88731d2aa902f1b7a580d143c96a4a401bb8c34a20de87945936ee4db8fd7ca0

General

Target

1211a47e1a6d01156685c2bcbaefb7ea.exe
Size

3.8MB
MD5

1211a47e1a6d01156685c2bcbaefb7ea
SHA1

10020358dabd8961d7801287e09b42e80e5a3695
SHA256

88731d2aa902f1b7a580d143c96a4a401bb8c34a20de87945936ee4db8fd7ca0
SHA512

9fecc432e57088f0d62aa02d1710430dc894bb88a9ba698b6599e98d72670d85520f8d5226b301eb27fce8ef75ba668f9d1e8edb21639916950938ed1e704427
SSDEEP

49152:ZTaY6tV3zSYiaAKl1YEmGeRJ/Wouej0lvSXnif2vhpOw+RKr6V7YEAqNmxsa5w2x:szVD0aAgtg7o2vzTW5Ynl5tCC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2196	AutoPico.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\PaintDesktopVersion = "0"	AutoPico.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1628	powershell.exe
1628	powershell.exe
1628	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 1628	1288	1211a47e1a6d01156685c2bcbaefb7ea.exe	28
PID 1288 wrote to memory of 1628	1288	1211a47e1a6d01156685c2bcbaefb7ea.exe	28
PID 1288 wrote to memory of 1628	1288	1211a47e1a6d01156685c2bcbaefb7ea.exe	28
PID 1628 wrote to memory of 2196	1628	powershell.exe	30
PID 1628 wrote to memory of 2196	1628	powershell.exe	30
PID 1628 wrote to memory of 2196	1628	powershell.exe	30

C:\Users\Admin\AppData\Local\Temp\1211a47e1a6d01156685c2bcbaefb7ea.exe
"C:\Users\Admin\AppData\Local\Temp\1211a47e1a6d01156685c2bcbaefb7ea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" –NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\62E8.tmp\62E9.tmp\62EA.ps1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Users\Admin\AppData\Roaming\AutoPico.exe
    "C:\Users\Admin\AppData\Roaming\AutoPico.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Control Panel
    PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\62E8.tmp\62E9.tmp\62EA.ps1

Filesize
202B

MD5
7f76b01c19c50cd0fe50d3791e8096c5

SHA1
e6578af13929e71e31b7779199cee74cada4d927

SHA256
4a488d0749b86b862bcd2d3d1c2768d111f7715de1fd1227d2c5264d60977ad0

SHA512
f3d66b84d60906d5dac21a40479a36efaa71c30798c7c8cd0d240cbe4879bbf34e0b152b074431c956a7e6c82d689c4e46c2a04c254f0e4c50d47c440ec5c705

Download Submit
C:\Users\Admin\AppData\Roaming\AutoPico.exe

Filesize
375KB

MD5
d9022ff30e261d06a8ce867e9b603311

SHA1
765157def3a5d2bc690b41c20810f9e2109f539e

SHA256
54ae9e3ee5edb55908783e3cd785fc1f41f29f61fc45d1c0e73a73827660d99a

SHA512
e26eb85d18508697b0010ac2e1115b80a7d50e3df8b98dc811c851363466b1d25162352ed2e80f4637069ab5ff98d3c5732332603f221870b516bb85ea4cacc5

Download Submit
C:\Users\Admin\AppData\Roaming\AutoPico.exe

Filesize
264KB

MD5
cf6d2761f20959e6d6da3571db9a85fc

SHA1
f83a258d0900a9eb01883a3c76126bcaf20510a0

SHA256
695e068f793727cb72c1295472e7c7e7eaa1ddf711d7a3fbc7a4b510160bcfb2

SHA512
d3036f05b3d1e5a49fce57ce7e3c127ac0ab418423a784858cc4bdf24828d0432ba75b5833940c0135d47cd048019d0851ea20ba767e51b81811f9bffb5568f6

Download Submit
C:\Users\Admin\AppData\Roaming\logs\AutoPico.log

Filesize
4KB

MD5
c926eb1172dc5ceb1040fe0a33964234

SHA1
c1cc65c1f564cb03cd3f4ac7a2c8b0264ca510d4

SHA256
b6f22656597d51fba0edb3cba5a6cac20de74e9dfebff399f6a518ddaa75de84

SHA512
c319b93edbe23bf0be8f62d2d41dcf695f4bee87bcb67645f06ec10829c4cdc1683d0057726d2fc3c6279f46b5fa8519ded09ffcc952b631787170f2287cfe05

Download Submit
memory/1628-627-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/1628-624-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/1628-623-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/1628-626-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/1628-619-0x000000001B1A0000-0x000000001B482000-memory.dmp

Filesize
2.9MB

Download
memory/1628-622-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/1628-621-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/1628-936-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/1628-620-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2196-937-0x0000000000B10000-0x0000000000BCA000-memory.dmp

Filesize
744KB

Download
memory/2196-938-0x000007FEEE770000-0x000007FEEF15C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-939-0x000000001BAB0000-0x000000001BB30000-memory.dmp

Filesize
512KB

Download
memory/2196-988-0x000007FEEE770000-0x000007FEEF15C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing