f0f4aecb098f92a033355c2058300583967a7fbf00c81ce2f3ba250b8ae3e277

General

Target

37ef0d25d599bc8314e904d3b7d0ad26.exe
Size

510KB
MD5

37ef0d25d599bc8314e904d3b7d0ad26
SHA1

6c8fd89cb1082c5d2688a5eff9279558d558ab52
SHA256

f0f4aecb098f92a033355c2058300583967a7fbf00c81ce2f3ba250b8ae3e277
SHA512

15362d1c2f02f9bd923d4d91447d46de33f4b5ed0574c1524afd754ecf3b0917e259de4cc008df519e56aed2a2c4c1635ab1c8ed45f23bcfa37905cfe73df481
SSDEEP

12288:Xwq0XK1hApxvbKH+jSgTY9MRIHACrADR7+U1+owChKh6V:H71hAjKH+jSSYSRIHdW

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
828	37ef0d25d599bc8314e904d3b7d0ad26.exe
828	37ef0d25d599bc8314e904d3b7d0ad26.exe
828	37ef0d25d599bc8314e904d3b7d0ad26.exe
828	37ef0d25d599bc8314e904d3b7d0ad26.exe
828	37ef0d25d599bc8314e904d3b7d0ad26.exe
828	37ef0d25d599bc8314e904d3b7d0ad26.exe
828	37ef0d25d599bc8314e904d3b7d0ad26.exe
828	37ef0d25d599bc8314e904d3b7d0ad26.exe
828	37ef0d25d599bc8314e904d3b7d0ad26.exe
828	37ef0d25d599bc8314e904d3b7d0ad26.exe
2988	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	828	37ef0d25d599bc8314e904d3b7d0ad26.exe
Token: SeDebugPrivilege	2988	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 2988	828	37ef0d25d599bc8314e904d3b7d0ad26.exe	30
PID 828 wrote to memory of 2988	828	37ef0d25d599bc8314e904d3b7d0ad26.exe	30
PID 828 wrote to memory of 2988	828	37ef0d25d599bc8314e904d3b7d0ad26.exe	30
PID 828 wrote to memory of 2988	828	37ef0d25d599bc8314e904d3b7d0ad26.exe	30
PID 828 wrote to memory of 2344	828	37ef0d25d599bc8314e904d3b7d0ad26.exe	32
PID 828 wrote to memory of 2344	828	37ef0d25d599bc8314e904d3b7d0ad26.exe	32
PID 828 wrote to memory of 2344	828	37ef0d25d599bc8314e904d3b7d0ad26.exe	32
PID 828 wrote to memory of 2344	828	37ef0d25d599bc8314e904d3b7d0ad26.exe	32
PID 828 wrote to memory of 2724	828	37ef0d25d599bc8314e904d3b7d0ad26.exe	33
PID 828 wrote to memory of 2724	828	37ef0d25d599bc8314e904d3b7d0ad26.exe	33
PID 828 wrote to memory of 2724	828	37ef0d25d599bc8314e904d3b7d0ad26.exe	33
PID 828 wrote to memory of 2724	828	37ef0d25d599bc8314e904d3b7d0ad26.exe	33
PID 828 wrote to memory of 2180	828	37ef0d25d599bc8314e904d3b7d0ad26.exe	34
PID 828 wrote to memory of 2180	828	37ef0d25d599bc8314e904d3b7d0ad26.exe	34
PID 828 wrote to memory of 2180	828	37ef0d25d599bc8314e904d3b7d0ad26.exe	34
PID 828 wrote to memory of 2180	828	37ef0d25d599bc8314e904d3b7d0ad26.exe	34
PID 828 wrote to memory of 3004	828	37ef0d25d599bc8314e904d3b7d0ad26.exe	35
PID 828 wrote to memory of 3004	828	37ef0d25d599bc8314e904d3b7d0ad26.exe	35
PID 828 wrote to memory of 3004	828	37ef0d25d599bc8314e904d3b7d0ad26.exe	35
PID 828 wrote to memory of 3004	828	37ef0d25d599bc8314e904d3b7d0ad26.exe	35
PID 828 wrote to memory of 2532	828	37ef0d25d599bc8314e904d3b7d0ad26.exe	36
PID 828 wrote to memory of 2532	828	37ef0d25d599bc8314e904d3b7d0ad26.exe	36
PID 828 wrote to memory of 2532	828	37ef0d25d599bc8314e904d3b7d0ad26.exe	36
PID 828 wrote to memory of 2532	828	37ef0d25d599bc8314e904d3b7d0ad26.exe	36

C:\Users\Admin\AppData\Local\Temp\37ef0d25d599bc8314e904d3b7d0ad26.exe
"C:\Users\Admin\AppData\Local\Temp\37ef0d25d599bc8314e904d3b7d0ad26.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\37ef0d25d599bc8314e904d3b7d0ad26.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Users\Admin\AppData\Local\Temp\37ef0d25d599bc8314e904d3b7d0ad26.exe
  "C:\Users\Admin\AppData\Local\Temp\37ef0d25d599bc8314e904d3b7d0ad26.exe"
  2⤵
  PID:2344
- C:\Users\Admin\AppData\Local\Temp\37ef0d25d599bc8314e904d3b7d0ad26.exe
  "C:\Users\Admin\AppData\Local\Temp\37ef0d25d599bc8314e904d3b7d0ad26.exe"
  2⤵
  PID:2724
- C:\Users\Admin\AppData\Local\Temp\37ef0d25d599bc8314e904d3b7d0ad26.exe
  "C:\Users\Admin\AppData\Local\Temp\37ef0d25d599bc8314e904d3b7d0ad26.exe"
  2⤵
  PID:2180
- C:\Users\Admin\AppData\Local\Temp\37ef0d25d599bc8314e904d3b7d0ad26.exe
  "C:\Users\Admin\AppData\Local\Temp\37ef0d25d599bc8314e904d3b7d0ad26.exe"
  2⤵
  PID:3004
- C:\Users\Admin\AppData\Local\Temp\37ef0d25d599bc8314e904d3b7d0ad26.exe
  "C:\Users\Admin\AppData\Local\Temp\37ef0d25d599bc8314e904d3b7d0ad26.exe"
  2⤵
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/828-1-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/828-0-0x00000000003D0000-0x0000000000456000-memory.dmp

Filesize
536KB

Download
memory/828-2-0x0000000007250000-0x0000000007290000-memory.dmp

Filesize
256KB

Download
memory/828-3-0x00000000004B0000-0x00000000004CC000-memory.dmp

Filesize
112KB

Download
memory/828-4-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/828-5-0x0000000007250000-0x0000000007290000-memory.dmp

Filesize
256KB

Download
memory/828-6-0x0000000007A60000-0x0000000007ACC000-memory.dmp

Filesize
432KB

Download
memory/828-7-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/828-8-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/2988-11-0x0000000073600000-0x0000000073BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2988-12-0x0000000073600000-0x0000000073BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2988-14-0x0000000002690000-0x00000000026D0000-memory.dmp

Filesize
256KB

Download
memory/2988-13-0x0000000002690000-0x00000000026D0000-memory.dmp

Filesize
256KB

Download
memory/2988-15-0x0000000073600000-0x0000000073BAB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing