b6127994f0c0b7359d0c244ff2278a946af690e3e88bc1347d8eafc5dc4813d8

General

Target

bd91f44a69e1334ac760a03483d2e951.exe
Size

2.1MB
MD5

bd91f44a69e1334ac760a03483d2e951
SHA1

b96598639d10d46288a5429d0ff57a7dc1d3876c
SHA256

b6127994f0c0b7359d0c244ff2278a946af690e3e88bc1347d8eafc5dc4813d8
SHA512

4d46ed820d8cfd1cafe1776b4c82368cf32916d67783c553ed78755d6c05a417f39e05c173de43b1a276406bd7ba4ecc63c322fc69bfeb238343c1e04ba9bb73
SSDEEP

12288:W2FS6GiWpFPVFHGTAyldymyOymy4vSwd5Skd4y:khCTAyldymyOymy4LSkd4y

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2464	bd91f44a69e1334ac760a03483d2e951.exe

Loads dropped DLL 1 IoCs

pid	Process
3064	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1952	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3052	tasklist.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2832	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3036	bd91f44a69e1334ac760a03483d2e951.exe
2464	bd91f44a69e1334ac760a03483d2e951.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	bd91f44a69e1334ac760a03483d2e951.exe
Token: SeDebugPrivilege	2832	taskkill.exe
Token: SeDebugPrivilege	3052	tasklist.exe
Token: SeDebugPrivilege	2464	bd91f44a69e1334ac760a03483d2e951.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 3064	3036	bd91f44a69e1334ac760a03483d2e951.exe	28
PID 3036 wrote to memory of 3064	3036	bd91f44a69e1334ac760a03483d2e951.exe	28
PID 3036 wrote to memory of 3064	3036	bd91f44a69e1334ac760a03483d2e951.exe	28
PID 3036 wrote to memory of 3064	3036	bd91f44a69e1334ac760a03483d2e951.exe	28
PID 3036 wrote to memory of 3064	3036	bd91f44a69e1334ac760a03483d2e951.exe	28
PID 3036 wrote to memory of 3064	3036	bd91f44a69e1334ac760a03483d2e951.exe	28
PID 3036 wrote to memory of 3064	3036	bd91f44a69e1334ac760a03483d2e951.exe	28
PID 3064 wrote to memory of 1952	3064	cmd.exe	30
PID 3064 wrote to memory of 1952	3064	cmd.exe	30
PID 3064 wrote to memory of 1952	3064	cmd.exe	30
PID 3064 wrote to memory of 1952	3064	cmd.exe	30
PID 3064 wrote to memory of 2832	3064	cmd.exe	31
PID 3064 wrote to memory of 2832	3064	cmd.exe	31
PID 3064 wrote to memory of 2832	3064	cmd.exe	31
PID 3064 wrote to memory of 2832	3064	cmd.exe	31
PID 3064 wrote to memory of 3052	3064	cmd.exe	33
PID 3064 wrote to memory of 3052	3064	cmd.exe	33
PID 3064 wrote to memory of 3052	3064	cmd.exe	33
PID 3064 wrote to memory of 3052	3064	cmd.exe	33
PID 3064 wrote to memory of 2484	3064	cmd.exe	34
PID 3064 wrote to memory of 2484	3064	cmd.exe	34
PID 3064 wrote to memory of 2484	3064	cmd.exe	34
PID 3064 wrote to memory of 2484	3064	cmd.exe	34
PID 3064 wrote to memory of 2464	3064	cmd.exe	35
PID 3064 wrote to memory of 2464	3064	cmd.exe	35
PID 3064 wrote to memory of 2464	3064	cmd.exe	35
PID 3064 wrote to memory of 2464	3064	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\bd91f44a69e1334ac760a03483d2e951.exe
"C:\Users\Admin\AppData\Local\Temp\bd91f44a69e1334ac760a03483d2e951.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\bd91f44a69e1334ac760a03483d2e951-Update.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\timeout.exe
    TIMEOUT /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1952
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /IM "bd91f44a69e1334ac760a03483d2e951.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3052
- - C:\Windows\SysWOW64\find.exe
    find /i "bd91f44a69e1334ac760a03483d2e951.exe"
    3⤵
    PID:2484
- - C:\Users\Admin\AppData\Local\Temp\bd91f44a69e1334ac760a03483d2e951.exe
    "C:\Users\Admin\AppData\Local\Temp\bd91f44a69e1334ac760a03483d2e951.exe" updated
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

1

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bd91f44a69e1334ac760a03483d2e951-Update.bat

Filesize
562B

MD5
42c6c29059706a0f6edb23f22eb938a7

SHA1
cfa3e6a526a0e4d4710e52ef8ac85311fb6cdaa5

SHA256
5c585dc9637cd0f80f8eba289cbfcac73e7b5b5f600e8194947c2a635d2d9535

SHA512
db515d8551cb8cfcc0caf825532b21b3e5d64ca6770d97ddbd1d95d92e9e28241655ffa0172bfbcddb0bfcaacadd8697356151cd1e94ac19f34e025946825eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd91f44a69e1334ac760a03483d2e951-Update.exe

Filesize
2.3MB

MD5
ccc0e851425a42b695bc579dc5722d83

SHA1
1b5927123dd83eee8c1764cd7762bca28beb9d64

SHA256
d7da98729c16e0b4575f1de0a253cda2ca3f1941990501e9cbe362688add29fd

SHA512
870dbe31bafa8ac212c433f54d6abfd457d2227cc53416026c8b2bb2ad23894209d5046f22d1b36bd775dc3061fe8630f83d9963ef137e75773679a3bc9775e5

Download Submit
memory/2464-22-0x00000000007D0000-0x0000000000810000-memory.dmp

Filesize
256KB

Download
memory/2464-19-0x0000000000900000-0x0000000000B5C000-memory.dmp

Filesize
2.4MB

Download
memory/2464-25-0x00000000007D0000-0x0000000000810000-memory.dmp

Filesize
256KB

Download
memory/2464-24-0x00000000007D0000-0x0000000000810000-memory.dmp

Filesize
256KB

Download
memory/2464-23-0x0000000074250000-0x000000007493E000-memory.dmp

Filesize
6.9MB

Download
memory/2464-21-0x00000000007D0000-0x0000000000810000-memory.dmp

Filesize
256KB

Download
memory/2464-20-0x0000000074250000-0x000000007493E000-memory.dmp

Filesize
6.9MB

Download
memory/3036-15-0x0000000004B30000-0x0000000004B70000-memory.dmp

Filesize
256KB

Download
memory/3036-1-0x0000000000350000-0x0000000000574000-memory.dmp

Filesize
2.1MB

Download
memory/3036-14-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/3036-0-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/3036-3-0x0000000004B30000-0x0000000004B70000-memory.dmp

Filesize
256KB

Download
memory/3036-2-0x0000000004B30000-0x0000000004B70000-memory.dmp

Filesize
256KB

Download
memory/3036-4-0x0000000004B30000-0x0000000004B70000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing