106fdee9fdea0d037a3e40698a66bbae8895451adfbe717f9e9303b2c7148128

General

Target

106fdee9fdea0d037a3e40698a66bbae8895451adfbe717f9e9303b2c7148128.exe
Size

331KB
MD5

a3abf2faefda712ec94d9b8f47996247
SHA1

6a916f426b080cc49ad15d4cc4b061e456291cf0
SHA256

106fdee9fdea0d037a3e40698a66bbae8895451adfbe717f9e9303b2c7148128
SHA512

5aa480b30903f69d4eca7fc06743a5f1aee06d210cb3839829baa7f47e2fe5edb3a2e8e1aa5cad3eb2da4d8dfd299d6335472ab8260546fbb3cad62c383f5d63
SSDEEP

6144:vfL+oqWgmCMAXubUxFEGSIY1QDgRgYJ4AQwgiMZ8utaW8ArgIRI:vfLoMNwxFSIY1p+vziEaWJk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2952	cvtres.exe

Loads dropped DLL 1 IoCs

pid	Process
2352	106fdee9fdea0d037a3e40698a66bbae8895451adfbe717f9e9303b2c7148128.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2836	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2952	2352	106fdee9fdea0d037a3e40698a66bbae8895451adfbe717f9e9303b2c7148128.exe	28
PID 2352 wrote to memory of 2952	2352	106fdee9fdea0d037a3e40698a66bbae8895451adfbe717f9e9303b2c7148128.exe	28
PID 2352 wrote to memory of 2952	2352	106fdee9fdea0d037a3e40698a66bbae8895451adfbe717f9e9303b2c7148128.exe	28
PID 2352 wrote to memory of 2952	2352	106fdee9fdea0d037a3e40698a66bbae8895451adfbe717f9e9303b2c7148128.exe	28
PID 2952 wrote to memory of 2836	2952	cvtres.exe	29
PID 2952 wrote to memory of 2836	2952	cvtres.exe	29
PID 2952 wrote to memory of 2836	2952	cvtres.exe	29
PID 2952 wrote to memory of 2836	2952	cvtres.exe	29

C:\Users\Admin\AppData\Local\Temp\106fdee9fdea0d037a3e40698a66bbae8895451adfbe717f9e9303b2c7148128.exe
"C:\Users\Admin\AppData\Local\Temp\106fdee9fdea0d037a3e40698a66bbae8895451adfbe717f9e9303b2c7148128.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\cvtres.exe
  C:\Users\Admin\cvtres.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\temp_.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\temp.bat

Filesize
320KB

MD5
e617b4f4e3cfd84985341b65f093a1aa

SHA1
6c0d37989a3d2e839182b80d0f494111c9e6bcbc

SHA256
bdf92f74d05893ee9b3d80b8b471d08347bc8e6883bfd3ee7fa318ebd6acdc9e

SHA512
b591812d496969381d0f34b5ae1b8d443e8c30d531f5274fcd1517f37d6b0eca5c980bd111a001b9a9a876f91625bd6818fa5aec84a1adbf8c7a02eea3b0e22a

Download Submit
C:\Users\Admin\temp.ps1

Filesize
1KB

MD5
5e817bbd9ef2f8821aa0283b20a51923

SHA1
102ca518d89653fb400636e660fa3fc276235c5c

SHA256
27f2822ca2be992ebb6e1000aa3a2c39e9b4ff7e257cb45eadda8776d65018a7

SHA512
f21388e0655e6733abc70ff9fe2bbfdca00d81d2e7a09236d679293df34a966990f689f2d62119cdd877c7aeda35ab0c2b3c66108bc6b721e5dea34a93342d2e

Download Submit
C:\Users\Admin\temp_.bat

Filesize
320KB

MD5
a4e4c5d3f21a4c936490f0f7bf40a07a

SHA1
85aabd06694ccbbe55dc78ea13dc1f2519f92d7d

SHA256
e915154bb88330e5b52fa7e6280a10dbddb430a24b1c531c8aaa43ecf1ae6042

SHA512
a5bbd0f47228878d45b9738920d226ce25e089afe20bfabdfa630e8b0ddcb811aafae2aa490efa26c47f45478ef2b252f889651a41250380e31856269612dfc5

Download Submit
C:\Users\Admin\temp_.ps1

Filesize
1KB

MD5
5a0a8376c0e45cc25d4050920cee3dcc

SHA1
2de4ddf90f3165b245bd9f77c145c8f770c98b85

SHA256
86af1b7845145745ccaf65bf0dbeb1a981701ad0c6793c2dc93c0c2f2aef8d25

SHA512
f5afd39336d6b9f0590d68a716e8c3b403c13b98aae34d76f43e34698d2c6485e3dbce7a6439623362effec50ab0b2696b1ed25e377ba4dae75047ef419f51c0

Download Submit
\Users\Admin\cvtres.exe

Filesize
6KB

MD5
74b9f58725963a11be59108efb2a9620

SHA1
87459af592cac5ca9ebf817e544f3db6f84f1fd2

SHA256
b93e104615376c3658caa5bf386ae9c38b287754a5c22bd8aa1c292ff9c8827c

SHA512
4f29a504479cb25ab53c688de77edf2c4dd2105895f323346fdf369e42b816f76b08c5d93b93966467f219ed0b89580ee227e00d552f374aaf8ec3c594098b85

Download Submit
memory/2836-16-0x0000000071C10000-0x00000000721BB000-memory.dmp

Filesize
5.7MB

Download
memory/2836-19-0x00000000028E0000-0x0000000002920000-memory.dmp

Filesize
256KB

Download
memory/2836-18-0x00000000028E0000-0x0000000002920000-memory.dmp

Filesize
256KB

Download
memory/2836-17-0x0000000071C10000-0x00000000721BB000-memory.dmp

Filesize
5.7MB

Download
memory/2836-23-0x0000000071C10000-0x00000000721BB000-memory.dmp

Filesize
5.7MB

Download
memory/2836-24-0x00000000028E0000-0x0000000002920000-memory.dmp

Filesize
256KB

Download
memory/2836-25-0x00000000028E0000-0x0000000002920000-memory.dmp

Filesize
256KB

Download
memory/2952-9-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-8-0x0000000000B20000-0x0000000000B28000-memory.dmp

Filesize
32KB

Download
memory/2952-22-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing