e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a

General

Target

e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Size

612KB
MD5

1fbd3a40c916ea15c507568d3c54187d
SHA1

952822b5ca77bd8fb2eaf78ed69ce72557afcf21
SHA256

e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a
SHA512

3528b9552a08a8b8313e1e167d00be978a4d764f7edac9226351f1b298bd32e4cd9d942a86d8afa7e5ad0d2abe1b2a3664d917a94d8db3b74caeeac317ab559b
SSDEEP

12288:aTaZZcvZb0kObgBPSi2bwSaCraJakIX4pkQqijdpl/Q9650v99VE:aTRRgkObgBSIiXTQBZptQ9650v9I

Score

7^/10

upx

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Console.LNK	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe

Executes dropped EXE 1 IoCs

pid	Process
1592	Console.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/920-0-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/memory/920-1-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/memory/920-3-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/memory/4504-4-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/memory/4504-6-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/memory/920-11-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/memory/920-19-0x0000000000400000-0x00000000004E7000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\PROGRA~3\SUBDIR~1\payload.ini	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
File created	C:\PROGRA~3\SUBDIR~1\zz.txt	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
File created	C:\PROGRA~3\SUBDIR~1\Console.exe	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeBackupPrivilege	920	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Token: SeRestorePrivilege	920	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Token: 33	920	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Token: SeIncBasePriorityPrivilege	920	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Token: SeCreateGlobalPrivilege	920	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Token: 33	920	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Token: SeIncBasePriorityPrivilege	920	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Token: 33	920	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Token: SeIncBasePriorityPrivilege	920	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Token: SeBackupPrivilege	4504	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Token: SeRestorePrivilege	4504	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Token: 33	4504	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
Token: SeIncBasePriorityPrivilege	4504	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 1988	920	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe	94
PID 920 wrote to memory of 1988	920	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe	94
PID 920 wrote to memory of 4504	920	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe	96
PID 920 wrote to memory of 4504	920	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe	96
PID 920 wrote to memory of 4504	920	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe	96
PID 920 wrote to memory of 1592	920	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe	97
PID 920 wrote to memory of 1592	920	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe	97
PID 920 wrote to memory of 1592	920	e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe	97

C:\Users\Admin\AppData\Local\Temp\e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
"C:\Users\Admin\AppData\Local\Temp\e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:920
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
  PECMD**pecmd-cmd* PUTF -dd -skipb=472598 "C:\Users\Admin\AppData\Local\Temp\~2838741960929414947.tmp",,C:\Users\Admin\AppData\Local\Temp\e301a7a94b1b0e8040498725bb78dff25f9cb433fc46d99183027081e0f6d44a.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4504
- C:\ProgramData\SubDirectory\Console.exe
  "C:\ProgramData\SubDirectory\Console.exe"
  2⤵
  - Executes dropped EXE
  PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SubDirectory\Console.exe

Filesize
44KB

MD5
e236221207a54e5bf99f939d2303ce1a

SHA1
dc4bb7a8ac30726c5db3148362fb400c17115a51

SHA256
326ced020e6131f21da465988ddb6b37c1766aca5bff7f0d86fcae3a86210f6a

SHA512
bc27a33fe7318559f04c683b73795ffac81df6277b3753c2726fa9d9d67af0f831e937c0f699872dd7501aa2381ff4dbe3f2b7e8f16b54dc81f9ebe6d52f571b

Download Submit
C:\ProgramData\SubDirectory\Console.exe

Filesize
44KB

MD5
e236221207a54e5bf99f939d2303ce1a

SHA1
dc4bb7a8ac30726c5db3148362fb400c17115a51

SHA256
326ced020e6131f21da465988ddb6b37c1766aca5bff7f0d86fcae3a86210f6a

SHA512
bc27a33fe7318559f04c683b73795ffac81df6277b3753c2726fa9d9d67af0f831e937c0f699872dd7501aa2381ff4dbe3f2b7e8f16b54dc81f9ebe6d52f571b

Download Submit
C:\ProgramData\SubDirectory\Console.exe

Filesize
44KB

MD5
e236221207a54e5bf99f939d2303ce1a

SHA1
dc4bb7a8ac30726c5db3148362fb400c17115a51

SHA256
326ced020e6131f21da465988ddb6b37c1766aca5bff7f0d86fcae3a86210f6a

SHA512
bc27a33fe7318559f04c683b73795ffac81df6277b3753c2726fa9d9d67af0f831e937c0f699872dd7501aa2381ff4dbe3f2b7e8f16b54dc81f9ebe6d52f571b

Download Submit
C:\ProgramData\SubDirectory\payload.ini

Filesize
6B

MD5
e665628cb6c912fad4a4547eeda2b562

SHA1
5e958e5bc63af1adc9ccea071006285edc1e8fa9

SHA256
5b9d676be71ad21edc06d50a5bcbbdf5498d025784ae377132447a31e10208de

SHA512
30a2c4cd666297375f9f6170e716733a2b22ea9558b31dc3fa7a180c33d20a15b2472b3359aeabb26b2d54713685f6d6685024778cb9ede8569aab736fe0593a

Download Submit
C:\ProgramData\SubDirectory\zz.txt

Filesize
177KB

MD5
903fab06feffed3fde964a81875b32b0

SHA1
f6b6b0579fc6302b68a60aff97ebe0bee29da634

SHA256
dea58225dfcb6a0f4a1c25c18eb3a67c1454ef22c99440ad71d2c8b035677119

SHA512
dbc39017f03acb86782e38c05fdbb68492aeacb23f4982bd8003a4fac482fe8cffcc35dad890d59f8dff00294e793a88f968ecfdd3a3c67fed34e6b558d5b7fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\~28387~1.TMP

Filesize
151KB

MD5
940393e618aceb1081cec0b73829f944

SHA1
a22b37b080a73a76902508a5006f4003b5dcc193

SHA256
06dbdc191175b07b651f1aad866596fd0244fc6e5e17b8c037c980ec34e82448

SHA512
6af09675898e87b56d2e654c9b57e6837f06a2e03053c6f1c675eebe7153815f19fbbb3f4c49df7642908eacdb0f75b06ca073db1e3f45eed48d780bba11d1e0

Download Submit
memory/920-11-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/920-0-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/920-19-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/920-3-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/920-1-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1592-22-0x0000000000F00000-0x0000000000F2D000-memory.dmp

Filesize
180KB

Download
memory/4504-6-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4504-4-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download

Analysis

Sharing