753c2726fa9d9d67af0f831e937c0f699872dd7501aa2381ff4dbe3f2b7e8f16b54dc81f9ebe6d52f571b

Download Submit
memory/2456-0-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2456-20-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2688-19-0x00000000000F0000-0x000000000011D000-memory.dmp

Filesize
180KB

Download
memory/3064-2-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3064-4-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download

Analysis

Sharing