d48fe049d7d8be195311f4d63571dc37aff2eeedb663f66ab4a1373b8e78ce65

General

Target

1d03e1578e120bb1bd0c7584d0632567.exe
Size

9KB
MD5

1d03e1578e120bb1bd0c7584d0632567
SHA1

be732464b06a5e9e935f8eefe988aeed8f92952d
SHA256

d48fe049d7d8be195311f4d63571dc37aff2eeedb663f66ab4a1373b8e78ce65
SHA512

1f55dc1f274b325aa51068249e24b16deb7460af52b9e15b48fa85431d2e35e58363498ec3bb467c5f25dc2eb0a2593a97707e62cc4a02f91d48cc1b2bd91c59
SSDEEP

192:2Ncai6Kk15esnALFOxgbcF+LKdLphYlV5j/Vwn0Y9cX108RKjOGC3:taj2pwHhYlV57cF7VC3

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2628	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1668	cfmon.exe

Loads dropped DLL 2 IoCs

pid	Process
896	1d03e1578e120bb1bd0c7584d0632567.exe
896	1d03e1578e120bb1bd0c7584d0632567.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\cfmon.exe	1d03e1578e120bb1bd0c7584d0632567.exe
File opened for modification	C:\Windows\system\cfmon.exe	1d03e1578e120bb1bd0c7584d0632567.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2976	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	896	1d03e1578e120bb1bd0c7584d0632567.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeDebugPrivilege	1668	cfmon.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 3052	896	1d03e1578e120bb1bd0c7584d0632567.exe	29
PID 896 wrote to memory of 3052	896	1d03e1578e120bb1bd0c7584d0632567.exe	29
PID 896 wrote to memory of 3052	896	1d03e1578e120bb1bd0c7584d0632567.exe	29
PID 896 wrote to memory of 3052	896	1d03e1578e120bb1bd0c7584d0632567.exe	29
PID 3052 wrote to memory of 2976	3052	cmd.exe	31
PID 3052 wrote to memory of 2976	3052	cmd.exe	31
PID 3052 wrote to memory of 2976	3052	cmd.exe	31
PID 3052 wrote to memory of 2976	3052	cmd.exe	31
PID 896 wrote to memory of 1668	896	1d03e1578e120bb1bd0c7584d0632567.exe	33
PID 896 wrote to memory of 1668	896	1d03e1578e120bb1bd0c7584d0632567.exe	33
PID 896 wrote to memory of 1668	896	1d03e1578e120bb1bd0c7584d0632567.exe	33
PID 896 wrote to memory of 1668	896	1d03e1578e120bb1bd0c7584d0632567.exe	33
PID 896 wrote to memory of 2628	896	1d03e1578e120bb1bd0c7584d0632567.exe	34
PID 896 wrote to memory of 2628	896	1d03e1578e120bb1bd0c7584d0632567.exe	34
PID 896 wrote to memory of 2628	896	1d03e1578e120bb1bd0c7584d0632567.exe	34
PID 896 wrote to memory of 2628	896	1d03e1578e120bb1bd0c7584d0632567.exe	34
PID 1668 wrote to memory of 2856	1668	cfmon.exe	35
PID 1668 wrote to memory of 2856	1668	cfmon.exe	35
PID 1668 wrote to memory of 2856	1668	cfmon.exe	35
PID 1668 wrote to memory of 2856	1668	cfmon.exe	35
PID 2856 wrote to memory of 824	2856	WScript.exe	38
PID 2856 wrote to memory of 824	2856	WScript.exe	38
PID 2856 wrote to memory of 824	2856	WScript.exe	38
PID 2856 wrote to memory of 824	2856	WScript.exe	38

C:\Users\Admin\AppData\Local\Temp\1d03e1578e120bb1bd0c7584d0632567.exe
"C:\Users\Admin\AppData\Local\Temp\1d03e1578e120bb1bd0c7584d0632567.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im cfmon.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im cfmon.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
- C:\Windows\system\cfmon.exe
  C:\Windows\system\cfmon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\338.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c del C:\Windows\system32\drivers\etc\hosts
      4⤵
      PID:824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\1d03e1578e120bb1bd0c7584d0632567.exe"
  2⤵
  - Deletes itself
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\338.vbe

Filesize
1KB

MD5
c380998f121e79d60b44e22661bc6941

SHA1
ba1fbeb25fa155f93d3a2dcc4b10beb02eb16560

SHA256
4ea78da9063725bce786069965bc638bfcdf27136ed661faea8b90c94c688f90

SHA512
f0b357a4bf866996518c67ec27653cd7795555fbada5aa8297728818e3a6b4cc27d0ebf757f5a00837f6dbf27695ff7b4bc61d060e219b938662c62a654b770d

Download Submit
\Windows\system\cfmon.exe

Filesize
9KB

MD5
1d03e1578e120bb1bd0c7584d0632567

SHA1
be732464b06a5e9e935f8eefe988aeed8f92952d

SHA256
d48fe049d7d8be195311f4d63571dc37aff2eeedb663f66ab4a1373b8e78ce65

SHA512
1f55dc1f274b325aa51068249e24b16deb7460af52b9e15b48fa85431d2e35e58363498ec3bb467c5f25dc2eb0a2593a97707e62cc4a02f91d48cc1b2bd91c59

Download Submit
memory/896-9-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1668-12-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing