d82675bace2a9b0202d872f9f06c1c4dd7fb4d21c1a058602b937389140c33b8

General

Target

0cac075f245ad2047532c39acfbe3cf1.exe
Size

4.2MB
MD5

0cac075f245ad2047532c39acfbe3cf1
SHA1

db8fb6a038ab78064fc4513076eadebf24e185f2
SHA256

d82675bace2a9b0202d872f9f06c1c4dd7fb4d21c1a058602b937389140c33b8
SHA512

a483cba950174536ff4ab23fe77d7120b8093939276727c45f3596c74fd46e3c672eed10a90647b3e959aa0d7d6e38a4b1de779b74a70d86d6bd5444c44ea987
SSDEEP

98304:oXB4uluJRmMg6QWlIpgi0rHqsih/mCqJ4B4uluU:ovsJR0TW6yiIKRhzqOsU

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2972	D8SQI.exe

Executes dropped EXE 1 IoCs

pid	Process
2972	D8SQI.exe

Loads dropped DLL 2 IoCs

pid	Process
2964	0cac075f245ad2047532c39acfbe3cf1.exe
2972	D8SQI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2972	D8SQI.exe
2972	D8SQI.exe
2972	D8SQI.exe
2972	D8SQI.exe
2972	D8SQI.exe
2972	D8SQI.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	0cac075f245ad2047532c39acfbe3cf1.exe
Token: 0	2964	0cac075f245ad2047532c39acfbe3cf1.exe
Token: SeDebugPrivilege	2972	D8SQI.exe
Token: 0	2972	D8SQI.exe
Token: SeShutdownPrivilege	2972	D8SQI.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2972	2964	0cac075f245ad2047532c39acfbe3cf1.exe	28
PID 2964 wrote to memory of 2972	2964	0cac075f245ad2047532c39acfbe3cf1.exe	28
PID 2964 wrote to memory of 2972	2964	0cac075f245ad2047532c39acfbe3cf1.exe	28

C:\Users\Admin\AppData\Local\Temp\0cac075f245ad2047532c39acfbe3cf1.exe
"C:\Users\Admin\AppData\Local\Temp\0cac075f245ad2047532c39acfbe3cf1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\D8SQI.exe
  "C:\Users\Admin\AppData\Local\Temp\D8SQI.exe" -Continue|"C:\Users\Admin\AppData\Local\Temp\0cac075f245ad2047532c39acfbe3cf1.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D8SQI.exe

Filesize
4.2MB

MD5
2dd4d160cc480809975e622dcb51a847

SHA1
2d55a378deae70af2e19e6a31dfe6088d6fe4d6b

SHA256
04c00dfb3db3d6804e8017a70bb9ef719b70a3ef81a1b074ffa3fa450704a7ca

SHA512
0d4c12d2d0557c328896ad5f8a03aaba0f8fe93458288992e4ee1905e261603ba7c6e7b892dd9458611a50aee0192912a8a1f8258b267ff8ff02e270e9eb0c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIH\VAC.zip

Filesize
13KB

MD5
5a8e8dedf1d910c79defff5638978d07

SHA1
bfab518af8a53f02c4f98fc321aa0984a208686c

SHA256
d5bf8619a6f47e74aceb629da039f25493b0b8fb2f892bda2b32bd68c0cf8893

SHA512
7acfc4d0bde75a518f394319c8cd6743d36eb7ebcdcd26eeae2fb59ead70bb8b4d2fb29be93c89b529775f8a407a9bcd6e4d2a2955c03b15f2880ff9aa61a519

Download Submit
\Users\Admin\AppData\Local\Temp\ScintillaNET\3.6.3\x64\SciLexer.dll

Filesize
1.3MB

MD5
a70486cf41bf065ff8e76e8619745361

SHA1
e06e75380b17fec737fbdfeaa4a09b83e54d4838

SHA256
1563fc1966e779f0fcb71753f15e73ec770e169a0ad6e3c5af736764d9bd5858

SHA512
02f1c909fcbf7c0f5604ccb4e807640d80a2236c3cac6975e2e849bda318419e7188bb6a48184940eb381e2af375c83d7539e58951edf5e49ec11dd0cff66cc0

Download Submit
memory/2964-6-0x000000001B540000-0x000000001B5C0000-memory.dmp

Filesize
512KB

Download
memory/2964-25-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2964-5-0x000000001C380000-0x000000001C4D4000-memory.dmp

Filesize
1.3MB

Download
memory/2964-0-0x00000000008C0000-0x0000000000CF6000-memory.dmp

Filesize
4.2MB

Download
memory/2964-3-0x000000001B3C0000-0x000000001B4A0000-memory.dmp

Filesize
896KB

Download
memory/2964-10-0x000000001B540000-0x000000001B5C0000-memory.dmp

Filesize
512KB

Download
memory/2964-11-0x000000001B540000-0x000000001B5C0000-memory.dmp

Filesize
512KB

Download
memory/2964-2-0x000000001B540000-0x000000001B5C0000-memory.dmp

Filesize
512KB

Download
memory/2964-1-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2964-4-0x0000000002360000-0x00000000023A2000-memory.dmp

Filesize
264KB

Download
memory/2972-27-0x0000000000AE0000-0x0000000000B60000-memory.dmp

Filesize
512KB

Download
memory/2972-26-0x0000000000D30000-0x0000000001166000-memory.dmp

Filesize
4.2MB

Download
memory/2972-28-0x0000000000AE0000-0x0000000000B60000-memory.dmp

Filesize
512KB

Download
memory/2972-31-0x0000000000AE0000-0x0000000000B60000-memory.dmp

Filesize
512KB

Download
memory/2972-32-0x0000000000AE0000-0x0000000000B60000-memory.dmp

Filesize
512KB

Download
memory/2972-24-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2972-34-0x0000000000AE0000-0x0000000000B60000-memory.dmp

Filesize
512KB

Download
memory/2972-35-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2972-36-0x0000000000AE0000-0x0000000000B60000-memory.dmp

Filesize
512KB

Download
memory/2972-37-0x0000000000AE0000-0x0000000000B60000-memory.dmp

Filesize
512KB

Download
memory/2972-38-0x0000000000AE0000-0x0000000000B60000-memory.dmp

Filesize
512KB

Download
memory/2972-39-0x0000000000AE0000-0x0000000000B60000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing