110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d

General

Target

110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe
Size

1.8MB
MD5

a69c199a4f17c1dfd96b64ff2e3651d1
SHA1

3a441d70c00a5535b8ce8cee93dea0d71536c1a5
SHA256

110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d
SHA512

f629c6172172c0fca384a8308d250ad315ddffcdcb1c595b6029aa7c960780177dedb2c1a01895a64d2332a9c1dab1c760a6097fd3387c25624aeae2232e18ec
SSDEEP

49152:Zi39+084E6W4W8+m/ob49aXZmMA88DOKmX:Y+HVb4W8bG49unDfTX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1964	sg.tmp
2632	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe
2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe
2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe
2632	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeBackupPrivilege	2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe
Token: SeRestorePrivilege	2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe
Token: 33	2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe
Token: SeIncBasePriorityPrivilege	2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe
Token: SeCreateGlobalPrivilege	2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe
Token: 33	2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe
Token: SeIncBasePriorityPrivilege	2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe
Token: 33	2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe
Token: SeIncBasePriorityPrivilege	2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe
Token: SeRestorePrivilege	1964	sg.tmp
Token: 35	1964	sg.tmp
Token: SeSecurityPrivilege	1964	sg.tmp
Token: SeSecurityPrivilege	1964	sg.tmp
Token: 33	2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe
Token: SeIncBasePriorityPrivilege	2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe
Token: SeDebugPrivilege	2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 852	2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe	28
PID 2308 wrote to memory of 852	2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe	28
PID 2308 wrote to memory of 852	2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe	28
PID 2308 wrote to memory of 852	2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe	28
PID 2308 wrote to memory of 1964	2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe	30
PID 2308 wrote to memory of 1964	2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe	30
PID 2308 wrote to memory of 1964	2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe	30
PID 2308 wrote to memory of 1964	2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe	30
PID 2308 wrote to memory of 2632	2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe	32
PID 2308 wrote to memory of 2632	2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe	32
PID 2308 wrote to memory of 2632	2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe	32
PID 2308 wrote to memory of 2632	2308	110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe	32

C:\Users\Admin\AppData\Local\Temp\110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe
"C:\Users\Admin\AppData\Local\Temp\110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\system32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:852
- C:\Users\Admin\AppData\Local\Temp\~7443456966716773161~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\110ac3af0ae9210dccc86e7b9bd14d7274b80c18630e9b0b4b2c1469ba2ddb1d.exe" -y -aos -o"C:\Users\Admin\AppData\Local\Temp\~5757588230734611182"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Users\Admin\AppData\Local\Temp\~5757588230734611182\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\~5757588230734611182\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~5757588230734611182\msedge_elf.dll

Filesize
26KB

MD5
457f1e9754479c07bfa7925fd743bdfa

SHA1
d2c99cca4749da75f5b3dd624943e425205f3828

SHA256
2fa643f7c1a47a1c9423d4602e32bed58aa7adf1a40ee112e0ce8c7767f438c2

SHA512
11b781260b8a76624663053723789c346e97248e5bc0db1a425a73ee5384ec6e78b25d8e95a28c4b2fd48e6b4ae06872e07fd8a47c2dd80224e606504ac65ab9

Download Submit
\Users\Admin\AppData\Local\Temp\~5757588230734611182\svchost.exe

Filesize
833KB

MD5
9a25c9f4ae1ae0206d0ac670fc26bfb0

SHA1
ab9e4e3c92a722d0ccec78a5843d99b29d5a65e5

SHA256
7e78f5183d1539b90445356a7069b0f610d9b8c69c2be228e5952fe807d1791b

SHA512
ed7c65b387f8a3aeb06a3e06ed6444a928bdaff816391220a633dbbc18b6d8db65e86889ed1ba9e48d8e88dbb3cae4867a7c3a1ff12f473f36f03639a5b711d1

Download Submit
\Users\Admin\AppData\Local\Temp\~7443456966716773161~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
memory/2308-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing