2bec98a3a4ecd6e00b002db7b651f04703d87da4d1eaf3b83ebea42c6cb30835

General

Target

1b69c4f8042212d0ea0f021d83f24adf.exe
Size

672KB
MD5

1b69c4f8042212d0ea0f021d83f24adf
SHA1

ce1b3d34ae4e8854485b2951e72a1fceae6687aa
SHA256

2bec98a3a4ecd6e00b002db7b651f04703d87da4d1eaf3b83ebea42c6cb30835
SHA512

2b43e279f556ae445db9fc5fa98e2618d1b893c1c72d7c484bef1b08321dd7eda88ec4f82f629b60a75417617b5909e9c95cd6bd9de67008f1ab88c4b6ded30f
SSDEEP

12288:aeBNUbTVO86UCHruRdp+WA00SKCpVRwf/XSVUhbxk9e/pJu:aJIUCNd0nKwY3X+UhbW9eM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
464	Process not Found
1908	alg.exe
1748	aspnet_state.exe
544	mscorsvw.exe

Loads dropped DLL 1 IoCs

pid	Process
464	Process not Found

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\svchost.exe	1b69c4f8042212d0ea0f021d83f24adf.exe
File opened for modification	\??\c:\windows\system32\alg.exe	1b69c4f8042212d0ea0f021d83f24adf.exe
File created	\??\c:\windows\system32\dcoikpbj.tmp	1b69c4f8042212d0ea0f021d83f24adf.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\lecnknbl.tmp	1b69c4f8042212d0ea0f021d83f24adf.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	alg.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	1b69c4f8042212d0ea0f021d83f24adf.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	1b69c4f8042212d0ea0f021d83f24adf.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	alg.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	alg.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\opngdgcj.tmp	1b69c4f8042212d0ea0f021d83f24adf.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	1b69c4f8042212d0ea0f021d83f24adf.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\gnmlpbno.tmp	alg.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\joqkgdom.tmp	alg.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\cicfdedf.tmp	1b69c4f8042212d0ea0f021d83f24adf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2480	1b69c4f8042212d0ea0f021d83f24adf.exe
Token: SeTakeOwnershipPrivilege	1908	alg.exe

C:\Users\Admin\AppData\Local\Temp\1b69c4f8042212d0ea0f021d83f24adf.exe
"C:\Users\Admin\AppData\Local\Temp\1b69c4f8042212d0ea0f021d83f24adf.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1748

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\olpdamiq\cmd.exe

Filesize
732KB

MD5
2f03be55f35cd40db1bb890a1f215c50

SHA1
ce4798a98c9384fde05f204b283dc8f436f12c60

SHA256
8e2d6e3c2f3c6c1ce213e6a1b9d82f939be1745ec2a634eb64a2da495275916f

SHA512
b00f2ad8871bf5f8bcf18a79d632cd1ff3624d34401a15b5dd3814fb64937a3614767fc94dd57fe3b72a75a327b0b89b60e96ead0d755f1b5e90f526d8c8acb8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
453KB

MD5
405d1bc7dfbf95d72a940aab1152142d

SHA1
3db8199b2f3f1c2875a97bc58fe5acf1f39ec5c2

SHA256
3d0a076b1b8f411e28a74d4d8f6ae839954b38acb9b61fdfe4dd9ad05057e319

SHA512
021f109e91fa9043684882481bfdb45fafb8a7348ab94dddd31f34f6acfa6b30758d8510fb445906bb96591d3f26bac99fe1a2701375c068468a4e6e7158110d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
128KB

MD5
493bf611b0d0a4ef53082ead81990df4

SHA1
f5e9b8465ea959a9af7209339d7076288a3aa1f9

SHA256
a049c867764a3f4322f558c2586c43bbc182c392b44eda898ef64fce6bbcbd16

SHA512
a2bf5d2f142b6064dad7acf1b9adc8bf479e84381b28932aea7be88afcfd2e000da7f3e9d7bb377edf456b60c95eff7176cde5eb27e49f42c393a1c4d1238553

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
431KB

MD5
2d9d7ae59264d742dd5adfb2ce424b05

SHA1
ce52851e4eda7bf9d0f1caf61339a905503648c2

SHA256
623f21e2e115bb150653ea2385b10320a8dc4e612a099d7fbe19df65808c30ca

SHA512
154c5271c0f46731daa24a70d5ffef6bc2f1153fd3d320e7ac96e2f9bb47d7fdc65acc776f830ae076abf3e306b3c922c64e770546349cbcea40db9ec47f36c7

Download Submit
\Windows\System32\alg.exe

Filesize
472KB

MD5
cbe41987a3ce82488e2587b9b9d43024

SHA1
e5f7748907bda8497cc730a7e98bea208721dd27

SHA256
e794ac6124f165fb38110a8d1025a804365b75acafcb83410afc28624957f6a6

SHA512
c1fead09dd5dcc83dcc96db4206772476f14da28d363e4a38f17510baef5279b151e25e47dbf5eb234f0ec922e1671180655db54cbc6389b994b7993a63cb984

Download Submit
memory/544-47-0x0000000010000000-0x00000000100A4000-memory.dmp

Filesize
656KB

Download
memory/544-46-0x0000000010000000-0x00000000100A4000-memory.dmp

Filesize
656KB

Download
memory/1748-45-0x000000013F820000-0x000000013F8E6000-memory.dmp

Filesize
792KB

Download
memory/1748-30-0x000000013F820000-0x000000013F8E6000-memory.dmp

Filesize
792KB

Download
memory/1748-29-0x000000013F820000-0x000000013F8E6000-memory.dmp

Filesize
792KB

Download
memory/1908-24-0x00000000FF470000-0x00000000FF53D000-memory.dmp

Filesize
820KB

Download
memory/1908-26-0x00000000FF470000-0x00000000FF53D000-memory.dmp

Filesize
820KB

Download
memory/1908-19-0x00000000FF470000-0x00000000FF53D000-memory.dmp

Filesize
820KB

Download
memory/1908-18-0x00000000FF470000-0x00000000FF53D000-memory.dmp

Filesize
820KB

Download
memory/2480-0-0x000000013F930000-0x000000013FA30000-memory.dmp

Filesize
1024KB

Download
memory/2480-11-0x000000013F930000-0x000000013FA30000-memory.dmp

Filesize
1024KB

Download
memory/2480-3-0x000000013F930000-0x000000013FA30000-memory.dmp

Filesize
1024KB

Download
memory/2480-1-0x000000013F930000-0x000000013FA30000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing