0b253fe8a257daf152d4c6124a21cca1034003c6ae5f45542d9a7d89c3c9c4a2

General

Target

0b253fe8a257daf152d4c6124a21cca1034003c6ae5f45542d9a7d89c3c9c4a2.exe
Size

794KB
MD5

9ffe4f02cb568480e9475847474a647d
SHA1

0a33b07b7af98f4e549a3b5d63b5efb196ffdefc
SHA256

0b253fe8a257daf152d4c6124a21cca1034003c6ae5f45542d9a7d89c3c9c4a2
SHA512

1fc0fcd5fb86ba4317a547f1a657cd35d6ae25a5adcc9ab732903c3fed10dced58440934037b8b677c27e0c68bbbe803a2347e4e4ead7545567779446bcab607
SSDEEP

24576:UNY13P0Y0uBpDLms0DFd8UWuQHl/vhwAL77:VBIuBBas0DYUFqjwAb

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2308 set thread context of 3028	2308	0b253fe8a257daf152d4c6124a21cca1034003c6ae5f45542d9a7d89c3c9c4a2.exe	30
PID 3028 set thread context of 1196	3028	RegSvcs.exe	21
PID 3028 set thread context of 2696	3028	RegSvcs.exe	31
PID 2696 set thread context of 1196	2696	newdev.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2308	0b253fe8a257daf152d4c6124a21cca1034003c6ae5f45542d9a7d89c3c9c4a2.exe
2308	0b253fe8a257daf152d4c6124a21cca1034003c6ae5f45542d9a7d89c3c9c4a2.exe
3028	RegSvcs.exe
3028	RegSvcs.exe
3028	RegSvcs.exe
2884	powershell.exe
3028	RegSvcs.exe
3028	RegSvcs.exe
3028	RegSvcs.exe
3028	RegSvcs.exe
3028	RegSvcs.exe
2696	newdev.exe
2696	newdev.exe
2696	newdev.exe
2696	newdev.exe
2696	newdev.exe
2696	newdev.exe
2696	newdev.exe
2696	newdev.exe
2696	newdev.exe
2696	newdev.exe
2696	newdev.exe
2696	newdev.exe
2696	newdev.exe
2696	newdev.exe
2696	newdev.exe
2696	newdev.exe
2696	newdev.exe
2696	newdev.exe
2696	newdev.exe
2696	newdev.exe
2696	newdev.exe
2696	newdev.exe
2696	newdev.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3028	RegSvcs.exe
1196	Explorer.EXE
1196	Explorer.EXE
2696	newdev.exe
2696	newdev.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	0b253fe8a257daf152d4c6124a21cca1034003c6ae5f45542d9a7d89c3c9c4a2.exe
Token: SeDebugPrivilege	2884	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2884	2308	0b253fe8a257daf152d4c6124a21cca1034003c6ae5f45542d9a7d89c3c9c4a2.exe	28
PID 2308 wrote to memory of 2884	2308	0b253fe8a257daf152d4c6124a21cca1034003c6ae5f45542d9a7d89c3c9c4a2.exe	28
PID 2308 wrote to memory of 2884	2308	0b253fe8a257daf152d4c6124a21cca1034003c6ae5f45542d9a7d89c3c9c4a2.exe	28
PID 2308 wrote to memory of 2884	2308	0b253fe8a257daf152d4c6124a21cca1034003c6ae5f45542d9a7d89c3c9c4a2.exe	28
PID 2308 wrote to memory of 3028	2308	0b253fe8a257daf152d4c6124a21cca1034003c6ae5f45542d9a7d89c3c9c4a2.exe	30
PID 2308 wrote to memory of 3028	2308	0b253fe8a257daf152d4c6124a21cca1034003c6ae5f45542d9a7d89c3c9c4a2.exe	30
PID 2308 wrote to memory of 3028	2308	0b253fe8a257daf152d4c6124a21cca1034003c6ae5f45542d9a7d89c3c9c4a2.exe	30
PID 2308 wrote to memory of 3028	2308	0b253fe8a257daf152d4c6124a21cca1034003c6ae5f45542d9a7d89c3c9c4a2.exe	30
PID 2308 wrote to memory of 3028	2308	0b253fe8a257daf152d4c6124a21cca1034003c6ae5f45542d9a7d89c3c9c4a2.exe	30
PID 2308 wrote to memory of 3028	2308	0b253fe8a257daf152d4c6124a21cca1034003c6ae5f45542d9a7d89c3c9c4a2.exe	30
PID 2308 wrote to memory of 3028	2308	0b253fe8a257daf152d4c6124a21cca1034003c6ae5f45542d9a7d89c3c9c4a2.exe	30
PID 2308 wrote to memory of 3028	2308	0b253fe8a257daf152d4c6124a21cca1034003c6ae5f45542d9a7d89c3c9c4a2.exe	30
PID 2308 wrote to memory of 3028	2308	0b253fe8a257daf152d4c6124a21cca1034003c6ae5f45542d9a7d89c3c9c4a2.exe	30
PID 2308 wrote to memory of 3028	2308	0b253fe8a257daf152d4c6124a21cca1034003c6ae5f45542d9a7d89c3c9c4a2.exe	30
PID 1196 wrote to memory of 2696	1196	Explorer.EXE	31
PID 1196 wrote to memory of 2696	1196	Explorer.EXE	31
PID 1196 wrote to memory of 2696	1196	Explorer.EXE	31
PID 1196 wrote to memory of 2696	1196	Explorer.EXE	31
PID 1196 wrote to memory of 2696	1196	Explorer.EXE	31
PID 1196 wrote to memory of 2696	1196	Explorer.EXE	31
PID 1196 wrote to memory of 2696	1196	Explorer.EXE	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\0b253fe8a257daf152d4c6124a21cca1034003c6ae5f45542d9a7d89c3c9c4a2.exe
  "C:\Users\Admin\AppData\Local\Temp\0b253fe8a257daf152d4c6124a21cca1034003c6ae5f45542d9a7d89c3c9c4a2.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0b253fe8a257daf152d4c6124a21cca1034003c6ae5f45542d9a7d89c3c9c4a2.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:3028
- C:\Windows\SysWOW64\newdev.exe
  "C:\Windows\SysWOW64\newdev.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1196-27-0x0000000002F40000-0x0000000003040000-memory.dmp

Filesize
1024KB

Download
memory/1196-28-0x0000000009340000-0x000000000B144000-memory.dmp

Filesize
30.0MB

Download
memory/1196-36-0x0000000009340000-0x000000000B144000-memory.dmp

Filesize
30.0MB

Download
memory/2308-4-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/2308-15-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/2308-5-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/2308-6-0x0000000005060000-0x00000000050EA000-memory.dmp

Filesize
552KB

Download
memory/2308-0-0x0000000000BC0000-0x0000000000C8C000-memory.dmp

Filesize
816KB

Download
memory/2308-2-0x00000000021C0000-0x0000000002200000-memory.dmp

Filesize
256KB

Download
memory/2308-1-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/2308-3-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2696-34-0x0000000000090000-0x00000000000D0000-memory.dmp

Filesize
256KB

Download
memory/2696-33-0x0000000002470000-0x0000000002773000-memory.dmp

Filesize
3.0MB

Download
memory/2696-30-0x0000000000090000-0x00000000000D0000-memory.dmp

Filesize
256KB

Download
memory/2696-29-0x0000000000090000-0x00000000000D0000-memory.dmp

Filesize
256KB

Download
memory/2696-35-0x0000000000750000-0x00000000007F0000-memory.dmp

Filesize
640KB

Download
memory/2696-37-0x0000000000090000-0x00000000000D0000-memory.dmp

Filesize
256KB

Download
memory/2884-21-0x0000000002880000-0x00000000028C0000-memory.dmp

Filesize
256KB

Download
memory/2884-19-0x0000000002880000-0x00000000028C0000-memory.dmp

Filesize
256KB

Download
memory/2884-18-0x000000006F9C0000-0x000000006FF6B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-20-0x000000006F9C0000-0x000000006FF6B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-22-0x000000006F9C0000-0x000000006FF6B000-memory.dmp

Filesize
5.7MB

Download
memory/3028-26-0x00000000001C0000-0x00000000001E1000-memory.dmp

Filesize
132KB

Download
memory/3028-25-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3028-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3028-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3028-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3028-32-0x00000000001C0000-0x00000000001E1000-memory.dmp

Filesize
132KB

Download
memory/3028-14-0x0000000000930000-0x0000000000C33000-memory.dmp

Filesize
3.0MB

Download
memory/3028-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3028-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3028-9-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3028-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing