168b6fbe8b8f0fa03736eeec8e5e3b5a72c049700bfe847cd7050bc97f267649

General

Target

be3f0baa13fecfbf44e07583e2351df7.exe
Size

911KB
MD5

be3f0baa13fecfbf44e07583e2351df7
SHA1

3989229062f1393bccac518002b4625445721063
SHA256

168b6fbe8b8f0fa03736eeec8e5e3b5a72c049700bfe847cd7050bc97f267649
SHA512

9c26974164d5b4f999dffa8c5f59a32dbd6bc868498f300d44e33c4aa32576aa190a25c0a761f6421857bfe934a9ea0d955d064034e2c7ad887ac0c5d6479de6
SSDEEP

12288:Jtb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNTPPpHSgaZpCYcT2wE0XzFHV6A:Jtb20pkaCqT5TBWgNT7aZHIREwBV6A

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2752	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
2956	MSShell32.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\b:	MSShell32.exe
File opened (read-only)	\??\h:	MSShell32.exe
File opened (read-only)	\??\i:	MSShell32.exe
File opened (read-only)	\??\m:	MSShell32.exe
File opened (read-only)	\??\v:	MSShell32.exe
File opened (read-only)	\??\a:	MSShell32.exe
File opened (read-only)	\??\e:	MSShell32.exe
File opened (read-only)	\??\g:	MSShell32.exe
File opened (read-only)	\??\o:	MSShell32.exe
File opened (read-only)	\??\p:	MSShell32.exe
File opened (read-only)	\??\q:	MSShell32.exe
File opened (read-only)	\??\x:	MSShell32.exe
File opened (read-only)	\??\j:	MSShell32.exe
File opened (read-only)	\??\l:	MSShell32.exe
File opened (read-only)	\??\n:	MSShell32.exe
File opened (read-only)	\??\r:	MSShell32.exe
File opened (read-only)	\??\s:	MSShell32.exe
File opened (read-only)	\??\t:	MSShell32.exe
File opened (read-only)	\??\w:	MSShell32.exe
File opened (read-only)	\??\z:	MSShell32.exe
File opened (read-only)	\??\k:	MSShell32.exe
File opened (read-only)	\??\u:	MSShell32.exe
File opened (read-only)	\??\y:	MSShell32.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2348-0-0x0000000000400000-0x00000000004EF000-memory.dmp	autoit_exe
behavioral1/memory/2348-4-0x0000000000400000-0x00000000004EF000-memory.dmp	autoit_exe
behavioral1/files/0x0009000000015c4e-6.dat	autoit_exe
behavioral1/memory/2956-7-0x0000000000400000-0x00000000004EF000-memory.dmp	autoit_exe
behavioral1/files/0x0009000000015c4e-5.dat	autoit_exe
behavioral1/memory/2956-14-0x0000000000400000-0x00000000004EF000-memory.dmp	autoit_exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winmgmts:{impersonationLevel=impersonate}!\root\cimv2	MSShell32.exe
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\root\SecurityCenter2	MSShell32.exe
File opened for modification	C:\Windows\SysWOW64\winmgmts:\root\CIMV2	MSShell32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2100	schtasks.exe
2396	schtasks.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2100	2348	be3f0baa13fecfbf44e07583e2351df7.exe	28
PID 2348 wrote to memory of 2100	2348	be3f0baa13fecfbf44e07583e2351df7.exe	28
PID 2348 wrote to memory of 2100	2348	be3f0baa13fecfbf44e07583e2351df7.exe	28
PID 2348 wrote to memory of 2100	2348	be3f0baa13fecfbf44e07583e2351df7.exe	28
PID 2480 wrote to memory of 2956	2480	taskeng.exe	33
PID 2480 wrote to memory of 2956	2480	taskeng.exe	33
PID 2480 wrote to memory of 2956	2480	taskeng.exe	33
PID 2480 wrote to memory of 2956	2480	taskeng.exe	33
PID 2956 wrote to memory of 2396	2956	MSShell32.exe	34
PID 2956 wrote to memory of 2396	2956	MSShell32.exe	34
PID 2956 wrote to memory of 2396	2956	MSShell32.exe	34
PID 2956 wrote to memory of 2396	2956	MSShell32.exe	34
PID 2956 wrote to memory of 2752	2956	MSShell32.exe	36
PID 2956 wrote to memory of 2752	2956	MSShell32.exe	36
PID 2956 wrote to memory of 2752	2956	MSShell32.exe	36
PID 2956 wrote to memory of 2752	2956	MSShell32.exe	36

C:\Users\Admin\AppData\Local\Temp\be3f0baa13fecfbf44e07583e2351df7.exe
"C:\Users\Admin\AppData\Local\Temp\be3f0baa13fecfbf44e07583e2351df7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn MSShell32 /tr "C:\Users\Admin\AppData\Roaming\MSShell32.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2100

C:\Windows\system32\taskeng.exe
taskeng.exe {BE0DBB65-D417-46A1-BE5F-62867730C846} S-1-5-21-1650401615-1019878084-3673944445-1000:UADPPTXT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Roaming\MSShell32.exe
  C:\Users\Admin\AppData\Roaming\MSShell32.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn MSShell32 /tr "C:\Users\Admin\AppData\Roaming\MSShell32.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2396
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\MSShell32.exe" "MSShell32" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MSShell32.exe

Filesize
447KB

MD5
597f77a017528ca54ef5204f31ef5d6f

SHA1
2899c7d70032125e808de71abae038acf58584c7

SHA256
431f81c1780497e22d9c767b3eca4d76b747cf721015e0b8055ef66a40f14235

SHA512
4dce8b2ff06a981b607dbef1b98cba20918bcdd8101c212469581d5fa325169ae7e546e0a410426398b0b97363ee157ea00f5a92bfc7425ffea462d6ef80bacc

Download Submit
C:\Users\Admin\AppData\Roaming\MSShell32.exe

Filesize
464KB

MD5
60526ce02cfb01bd425ffbcf86eca804

SHA1
cc30c5f82273d11bca900a7b875179f3549720aa

SHA256
14dbe1fe07fa6df5d4ae48c60b2259db697e82b6fa35614eb57b47f7480da5e2

SHA512
c32ab437286282b9cec5aa1ea4a8ca7a5bb74aaa79498f4b0e7b3836094207eb7d11baafdc054d1dc59f753bedae834a797f5dec363548b2794458ed868aba8d

Download Submit
C:\Users\Admin\AppData\Roaming\MSShell32.ini

Filesize
15B

MD5
97a75a065383136b888da2884b84ceba

SHA1
000ba94c7d528ddfd9aebcbfe8e64abc672852e9

SHA256
46f6285ae622e0c180232e435ce0b43311c9f5b38ce43526160b993b734a3268

SHA512
37d0c532719e18cf21a237cf5a1dacf90c4a6a4f41ef125da2d1ac738f2b649eaa4f759e021d4d867248a0655c2396419ff806078e8ba3debab75acfe3c5ae4b

Download Submit
memory/2348-0-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2348-4-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2956-7-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2956-13-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/2956-12-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/2956-11-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2956-14-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads