bb1ecd1c00c3880c69f3fa6d049e3c91d8c3f482edf6104db708a5328eaee991

General

Target

36ef580d4f343a8ecebd95136aed56e2.exe
Size

176KB
MD5

36ef580d4f343a8ecebd95136aed56e2
SHA1

1a6f97de5cdd7f185f79f284c22269ee8054d03a
SHA256

bb1ecd1c00c3880c69f3fa6d049e3c91d8c3f482edf6104db708a5328eaee991
SHA512

89bb65c0b25dd97d121f8b7fa73b6d3b5dd43fd65460447843933ea83ffff2428efddc80439f021521a2d9f7d71539350dbfc0ffb0f45a40cd5c1b6000901ea7
SSDEEP

3072:1YaQ1Knr+mWlfmfIOrycJaxFuT/hZeOOdUJqO3L/6gesO0bq:1YaQarpWt+IOruFuNZeOOdU/6dsO3

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2804	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2472	update32.exe

Loads dropped DLL 1 IoCs

pid	Process
1452	36ef580d4f343a8ecebd95136aed56e2.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\soaction32.dll	36ef580d4f343a8ecebd95136aed56e2.exe
File opened for modification	C:\Windows\SysWOW64\soaction32.dll	36ef580d4f343a8ecebd95136aed56e2.exe
File created	C:\Windows\SysWOW64\maxsvc32.dll	36ef580d4f343a8ecebd95136aed56e2.exe
File opened for modification	C:\Windows\SysWOW64\maxsvc32.dll	36ef580d4f343a8ecebd95136aed56e2.exe
File created	C:\Windows\SysWOW64\insvc32.exe	36ef580d4f343a8ecebd95136aed56e2.exe
File opened for modification	C:\Windows\SysWOW64\insvc32.exe	36ef580d4f343a8ecebd95136aed56e2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1452	36ef580d4f343a8ecebd95136aed56e2.exe
1452	36ef580d4f343a8ecebd95136aed56e2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1452	36ef580d4f343a8ecebd95136aed56e2.exe
Token: SeDebugPrivilege	2472	update32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 424	1452	36ef580d4f343a8ecebd95136aed56e2.exe	3
PID 1452 wrote to memory of 2472	1452	36ef580d4f343a8ecebd95136aed56e2.exe	28
PID 1452 wrote to memory of 2472	1452	36ef580d4f343a8ecebd95136aed56e2.exe	28
PID 1452 wrote to memory of 2472	1452	36ef580d4f343a8ecebd95136aed56e2.exe	28
PID 1452 wrote to memory of 2472	1452	36ef580d4f343a8ecebd95136aed56e2.exe	28
PID 1452 wrote to memory of 2472	1452	36ef580d4f343a8ecebd95136aed56e2.exe	28
PID 1452 wrote to memory of 2472	1452	36ef580d4f343a8ecebd95136aed56e2.exe	28
PID 1452 wrote to memory of 2472	1452	36ef580d4f343a8ecebd95136aed56e2.exe	28
PID 1452 wrote to memory of 2804	1452	36ef580d4f343a8ecebd95136aed56e2.exe	29
PID 1452 wrote to memory of 2804	1452	36ef580d4f343a8ecebd95136aed56e2.exe	29
PID 1452 wrote to memory of 2804	1452	36ef580d4f343a8ecebd95136aed56e2.exe	29
PID 1452 wrote to memory of 2804	1452	36ef580d4f343a8ecebd95136aed56e2.exe	29
PID 2472 wrote to memory of 1996	2472	update32.exe	32
PID 2472 wrote to memory of 1996	2472	update32.exe	32
PID 2472 wrote to memory of 1996	2472	update32.exe	32
PID 2472 wrote to memory of 1996	2472	update32.exe	32

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Users\Admin\AppData\Local\Temp\36ef580d4f343a8ecebd95136aed56e2.exe
"C:\Users\Admin\AppData\Local\Temp\36ef580d4f343a8ecebd95136aed56e2.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\AppData\Local\Temp\update32.exe
  "C:\Users\Admin\AppData\Local\Temp\update32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\_unins_u32.bat" "
    3⤵
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_unins_mxz.bat" "
  2⤵
  - Deletes itself
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_unins_mxz.bat

Filesize
368B

MD5
ecda3c1f4e5f913cfed7defd52720a7e

SHA1
d06b188b70249984911fa7b278fa7078c054cbaa

SHA256
bbb0a7001c44e884804496c9bd2eb1f1111a3a6cf2d1477981ae74a7d1458cf5

SHA512
d38913cc34d221aca353734a2bd6cc3ecaf094a9a7f7d205c0449708e29c7e15338caaf4df2312e7322f206574dba1a9a6545f718b50d764d603296aeb97a0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_unins_u32.bat

Filesize
188B

MD5
2c7320344b59eaafc488717a9e8dac7e

SHA1
7cf56b082438ffd9371bc23277ef32fa006e5e3c

SHA256
5d9a36bca8f9f21180c9f33875a339b07414f0cb2d5aed2d43240f82da2f4ea2

SHA512
f7536383656a57b045e58f8781b98e8e1c8f9b83ef0abf579fd3796c0e0f708a6f2aff2b40db16ddde44c7db424f53830fdd57bd36e2aa810dfa031650076b48

Download Submit
\Users\Admin\AppData\Local\Temp\update32.exe

Filesize
40KB

MD5
d271656e84a732815a31898e72dfb311

SHA1
df7ce991916a03d7ed04f54a1347cbff462935fe

SHA256
3be2f18841e29e383bb6980d56d1a4b624f81d31b04e37ba1bcbf94c4edbc615

SHA512
688cedd26b10a50b814c3a4df9f4a08d5462dce97b9cb003d971f3c2aa5e7c4498192471ac8d8a53285d13dce87fb963e226d0127661edb0fed1aab79e3913cb

Download Submit
memory/424-9-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing