41fee2ac0816763adeeea287e43c07a24d35af788e24a46afd81d6a9f7c6afdb

General

Target

a1ac900ec5e97852d7d4210a419f005e.exe
Size

2.0MB
MD5

a1ac900ec5e97852d7d4210a419f005e
SHA1

3a30fb4bb14cbe13ae8feca679952af098bdcd91
SHA256

41fee2ac0816763adeeea287e43c07a24d35af788e24a46afd81d6a9f7c6afdb
SHA512

d7687210be3a7b893b6ee96351e11eda619582658d61975bd8d2da6956d6e76f5a1d0c057ed6ad0b56675b1cdabf7b1ed9d4bb5b183032156d8d25bd97b6ef20
SSDEEP

49152:3c9TQ0g5M9mUTEV3iPnjb8DC6u9s/ZQQB4udeOJkwAb:MdQ0v9mU4SsDpu9CObOJhAb

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32 .exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32 .exe	cmd.exe

Loads dropped DLL 1 IoCs

Processes:

a1ac900ec5e97852d7d4210a419f005e.exe

pid process

1876 a1ac900ec5e97852d7d4210a419f005e.exe

pid	process
1876	a1ac900ec5e97852d7d4210a419f005e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a1ac900ec5e97852d7d4210a419f005e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe"	a1ac900ec5e97852d7d4210a419f005e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

a1ac900ec5e97852d7d4210a419f005e.exe

pid process

1876 a1ac900ec5e97852d7d4210a419f005e.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a1ac900ec5e97852d7d4210a419f005e.exe

description pid process

Token: SeDebugPrivilege 1876 a1ac900ec5e97852d7d4210a419f005e.exe

pid	process
1876	a1ac900ec5e97852d7d4210a419f005e.exe

description	pid	process
Token: SeDebugPrivilege	1876	a1ac900ec5e97852d7d4210a419f005e.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

a1ac900ec5e97852d7d4210a419f005e.execmd.exewscript.exe

description	pid	process	target process
PID 1876 wrote to memory of 2536	1876	a1ac900ec5e97852d7d4210a419f005e.exe	cmd.exe
PID 1876 wrote to memory of 2536	1876	a1ac900ec5e97852d7d4210a419f005e.exe	cmd.exe
PID 1876 wrote to memory of 2536	1876	a1ac900ec5e97852d7d4210a419f005e.exe	cmd.exe
PID 1876 wrote to memory of 2536	1876	a1ac900ec5e97852d7d4210a419f005e.exe	cmd.exe
PID 2536 wrote to memory of 2684	2536	cmd.exe	wscript.exe
PID 2536 wrote to memory of 2684	2536	cmd.exe	wscript.exe
PID 2536 wrote to memory of 2684	2536	cmd.exe	wscript.exe
PID 2536 wrote to memory of 2684	2536	cmd.exe	wscript.exe
PID 1876 wrote to memory of 2560	1876	a1ac900ec5e97852d7d4210a419f005e.exe	svhost.exe
PID 1876 wrote to memory of 2560	1876	a1ac900ec5e97852d7d4210a419f005e.exe	svhost.exe
PID 1876 wrote to memory of 2560	1876	a1ac900ec5e97852d7d4210a419f005e.exe	svhost.exe
PID 1876 wrote to memory of 2560	1876	a1ac900ec5e97852d7d4210a419f005e.exe	svhost.exe
PID 1876 wrote to memory of 2560	1876	a1ac900ec5e97852d7d4210a419f005e.exe	svhost.exe
PID 1876 wrote to memory of 2560	1876	a1ac900ec5e97852d7d4210a419f005e.exe	svhost.exe
PID 1876 wrote to memory of 2560	1876	a1ac900ec5e97852d7d4210a419f005e.exe	svhost.exe
PID 1876 wrote to memory of 2560	1876	a1ac900ec5e97852d7d4210a419f005e.exe	svhost.exe
PID 1876 wrote to memory of 2560	1876	a1ac900ec5e97852d7d4210a419f005e.exe	svhost.exe
PID 2684 wrote to memory of 2908	2684	wscript.exe	cmd.exe
PID 2684 wrote to memory of 2908	2684	wscript.exe	cmd.exe
PID 2684 wrote to memory of 2908	2684	wscript.exe	cmd.exe
PID 2684 wrote to memory of 2908	2684	wscript.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\a1ac900ec5e97852d7d4210a419f005e.exe
"C:\Users\Admin\AppData\Local\Temp\a1ac900ec5e97852d7d4210a419f005e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\caca.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\caca2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\caca2.bat" "
4⤵
- Drops startup file
PID:2908

C:\Windows\Temp\svhost.exe
C:\Windows\Temp\svhost.exe
2⤵
PID:2560

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\caca.bat
Filesize
47B

MD5
58ccb87aa1da4939df403810f1e68b6b

SHA1
dc8551f41682e5cb1dd25af3f11a789b1d37b295

SHA256
eccc9f27214ff49689c1f597c0d3d3a3e45391064fd0baa9b5e0e03931b7822b

SHA512
17ad698f496a445c5cbd0972df9fe966081a3cbee33fb7d7e003890ae946c65687b85b9b16990a872338d00d798b82dee06e86bd2d38b01ad292048134688fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\caca2.bat
Filesize
151B

MD5
ed28c618f7d8306e3736432b58bb5d27

SHA1
441e6dab70e31d9c599fcd9e2d32009038781b42

SHA256
d9aa03911260779b1f8a9b046a7ecf7aa87b0f13c762491fe8e06c482bac09a3

SHA512
4257d8839e881a9ab6de6230a9df1e81456cb796eb9ee2361789fa5fe4c81b297ed1c472f91d97bb0b2ebdb6acadb924617e6ffd32fc96d8ddcebf8fee4a7880

Download Submit
C:\Users\Admin\AppData\Local\Temp\invs.vbs
Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32 .exe
Filesize
1.1MB

MD5
cb55e0ed2748f58327eda61eeda28ec0

SHA1
6c093455cd16564c1d473fe613c2e97a622a1275

SHA256
1eac1de893e00983197d7667570851bea15604ab2ccb013cba1fcb169a0d606e

SHA512
3b8cfc1059307f6b608688a7cb744a5950f8e97ee0f5791530a084c0bfe8fcce5cb63ada56123fb126f36498ad9de5c0170bdea524ed4644446aeee4769f87a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32-.txt
Filesize
2.0MB

MD5
a1ac900ec5e97852d7d4210a419f005e

SHA1
3a30fb4bb14cbe13ae8feca679952af098bdcd91

SHA256
41fee2ac0816763adeeea287e43c07a24d35af788e24a46afd81d6a9f7c6afdb

SHA512
d7687210be3a7b893b6ee96351e11eda619582658d61975bd8d2da6956d6e76f5a1d0c057ed6ad0b56675b1cdabf7b1ed9d4bb5b183032156d8d25bd97b6ef20

Download Submit
\Windows\Temp\svhost.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/1876-0-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1876-2-0x0000000002060000-0x00000000020A0000-memory.dmp

Filesize
256KB

Download
memory/1876-1-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1876-40-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1876-41-0x0000000002060000-0x00000000020A0000-memory.dmp

Filesize
256KB

Download
memory/2560-22-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2560-25-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2560-26-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2560-28-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2560-32-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2560-30-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads