faa141f5de1cc065547026d4bcc77c14ce0a4a5640e801811d80591130384fd4

General

Target

28f9177e6247ca9f8282e2cffe962eff.exe
Size

305KB
MD5

28f9177e6247ca9f8282e2cffe962eff
SHA1

cf891821f24bd9a305b863b59e25f216c78ef1e9
SHA256

faa141f5de1cc065547026d4bcc77c14ce0a4a5640e801811d80591130384fd4
SHA512

d0e769d75f124af9dcd914e5c71b5e529769227df505a819e78bfd595699fccaa71e14bcfa7278d3263541a24dcc1c081cff5b23624652ab1900a06826be344b
SSDEEP

6144:3oO0SSvl2py/BdSC4aZp+zhPo4p6Cp/6VD6UcQON2diEyjZNmBhYWW:r0S8qmtNZ45o4tV6VD60OsirHmBhYWW

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2120	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2120	cmd.exe
2120	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2696	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3004	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2120	2548	28f9177e6247ca9f8282e2cffe962eff.exe	30
PID 2548 wrote to memory of 2120	2548	28f9177e6247ca9f8282e2cffe962eff.exe	30
PID 2548 wrote to memory of 2120	2548	28f9177e6247ca9f8282e2cffe962eff.exe	30
PID 2548 wrote to memory of 2120	2548	28f9177e6247ca9f8282e2cffe962eff.exe	30
PID 2120 wrote to memory of 2696	2120	cmd.exe	28
PID 2120 wrote to memory of 2696	2120	cmd.exe	28
PID 2120 wrote to memory of 2696	2120	cmd.exe	28
PID 2120 wrote to memory of 2696	2120	cmd.exe	28
PID 2120 wrote to memory of 3004	2120	cmd.exe	32
PID 2120 wrote to memory of 3004	2120	cmd.exe	32
PID 2120 wrote to memory of 3004	2120	cmd.exe	32
PID 2120 wrote to memory of 3004	2120	cmd.exe	32
PID 2120 wrote to memory of 2336	2120	cmd.exe	33
PID 2120 wrote to memory of 2336	2120	cmd.exe	33
PID 2120 wrote to memory of 2336	2120	cmd.exe	33
PID 2120 wrote to memory of 2336	2120	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\28f9177e6247ca9f8282e2cffe962eff.exe
"C:\Users\Admin\AppData\Local\Temp\28f9177e6247ca9f8282e2cffe962eff.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2548 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\28f9177e6247ca9f8282e2cffe962eff.exe" & start C:\Users\Admin\AppData\Local\arvvcahl.exe -f
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:3004
- - C:\Users\Admin\AppData\Local\arvvcahl.exe
    C:\Users\Admin\AppData\Local\arvvcahl.exe -f
    3⤵
    PID:2336

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /pid 2548
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\arvvcahl.exe

Filesize
38KB

MD5
d42544d5bba322f505d9903c7e8a84b2

SHA1
db164e7728d324ea957032a8d0fe229ea9888008

SHA256
623a8dd3982e395518d213d22c66ca44b5f07f2dd279380aca512f533bd64241

SHA512
ed6a565ecf37b446a5d56a9c0ad69ae86bddf2389bce0144c442ff62df7e03a427af5f7ddca8ddf609f07990804bf727784cf5f45fbec4535bf3fbc62ecbe3c8

Download Submit
\Users\Admin\AppData\Local\arvvcahl.exe

Filesize
32KB

MD5
9961382cb851595546a6f61b62d354fd

SHA1
36a06632e73308d75d71c121eda49b7a9e4dd186

SHA256
693ee337fb72097535859f90100aba73438f2af4fd2ea144eb8164ff597bf7c9

SHA512
7a07c341442c37295ee1cbfd55de15c2e1aef62e3c7b0b8c687bd2470ca1b73a13b17932399603de1e662590acf42e57a3c6b5dd17b6ad9c18a634391aa72bdf

Download Submit
\Users\Admin\AppData\Local\arvvcahl.exe

Filesize
26KB

MD5
becee922dce6ba79602173f11cb9e605

SHA1
c5ef67e34603d7f4a2665b76c08c4b2fb5bf1470

SHA256
0db8d17b3ada050d957f4816a1ee7f8faab4f65d518bf0f8b0b9101d69ab5e01

SHA512
97d7796297c8f947f54940e1e275134fe69f49d1aa0a9b75c0a5db4a89899dd375c2fff2cc5443fcd25923405843dcf57bb5b3fdc4595e9ad64b187f731452f2

Download Submit
\Users\Admin\AppData\Local\arvvcahl.exe

Filesize
45KB

MD5
6032b130c3be1e4de892b8949a485e3c

SHA1
94b1457239eebc0aa9a99b8e8363d935c326d855

SHA256
472c44fcb735d0158023e2a7392846f5528b6a4378148c24510587c76d22c18e

SHA512
9ca9abd7b43ffdcb2c86258a1f380557b3e88f17b30a1664992742d1b37660e28af5ca2b5e7673afaca4b6ef3a37a429ca08b2d673935bd8e23942e2715e3e4e

Download Submit
memory/2336-13-0x0000000001000000-0x00000000010AA000-memory.dmp

Filesize
680KB

Download
memory/2336-20-0x0000000001000000-0x00000000010AA000-memory.dmp

Filesize
680KB

Download
memory/2336-10-0x00000000002C0000-0x00000000002C2000-memory.dmp

Filesize
8KB

Download
memory/2336-25-0x0000000001000000-0x00000000010AA000-memory.dmp

Filesize
680KB

Download
memory/2336-24-0x0000000001000000-0x00000000010AA000-memory.dmp

Filesize
680KB

Download
memory/2336-23-0x0000000001000000-0x00000000010AA000-memory.dmp

Filesize
680KB

Download
memory/2336-12-0x0000000001000000-0x00000000010AA000-memory.dmp

Filesize
680KB

Download
memory/2336-22-0x0000000001000000-0x00000000010AA000-memory.dmp

Filesize
680KB

Download
memory/2336-15-0x00000000002C0000-0x00000000002C2000-memory.dmp

Filesize
8KB

Download
memory/2336-14-0x0000000001000000-0x00000000010AA000-memory.dmp

Filesize
680KB

Download
memory/2336-16-0x0000000001000000-0x00000000010AA000-memory.dmp

Filesize
680KB

Download
memory/2336-18-0x0000000001000000-0x00000000010AA000-memory.dmp

Filesize
680KB

Download
memory/2336-19-0x0000000001000000-0x00000000010AA000-memory.dmp

Filesize
680KB

Download
memory/2336-9-0x0000000001000000-0x00000000010AA000-memory.dmp

Filesize
680KB

Download
memory/2336-21-0x0000000001000000-0x00000000010AA000-memory.dmp

Filesize
680KB

Download
memory/2548-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2548-1-0x0000000001000000-0x00000000010AA000-memory.dmp

Filesize
680KB

Download
memory/2548-2-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/2548-4-0x0000000001000000-0x00000000010AA000-memory.dmp

Filesize
680KB

Download

Analysis

Sharing