e4a8df4dcd3d0121915de07ce56317f9eed2f949a3842ff075b42f4714a467e5

General

Target

a99bb08c877eaaf1349662ca111b3cd0.exe
Size

1.1MB
MD5

a99bb08c877eaaf1349662ca111b3cd0
SHA1

e154a40099eeff1f5ef3fc9553a0ceee0aada8f0
SHA256

e4a8df4dcd3d0121915de07ce56317f9eed2f949a3842ff075b42f4714a467e5
SHA512

f104aa79d250cc15e8a62404d4ddc1078dabe123fa9a8abc79db80276d1335fd65fee07599780cb0386bc108809b4a2373db7043d501b2f24c570e9fcc87e7be
SSDEEP

24576:mG70Svy/+So8K7Xpc4cWLzeZ7/QUX7a7n:m9SvRSo8KNpP/eZrX7e

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Kcwdiyys.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Kcwdiyys.exe

Executes dropped EXE 1 IoCs

pid	Process
2576	Kcwdiyys.exe

Loads dropped DLL 1 IoCs

pid	Process
2568	a99bb08c877eaaf1349662ca111b3cd0.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2792 set thread context of 2568	2792	a99bb08c877eaaf1349662ca111b3cd0.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	a99bb08c877eaaf1349662ca111b3cd0.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2568	2792	a99bb08c877eaaf1349662ca111b3cd0.exe	29
PID 2792 wrote to memory of 2568	2792	a99bb08c877eaaf1349662ca111b3cd0.exe	29
PID 2792 wrote to memory of 2568	2792	a99bb08c877eaaf1349662ca111b3cd0.exe	29
PID 2792 wrote to memory of 2568	2792	a99bb08c877eaaf1349662ca111b3cd0.exe	29
PID 2792 wrote to memory of 2568	2792	a99bb08c877eaaf1349662ca111b3cd0.exe	29
PID 2792 wrote to memory of 2568	2792	a99bb08c877eaaf1349662ca111b3cd0.exe	29
PID 2792 wrote to memory of 2568	2792	a99bb08c877eaaf1349662ca111b3cd0.exe	29
PID 2792 wrote to memory of 2568	2792	a99bb08c877eaaf1349662ca111b3cd0.exe	29
PID 2792 wrote to memory of 2568	2792	a99bb08c877eaaf1349662ca111b3cd0.exe	29
PID 2792 wrote to memory of 2568	2792	a99bb08c877eaaf1349662ca111b3cd0.exe	29
PID 2568 wrote to memory of 2576	2568	a99bb08c877eaaf1349662ca111b3cd0.exe	32
PID 2568 wrote to memory of 2576	2568	a99bb08c877eaaf1349662ca111b3cd0.exe	32
PID 2568 wrote to memory of 2576	2568	a99bb08c877eaaf1349662ca111b3cd0.exe	32
PID 2568 wrote to memory of 2576	2568	a99bb08c877eaaf1349662ca111b3cd0.exe	32
PID 2568 wrote to memory of 1940	2568	a99bb08c877eaaf1349662ca111b3cd0.exe	31
PID 2568 wrote to memory of 1940	2568	a99bb08c877eaaf1349662ca111b3cd0.exe	31
PID 2568 wrote to memory of 1940	2568	a99bb08c877eaaf1349662ca111b3cd0.exe	31
PID 2568 wrote to memory of 1940	2568	a99bb08c877eaaf1349662ca111b3cd0.exe	31
PID 1940 wrote to memory of 2460	1940	cmd.exe	33
PID 1940 wrote to memory of 2460	1940	cmd.exe	33
PID 1940 wrote to memory of 2460	1940	cmd.exe	33
PID 1940 wrote to memory of 2460	1940	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\a99bb08c877eaaf1349662ca111b3cd0.exe
"C:\Users\Admin\AppData\Local\Temp\a99bb08c877eaaf1349662ca111b3cd0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\a99bb08c877eaaf1349662ca111b3cd0.exe
  "C:\Users\Admin\AppData\Local\Temp\a99bb08c877eaaf1349662ca111b3cd0.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Tjsjv.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d "1" /f
      4⤵
      PID:2460
- - C:\Users\Admin\AppData\Local\Temp\Kcwdiyys.exe
    "C:\Users\Admin\AppData\Local\Temp\Kcwdiyys.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Kcwdiyys.exe

Filesize
15KB

MD5
cec301249206bba4c5e26035bf646fda

SHA1
38d00ddeff6ea6bf9458c35a0f00bd42461737f4

SHA256
756f6377affef18ecbf12e4b9a7a7a6acba4f3e93767f44f625366b2581c7974

SHA512
3853cf60346ba511d6ba031074b7ac0fc35d071fc890db2ca49b2ecfa82664feb9a20943d95eedc093df768717dc0148841cceee354490b81f60dae031f6d47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kcwdiyys.exe

Filesize
16KB

MD5
fe17bf2405ca49a116e8c90522c9a491

SHA1
5cf59e48703dbd95bbd8cf90a266039594c01104

SHA256
7ae507dc5ada579ea1c32c565942dc71fc5a2150956295ad4bca35fc1bcdfdf6

SHA512
08c4e64fadfb75e3c60ce23be3f030aa0aefafc43f454064d446ce26d3e4c4d41f61abf2927d6eed5a6230aab0d4ec04b27ea33c76cf9457ef02ec9a516107ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tjsjv.bat

Filesize
108B

MD5
606064bf64d4431c11bb515e6af6cae7

SHA1
8e6821e4ba614a44792b0dc1bdb49520be5f8547

SHA256
b118432ae179089c91f451e54b8cb275c2a8e3afe36651fb558e29d6f797bf87

SHA512
ca891d2fb98a11590cd36ae43d897212c84c562cb741983338b5330dc58a4eb9167d5362acfb78beae9c1c40ea929dfe9b3724075c87b192ce6b2952dc3d1bdf

Download Submit
\Users\Admin\AppData\Local\Temp\Kcwdiyys.exe

Filesize
12KB

MD5
cf7d1c2bdd22f4d8fbf46945afa370a9

SHA1
0836ed8f08ef0d041928283f20fb0f80d91a5295

SHA256
8ab0d273f1c7f1bc6ceb97e5e790647cdc3880f8cfe3a319471e9978a6c16eca

SHA512
b2993126d8b78881ba6ea82b56f692dca34fe183aba8ba34a565e09ba40d3ee11f0c4da5d263bfb526695343ffd4d82a42051f450cc8b7211eab97267a96ca44

Download Submit
memory/2568-16-0x0000000004520000-0x0000000004560000-memory.dmp

Filesize
256KB

Download
memory/2568-5-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2568-7-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2568-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2568-8-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2568-11-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2568-13-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2568-6-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2568-15-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2568-33-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2568-3-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2576-43-0x000000001ACC0000-0x000000001AD40000-memory.dmp

Filesize
512KB

Download
memory/2576-42-0x000000001ACC0000-0x000000001AD40000-memory.dmp

Filesize
512KB

Download
memory/2576-41-0x000000001ACC0000-0x000000001AD40000-memory.dmp

Filesize
512KB

Download
memory/2576-40-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2576-34-0x0000000000950000-0x0000000000A06000-memory.dmp

Filesize
728KB

Download
memory/2576-38-0x000000001ACC0000-0x000000001AD40000-memory.dmp

Filesize
512KB

Download
memory/2576-35-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2576-36-0x000000001ACC0000-0x000000001AD40000-memory.dmp

Filesize
512KB

Download
memory/2576-39-0x000000001ACC0000-0x000000001AD40000-memory.dmp

Filesize
512KB

Download
memory/2792-14-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-0-0x0000000000F40000-0x0000000001064000-memory.dmp

Filesize
1.1MB

Download
memory/2792-2-0x00000000005C0000-0x0000000000600000-memory.dmp

Filesize
256KB

Download
memory/2792-1-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-17-0x00000000005C0000-0x0000000000600000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing