16a6c07ee461bec6e73d47649e16256626319a3ac945f3425b483c449d8040e9

General

Target

2a5fd072c8bba2f8eb11b4a16ecbe621.exe
Size

244KB
MD5

2a5fd072c8bba2f8eb11b4a16ecbe621
SHA1

38467581999d0bd029f4c44b488c79d03a02f49b
SHA256

16a6c07ee461bec6e73d47649e16256626319a3ac945f3425b483c449d8040e9
SHA512

906f422fd8aa062be323c9440bd0403c36239ef6bef1fd711a1135ebb65d19de5f6f0f975bd8b5b36eb2e563db8c09246c4d22e1b8cb114d0486506519244053
SSDEEP

3072:BQIURTXJh6TxB9u/83vCRitN/XH0ikHd7ExC9l2+6gvLQ1an+IRrdtqs7dNFlK//:Bs2B9yKU+X0Td+c3XRRqENFl2GQsxxRW

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1508	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2940	revealingdc.exe

Loads dropped DLL 10 IoCs

pid	Process
1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe
1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe
1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe
1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe
1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe
1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe
1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe
2940	revealingdc.exe
2940	revealingdc.exe
2940	revealingdc.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\revealing\revealingdc.exe	2a5fd072c8bba2f8eb11b4a16ecbe621.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe
1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe
1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe
1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2940	revealingdc.exe
Token: SeBackupPrivilege	2940	revealingdc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2940	revealingdc.exe
2940	revealingdc.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2940	1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe	31
PID 1876 wrote to memory of 2940	1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe	31
PID 1876 wrote to memory of 2940	1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe	31
PID 1876 wrote to memory of 2940	1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe	31
PID 1876 wrote to memory of 2940	1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe	31
PID 1876 wrote to memory of 2940	1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe	31
PID 1876 wrote to memory of 2940	1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe	31
PID 1876 wrote to memory of 1508	1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe	33
PID 1876 wrote to memory of 1508	1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe	33
PID 1876 wrote to memory of 1508	1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe	33
PID 1876 wrote to memory of 1508	1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe	33
PID 1876 wrote to memory of 1508	1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe	33
PID 1876 wrote to memory of 1508	1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe	33
PID 1876 wrote to memory of 1508	1876	2a5fd072c8bba2f8eb11b4a16ecbe621.exe	33

C:\Users\Admin\AppData\Local\Temp\2a5fd072c8bba2f8eb11b4a16ecbe621.exe
"C:\Users\Admin\AppData\Local\Temp\2a5fd072c8bba2f8eb11b4a16ecbe621.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Program Files (x86)\revealing\revealingdc.exe
  "C:\Program Files (x86)\revealing\revealingdc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c \DelUS.bat
  2⤵
  - Deletes itself
  PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
200B

MD5
0032bf8aae18a9bfe931d5eec0d354d2

SHA1
bc7974bcc474b8cc784c257d643bba4c6c5b1edc

SHA256
81169f4491d52167425023b933930b870ab58bb30a28f50581232f371ff827a6

SHA512
5906f6dd122d02183c70e56058d9c7222ae4d29e52d1d6cb0f3adf387973f6074aec82d136761d9b9ca57597230b3464a60f0d66b5b916a32de264a138ed00d6

Download Submit
\Program Files (x86)\revealing\revealingdc.exe

Filesize
656KB

MD5
cbba3e4c0e9c65cef439a140ce92a2c2

SHA1
547bcc0709777ff3b16da38b5cf4a80ebdb0cdf4

SHA256
049b5bfe0f62d43f1baec46ef1b0ab078a886aa3f204bbbc3bba34e262086f4a

SHA512
2f621eb8ec09f1d1a5d44dc24411ce4e3f8f4ef6ac23376fe33954e398d286534e5aa09da2fc490e40e9bc95c5d6873a7cbac1a1a6f26c4a534d93ae6c67e179

Download Submit
\Users\Admin\AppData\Local\Temp\nse782.tmp\DLLWebCount.dll

Filesize
28KB

MD5
3d320f250297fe1dd1ddc350fa154b3b

SHA1
9236e354d2fe2b9f25a36f1ba686f1f2785e0b26

SHA256
f1ed5586759eaa6e5edf92bc589b0812620a3d48db3724c833b1fd9ea6c837bb

SHA512
8e259f6025080180fedcf13b1493910c20242d02c1776a84a79c8ff1aba00ca64873b251578000867bbcd129c46503470e364817afa267bb631e0d47ef31366a

Download Submit
\Users\Admin\AppData\Local\Temp\nse782.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nse782.tmp\SelfDelete.dll

Filesize
24KB

MD5
ddc0d6806073a5b034104c88288ca762

SHA1
9663cc10c496f05d6167e19c3920245040e5e431

SHA256
2f4767da9dc7e720d910d32d451674cd08b7892ca753ec5c10b11fe85e12f06b

SHA512
545ca797a397cfcbd9b5d3bd2da2e3219ba7a294e541831655c5763a7f17480fd0b990d0c2e58ba8c71f81d85472b2da6d079b8211b44c40c8c36d21168ec054

Download Submit

Analysis

Sharing