b6127994f0c0b7359d0c244ff2278a946af690e3e88bc1347d8eafc5dc4813d8

General

Target

bd91f44a69e1334ac760a03483d2e951.exe
Size

2.1MB
MD5

bd91f44a69e1334ac760a03483d2e951
SHA1

b96598639d10d46288a5429d0ff57a7dc1d3876c
SHA256

b6127994f0c0b7359d0c244ff2278a946af690e3e88bc1347d8eafc5dc4813d8
SHA512

4d46ed820d8cfd1cafe1776b4c82368cf32916d67783c553ed78755d6c05a417f39e05c173de43b1a276406bd7ba4ecc63c322fc69bfeb238343c1e04ba9bb73
SSDEEP

12288:W2FS6GiWpFPVFHGTAyldymyOymy4vSwd5Skd4y:khCTAyldymyOymy4LSkd4y

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4876	bd91f44a69e1334ac760a03483d2e951.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4352	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2712	tasklist.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1200	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2560	bd91f44a69e1334ac760a03483d2e951.exe
4876	bd91f44a69e1334ac760a03483d2e951.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	bd91f44a69e1334ac760a03483d2e951.exe
Token: SeDebugPrivilege	1200	taskkill.exe
Token: SeDebugPrivilege	2712	tasklist.exe
Token: SeDebugPrivilege	4876	bd91f44a69e1334ac760a03483d2e951.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 4412	2560	bd91f44a69e1334ac760a03483d2e951.exe	92
PID 2560 wrote to memory of 4412	2560	bd91f44a69e1334ac760a03483d2e951.exe	92
PID 2560 wrote to memory of 4412	2560	bd91f44a69e1334ac760a03483d2e951.exe	92
PID 4412 wrote to memory of 4352	4412	cmd.exe	94
PID 4412 wrote to memory of 4352	4412	cmd.exe	94
PID 4412 wrote to memory of 4352	4412	cmd.exe	94
PID 4412 wrote to memory of 1200	4412	cmd.exe	97
PID 4412 wrote to memory of 1200	4412	cmd.exe	97
PID 4412 wrote to memory of 1200	4412	cmd.exe	97
PID 4412 wrote to memory of 2712	4412	cmd.exe	99
PID 4412 wrote to memory of 2712	4412	cmd.exe	99
PID 4412 wrote to memory of 2712	4412	cmd.exe	99
PID 4412 wrote to memory of 924	4412	cmd.exe	100
PID 4412 wrote to memory of 924	4412	cmd.exe	100
PID 4412 wrote to memory of 924	4412	cmd.exe	100
PID 4412 wrote to memory of 4876	4412	cmd.exe	101
PID 4412 wrote to memory of 4876	4412	cmd.exe	101
PID 4412 wrote to memory of 4876	4412	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\bd91f44a69e1334ac760a03483d2e951.exe
"C:\Users\Admin\AppData\Local\Temp\bd91f44a69e1334ac760a03483d2e951.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bd91f44a69e1334ac760a03483d2e951-Update.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\SysWOW64\timeout.exe
    TIMEOUT /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4352
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /IM "bd91f44a69e1334ac760a03483d2e951.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1200
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\SysWOW64\find.exe
    find /i "bd91f44a69e1334ac760a03483d2e951.exe"
    3⤵
    PID:924
- - C:\Users\Admin\AppData\Local\Temp\bd91f44a69e1334ac760a03483d2e951.exe
    "C:\Users\Admin\AppData\Local\Temp\bd91f44a69e1334ac760a03483d2e951.exe" updated
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

1

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bd91f44a69e1334ac760a03483d2e951.exe.log

Filesize
1KB

MD5
26bd5cfe49df60483c5a6517cc2ff70b

SHA1
f5101eeea1aad084d75514b81ebc5a360a1f5e7a

SHA256
97509d6d0828aadd677ffcaf8150090ad53b57b7a1120d2de034310fa1539090

SHA512
f36722fe92292eb890766d27c77e714eebd551c29e27abc582bb5bd1adbcf2ac2a51428a49e5d7b93a43688126c022b0fbe645e6de4ed3c9830af2602993f0c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd91f44a69e1334ac760a03483d2e951-Update.bat

Filesize
562B

MD5
42c6c29059706a0f6edb23f22eb938a7

SHA1
cfa3e6a526a0e4d4710e52ef8ac85311fb6cdaa5

SHA256
5c585dc9637cd0f80f8eba289cbfcac73e7b5b5f600e8194947c2a635d2d9535

SHA512
db515d8551cb8cfcc0caf825532b21b3e5d64ca6770d97ddbd1d95d92e9e28241655ffa0172bfbcddb0bfcaacadd8697356151cd1e94ac19f34e025946825eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd91f44a69e1334ac760a03483d2e951-Update.exe

Filesize
2.3MB

MD5
ccc0e851425a42b695bc579dc5722d83

SHA1
1b5927123dd83eee8c1764cd7762bca28beb9d64

SHA256
d7da98729c16e0b4575f1de0a253cda2ca3f1941990501e9cbe362688add29fd

SHA512
870dbe31bafa8ac212c433f54d6abfd457d2227cc53416026c8b2bb2ad23894209d5046f22d1b36bd775dc3061fe8630f83d9963ef137e75773679a3bc9775e5

Download Submit
memory/2560-4-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/2560-2-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/2560-5-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/2560-6-0x00000000057A0000-0x00000000057AA000-memory.dmp

Filesize
40KB

Download
memory/2560-7-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/2560-3-0x0000000005D70000-0x0000000006314000-memory.dmp

Filesize
5.6MB

Download
memory/2560-13-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/2560-0-0x0000000000A00000-0x0000000000C24000-memory.dmp

Filesize
2.1MB

Download
memory/2560-1-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/4876-17-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4876-18-0x0000000000CF0000-0x0000000000F4C000-memory.dmp

Filesize
2.4MB

Download
memory/4876-19-0x00000000058F0000-0x0000000005900000-memory.dmp

Filesize
64KB

Download
memory/4876-20-0x00000000058F0000-0x0000000005900000-memory.dmp

Filesize
64KB

Download
memory/4876-24-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4876-25-0x00000000058F0000-0x0000000005900000-memory.dmp

Filesize
64KB

Download
memory/4876-26-0x00000000058F0000-0x0000000005900000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing