c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3

General

Target

c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe
Size

1.8MB
MD5

63b9d980ce167685f61415d082dc681b
SHA1

603140235d53cef46e3bac28cdddd5206a1c4246
SHA256

c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3
SHA512

a4161de9bdd90a7260d086080970c3f06df8a99b8cb2db8339b6d105d5b37b47f6e362b7972a6a562263e7d70dc055d5050d5f4ca12215329146fc3b7ad4e25c
SSDEEP

49152:zi39+084E6W4W8+m/oX49aXZmMA88DOKmX:G+HVb4W8b+49unDfTX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2560	sg.tmp
2768	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
3048	c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe
3048	c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe
3048	c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe
2768	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeBackupPrivilege	3048	c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe
Token: SeRestorePrivilege	3048	c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe
Token: 33	3048	c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe
Token: SeIncBasePriorityPrivilege	3048	c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe
Token: SeCreateGlobalPrivilege	3048	c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe
Token: 33	3048	c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe
Token: SeIncBasePriorityPrivilege	3048	c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe
Token: 33	3048	c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe
Token: SeIncBasePriorityPrivilege	3048	c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe
Token: SeRestorePrivilege	2560	sg.tmp
Token: 35	2560	sg.tmp
Token: SeSecurityPrivilege	2560	sg.tmp
Token: SeSecurityPrivilege	2560	sg.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2512	3048	c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe	28
PID 3048 wrote to memory of 2512	3048	c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe	28
PID 3048 wrote to memory of 2512	3048	c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe	28
PID 3048 wrote to memory of 2512	3048	c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe	28
PID 3048 wrote to memory of 2560	3048	c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe	30
PID 3048 wrote to memory of 2560	3048	c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe	30
PID 3048 wrote to memory of 2560	3048	c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe	30
PID 3048 wrote to memory of 2560	3048	c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe	30
PID 3048 wrote to memory of 2768	3048	c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe	32
PID 3048 wrote to memory of 2768	3048	c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe	32
PID 3048 wrote to memory of 2768	3048	c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe	32
PID 3048 wrote to memory of 2768	3048	c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe	32

C:\Users\Admin\AppData\Local\Temp\c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe
"C:\Users\Admin\AppData\Local\Temp\c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\system32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:2512
- C:\Users\Admin\AppData\Local\Temp\~2277640203249909706~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\c3036f061c756b0279703655c6ccc1f58b0d2d560ba94924599099b1c73ecbf3.exe" -y -aos -o"C:\Users\Admin\AppData\Local\Temp\~6043619361850576355"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Users\Admin\AppData\Local\Temp\~6043619361850576355\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\~6043619361850576355\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~6043619361850576355\msedge_elf.dll

Filesize
26KB

MD5
457f1e9754479c07bfa7925fd743bdfa

SHA1
d2c99cca4749da75f5b3dd624943e425205f3828

SHA256
2fa643f7c1a47a1c9423d4602e32bed58aa7adf1a40ee112e0ce8c7767f438c2

SHA512
11b781260b8a76624663053723789c346e97248e5bc0db1a425a73ee5384ec6e78b25d8e95a28c4b2fd48e6b4ae06872e07fd8a47c2dd80224e606504ac65ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6043619361850576355\svchost.exe

Filesize
833KB

MD5
9a25c9f4ae1ae0206d0ac670fc26bfb0

SHA1
ab9e4e3c92a722d0ccec78a5843d99b29d5a65e5

SHA256
7e78f5183d1539b90445356a7069b0f610d9b8c69c2be228e5952fe807d1791b

SHA512
ed7c65b387f8a3aeb06a3e06ed6444a928bdaff816391220a633dbbc18b6d8db65e86889ed1ba9e48d8e88dbb3cae4867a7c3a1ff12f473f36f03639a5b711d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6043619361850576355\svchost.exe

Filesize
8KB

MD5
dba37d8ab5a06fb6cc1b37d0c613e2b3

SHA1
54264241b53fb99e1bba03d75afe0a21576db50e

SHA256
17968ac6fd3bd4cc7acd0db56a2baf0e2cd250b1690e695ccbe5aa74a1c46838

SHA512
beaf395deb50ab2376c019df0d4b51142c7107fd52fa9d8b0f50af456c22dfd59b844b65c842476377194b426779b84ec94e752c7990a6e72e1cd8a70975f24a

Download Submit
\Users\Admin\AppData\Local\Temp\~2277640203249909706~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
\Users\Admin\AppData\Local\Temp\~6043619361850576355\svchost.exe

Filesize
378KB

MD5
ebffef560e5e5da5f4898bcd2fe0a773

SHA1
84e6daa167fc03668261d297440853e9600c41f4

SHA256
3b1cc30faa19a802c07767e094c93c5e3574188f58c656671d14dabe2c119253

SHA512
fa9ad26689ffe598b620790ce998ee82a52642937bcbf99b508fc058bdbba74150f2ff5904ec30cc621048ffffec15cee199b28f87890c0456728fc4ea66285e

Download Submit
\Users\Admin\AppData\Local\Temp\~6043619361850576355\svchost.exe

Filesize
14KB

MD5
dff9e593c345d81e33c26d64ab2becd9

SHA1
445192a954e980c30cf4cffff3321aa6f20b58ec

SHA256
9bbf2866987131a7de85209faffaa8bbec7ae3136bacc89fd5f87f7753c3355b

SHA512
dab911ea39abace7cde34e1f5af1c1a4d850e595334cb215f38bfe91266f14c643bc068f92d39fde049bd1f33208037edb1c5a48c90a1dfd946336b63a51512c

Download Submit
memory/3048-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing