477f2355a728cecfcbb21dcdc3da50a1b2145e27a8ba136a43b57810670f6881

General

Target

07b12079a308905769e9b1078650d5e6.exe
Size

890KB
MD5

07b12079a308905769e9b1078650d5e6
SHA1

401306407e151f3ec203d58f209ca41940d9793e
SHA256

477f2355a728cecfcbb21dcdc3da50a1b2145e27a8ba136a43b57810670f6881
SHA512

5123b52831502d906153fb52f4684c5976b9caa7157b872dd8f91abf991f8d9843ac5737ec24da895f6f98e5778008f6ceaad49785e4a9974665dd8d9174ffc7
SSDEEP

24576:WHLmCiIh+yWCtgGMORpJZB292z63rqPAf:7UHMORpJZQ964qPAf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2268	Whitelist.exe
2892	Skisploit.exe

Loads dropped DLL 8 IoCs

pid	Process
2564	07b12079a308905769e9b1078650d5e6.exe
2564	07b12079a308905769e9b1078650d5e6.exe
2564	07b12079a308905769e9b1078650d5e6.exe
2564	07b12079a308905769e9b1078650d5e6.exe
2564	07b12079a308905769e9b1078650d5e6.exe
2564	07b12079a308905769e9b1078650d5e6.exe
2564	07b12079a308905769e9b1078650d5e6.exe
2564	07b12079a308905769e9b1078650d5e6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2268	Whitelist.exe
2892	Skisploit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	Whitelist.exe
Token: SeDebugPrivilege	2892	Skisploit.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2268	2564	07b12079a308905769e9b1078650d5e6.exe	28
PID 2564 wrote to memory of 2268	2564	07b12079a308905769e9b1078650d5e6.exe	28
PID 2564 wrote to memory of 2268	2564	07b12079a308905769e9b1078650d5e6.exe	28
PID 2564 wrote to memory of 2268	2564	07b12079a308905769e9b1078650d5e6.exe	28
PID 2564 wrote to memory of 2892	2564	07b12079a308905769e9b1078650d5e6.exe	29
PID 2564 wrote to memory of 2892	2564	07b12079a308905769e9b1078650d5e6.exe	29
PID 2564 wrote to memory of 2892	2564	07b12079a308905769e9b1078650d5e6.exe	29
PID 2564 wrote to memory of 2892	2564	07b12079a308905769e9b1078650d5e6.exe	29

C:\Users\Admin\AppData\Local\Temp\07b12079a308905769e9b1078650d5e6.exe
"C:\Users\Admin\AppData\Local\Temp\07b12079a308905769e9b1078650d5e6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\Whitelist.exe
  "C:\Users\Admin\AppData\Local\Temp\Whitelist.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Users\Admin\AppData\Local\Temp\Skisploit.exe
  "C:\Users\Admin\AppData\Local\Temp\Skisploit.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\Users\Admin\AppData\Local\Temp\Skisploit.exe

Filesize
427KB

MD5
36a39d094c17f88226a5aba5f00c4184

SHA1
fa57830b19cfde486047460c414360a73cbe90f2

SHA256
8d2ca41510115e78928cca10db7ab39cd0ccc15a3589743c2ae286a571dc9169

SHA512
25bbe61d96274e28ff1e0f1c07e1849fba35d19ad9c915f0d64c1625dbff346333bb801937141d8dac1e9e2ebc67aea92711dea877d93cb43984ea2ae4418788

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\Whitelist.exe

Filesize
300KB

MD5
1f17714919b1f001eacb357d85e4ec9d

SHA1
61a362276b62a3ff7e3576437f165677b616adf9

SHA256
0ab3551611c608785afab69c29af015accec97453063fa3a77394c22e20baad0

SHA512
d2d29066bcce2afb0c0a5e55d708d0244128035477baa92892ba2d58d887d884952e1058545251ee4ab438d77d9d14d56c09b7caf02ba6a7e2875ccec49d5dbb

Download Submit
\Users\Admin\AppData\Local\Temp\Skisploit.exe

Filesize
287KB

MD5
95e0a247ebc338b44ef90403011e9060

SHA1
9d08aa9eb059ff40aa0a3f580227f25328e6d91b

SHA256
79ef7f00bb68986aa9e357d545dd3c385bfd5a0869f2297d5cab2e138ef14ca1

SHA512
edcfa1476e0fc59114517f6236f53d110e1a7e08f23bbb6ac463cfe71833b41c64a3811c9a43bc4c4c1af14d89ba2e5bdaf5eeab74f44528170e21bea5ef4f00

Download Submit
\Users\Admin\AppData\Local\Temp\Skisploit.exe

Filesize
341KB

MD5
cd7c5af4c624a32bb4f0a1b11cc84a69

SHA1
f8a4bc9878ef80eb1faa9e099536216fa6edd13a

SHA256
b4f850edb8fbcfc645986ed8df0eab4cc4ba32db715e2f3705a4ad52a3b4f381

SHA512
ecd905b601dc9dc025fde5d0f3199c881fc32e8c148b29fada477a59ae3a7a514ce839415d2a1f184d3daf4d79ebd98b741cd7017622cb7e58e016cc45ce88fc

Download Submit
\Users\Admin\AppData\Local\Temp\Skisploit.exe

Filesize
435KB

MD5
0f2caa8f09eeaad8aec78b314344a554

SHA1
46f80716ee0f03383e4ad9800c6fb2738bcab61e

SHA256
2e485c548096e1ee7a99e605377ac48685e9422d3c627296737f2f0c36323d80

SHA512
37770fca29a60e1a7ed36630f3b2bc8ef636fa6a6334eda3def3a55ce2b7962b60fff2f33a7ab8a6d07d41afc170a9fda374f236bc9dbb7289eee8b523e7987a

Download Submit
\Users\Admin\AppData\Local\Temp\Skisploit.exe

Filesize
372KB

MD5
ab8b6b56e6c6082f687f0936e8d90041

SHA1
e49763082a7d4b3b4a761cabacdb1920d61659cd

SHA256
a636e7771650227994514849089fbe7780a656a990c673b263e891146f2b7834

SHA512
5db8dc3e20bb47f31b5d5da885db779a4ee16ebd0f92344644f3d28c09d51eb90d54268e50ee039cbca56f2176cdc284a102cbbc417ac6582a27c72a3e0134e3

Download Submit
\Users\Admin\AppData\Local\Temp\Whitelist.exe

Filesize
409KB

MD5
f4f53c7709fdf2bf71e217f85b85b809

SHA1
54c316959deea3b9c26b23c3414d432f19e6f862

SHA256
95c6ca270f8672826d649b3989a22ffb0301e35f425b6301c268ee6ff404d81d

SHA512
af7d69b17d6b931ec5e18dd16dd3345cfd11239ffbcf55601267c908aba9ba0100548e95de709d027e3d3f094ebebace79f0774296f07457aaaddd4dee99a8cc

Download Submit
memory/2268-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2268-49-0x00000000050C0000-0x0000000005100000-memory.dmp

Filesize
256KB

Download
memory/2268-48-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/2268-51-0x00000000733C0000-0x0000000073AAE000-memory.dmp

Filesize
6.9MB

Download
memory/2268-47-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/2268-36-0x00000000776C0000-0x00000000776C1000-memory.dmp

Filesize
4KB

Download
memory/2268-44-0x00000000050C0000-0x0000000005100000-memory.dmp

Filesize
256KB

Download
memory/2268-40-0x00000000733C0000-0x0000000073AAE000-memory.dmp

Filesize
6.9MB

Download
memory/2564-25-0x00000000033C0000-0x0000000003414000-memory.dmp

Filesize
336KB

Download
memory/2564-18-0x0000000003180000-0x00000000031D0000-memory.dmp

Filesize
320KB

Download
memory/2564-17-0x0000000003180000-0x00000000031D0000-memory.dmp

Filesize
320KB

Download
memory/2564-7-0x0000000003180000-0x00000000031D0000-memory.dmp

Filesize
320KB

Download
memory/2892-41-0x00000000733C0000-0x0000000073AAE000-memory.dmp

Filesize
6.9MB

Download
memory/2892-42-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2892-45-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/2892-38-0x00000000003E0000-0x00000000003E5000-memory.dmp

Filesize
20KB

Download
memory/2892-37-0x00000000776C0000-0x00000000776C1000-memory.dmp

Filesize
4KB

Download
memory/2892-46-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/2892-53-0x00000000733C0000-0x0000000073AAE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing