82ac93d2030fe23a014c9126668dfb4fb8c4ac6c5bc7a9384374ed2c8b2b342e

General

Target

379fb1a0ae56554e5619e287eff61635.exe
Size

3.1MB
MD5

379fb1a0ae56554e5619e287eff61635
SHA1

967312955e9b84093aab815f76c9734058a539a2
SHA256

82ac93d2030fe23a014c9126668dfb4fb8c4ac6c5bc7a9384374ed2c8b2b342e
SHA512

97fa14dbaeb56f02ce2a61ee34d62857d2a541ac200ce94bcad2446a26a85fda83141fa967e5f1de6923a0e17c38445a339db379fafc746bcab70c07f1a494a5
SSDEEP

98304:wdNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf8h:wdNB4ianUstYuUR2CSHsVP8h

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

test.exeFile.exe

pid process

2812 test.exe
2740 File.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exetest.exe

pid process

2628 cmd.exe
2812 test.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

test.exeFile.exe

pid process

2812 test.exe
2740 File.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

test.exeFile.exe

description pid process

Token: SeDebugPrivilege 2812 test.exe
Token: SeDebugPrivilege 2740 File.exe

pid	process
2812	test.exe
2740	File.exe

pid	process
2628	cmd.exe
2812	test.exe

pid	process
2812	test.exe
2740	File.exe

description	pid	process
Token: SeDebugPrivilege	2812	test.exe
Token: SeDebugPrivilege	2740	File.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

379fb1a0ae56554e5619e287eff61635.execmd.exetest.exe

description	pid	process	target process
PID 1848 wrote to memory of 2628	1848	379fb1a0ae56554e5619e287eff61635.exe	cmd.exe
PID 1848 wrote to memory of 2628	1848	379fb1a0ae56554e5619e287eff61635.exe	cmd.exe
PID 1848 wrote to memory of 2628	1848	379fb1a0ae56554e5619e287eff61635.exe	cmd.exe
PID 1848 wrote to memory of 2628	1848	379fb1a0ae56554e5619e287eff61635.exe	cmd.exe
PID 2628 wrote to memory of 2812	2628	cmd.exe	test.exe
PID 2628 wrote to memory of 2812	2628	cmd.exe	test.exe
PID 2628 wrote to memory of 2812	2628	cmd.exe	test.exe
PID 2628 wrote to memory of 2812	2628	cmd.exe	test.exe
PID 2628 wrote to memory of 2812	2628	cmd.exe	test.exe
PID 2628 wrote to memory of 2812	2628	cmd.exe	test.exe
PID 2628 wrote to memory of 2812	2628	cmd.exe	test.exe
PID 2812 wrote to memory of 2740	2812	test.exe	File.exe
PID 2812 wrote to memory of 2740	2812	test.exe	File.exe
PID 2812 wrote to memory of 2740	2812	test.exe	File.exe
PID 2812 wrote to memory of 2740	2812	test.exe	File.exe
PID 2812 wrote to memory of 2740	2812	test.exe	File.exe
PID 2812 wrote to memory of 2740	2812	test.exe	File.exe
PID 2812 wrote to memory of 2740	2812	test.exe	File.exe

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
  2⤵
  PID:1548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
  2⤵
  PID:1020
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
  2⤵
  PID:1552
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  PID:2548
- C:\Users\Admin\AppData\Roaming\tmp.exe
  "C:\Users\Admin\AppData\Roaming\tmp.exe"
  2⤵
  PID:2252

C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
  2⤵
  PID:1600
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
  2⤵
  PID:2616
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
  2⤵
  PID:1264
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c test.exe
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628

C:\Users\Admin\AppData\Local\Temp\379fb1a0ae56554e5619e287eff61635.exe
"C:\Users\Admin\AppData\Local\Temp\379fb1a0ae56554e5619e287eff61635.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1848-80-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/1848-76-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/1848-1-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/2252-75-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2548-46-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2548-48-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2548-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2548-53-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2548-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2548-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2548-63-0x0000000000401000-0x000000000041B000-memory.dmp

Filesize
104KB

Download
memory/2548-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2552-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-58-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-40-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2552-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-19-0x00000000002A0000-0x00000000002C4000-memory.dmp

Filesize
144KB

Download
memory/2740-17-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-18-0x0000000004820000-0x0000000004860000-memory.dmp

Filesize
256KB

Download
memory/2740-81-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-16-0x00000000003E0000-0x000000000043C000-memory.dmp

Filesize
368KB

Download
memory/2812-8-0x0000000002250000-0x00000000022D6000-memory.dmp

Filesize
536KB

Download
memory/2812-7-0x00000000022F0000-0x0000000002330000-memory.dmp

Filesize
256KB

Download
memory/2812-6-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2812-77-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2812-78-0x00000000022F0000-0x0000000002330000-memory.dmp

Filesize
256KB

Download
memory/2812-5-0x0000000000D60000-0x0000000000E4E000-memory.dmp

Filesize
952KB

Download
memory/2812-79-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing