25ae68cdffbc5665b2ab458aa70b6273445130f021088a7bdc08b7fdfcb94b77

General

Target

vaultFile9081945144037048205.exe
Size

131KB
MD5

b0bcb1480c58dd7fca3c18f294ed0af7
SHA1

2970be435950fc4903843697018341a949cdf59a
SHA256

7670b172bd164ce649c108c62f0d24f4066501a24d61f20cb3dccace3e2ceb1c
SHA512

cc2455142e289c8497a168461fd2a98cc760492d218441879e3e2ce989bd041ecc1f87b18ae56a752db968e851418044d705ea9cdff01df0c321d02099df3aa3
SSDEEP

1536:mj2AwKrSEq7T6+TIyKECWQxK+oyEIXQ7+JLIzbPhwGsscat5DdPYMJp8UpM3cbdD:k2AwNex0AXQ7+crmy5PJp8+Dhxvg1+8U

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3588	eidolon.exe
4772	vaultFile9081945144037048205.exe
96	USBServers32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001ac45-16.dat	upx
behavioral1/memory/4772-21-0x00000000010C0000-0x00000000010D9000-memory.dmp	upx
behavioral1/memory/4772-22-0x00000000010C0000-0x00000000010D9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\USBServers32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\USBServers32.exe"	reg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell32.dll	eidolon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 3588	2764	vaultFile9081945144037048205.exe	73
PID 2764 wrote to memory of 3588	2764	vaultFile9081945144037048205.exe	73
PID 2764 wrote to memory of 3588	2764	vaultFile9081945144037048205.exe	73
PID 2764 wrote to memory of 2496	2764	vaultFile9081945144037048205.exe	74
PID 2764 wrote to memory of 2496	2764	vaultFile9081945144037048205.exe	74
PID 2764 wrote to memory of 2496	2764	vaultFile9081945144037048205.exe	74
PID 2764 wrote to memory of 3148	2764	vaultFile9081945144037048205.exe	75
PID 2764 wrote to memory of 3148	2764	vaultFile9081945144037048205.exe	75
PID 2764 wrote to memory of 3148	2764	vaultFile9081945144037048205.exe	75
PID 3148 wrote to memory of 4772	3148	cmd.exe	78
PID 3148 wrote to memory of 4772	3148	cmd.exe	78
PID 3148 wrote to memory of 4772	3148	cmd.exe	78
PID 3148 wrote to memory of 96	3148	cmd.exe	79
PID 3148 wrote to memory of 96	3148	cmd.exe	79
PID 3148 wrote to memory of 96	3148	cmd.exe	79
PID 96 wrote to memory of 1336	96	USBServers32.exe	80
PID 96 wrote to memory of 1336	96	USBServers32.exe	80
PID 96 wrote to memory of 1336	96	USBServers32.exe	80
PID 1336 wrote to memory of 3108	1336	cmd.exe	82
PID 1336 wrote to memory of 3108	1336	cmd.exe	82
PID 1336 wrote to memory of 3108	1336	cmd.exe	82

C:\Users\Admin\AppData\Local\Temp\vaultFile9081945144037048205.exe
"C:\Users\Admin\AppData\Local\Temp\vaultFile9081945144037048205.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Local\Temp\eidolon.exe
  "C:\Users\Admin\AppData\Local\Temp\eidolon.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\temp\tttdelzzz.bat" "
  2⤵
  PID:2496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\temp\tttbrozzz.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Users\Admin\AppData\Local\Temp\vaultFile9081945144037048205.exe
    "C:\Users\Admin\AppData\Local\Temp\vaultFile9081945144037048205.exe"
    3⤵
    - Executes dropped EXE
    PID:4772
- - C:\Users\Admin\AppData\Local\Temp\USBServers32.exe
    "C:\Users\Admin\AppData\Local\Temp\USBServers32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:96
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\windows\currentVersion\run /v USBServers32 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\USBServers32.exe" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1336
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\windows\currentVersion\run /v USBServers32 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\USBServers32.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\USBServers32.exe

Filesize
54KB

MD5
6428b1de8971e837926de5b464725f64

SHA1
19d7ce6fff617b790f9de7bf99406e61061f0594

SHA256
8f53ab3cd172f685568e0cbb51eb7dfd2389a5fe6aaf47d0aa7d823253e673ee

SHA512
7938b01ce48bcdd3276c83f82fc71407d101f2e884b3f271a17fcf4c60af642faf57047edab97906351217f79847107757283af3fbfc3059cf4eb8e8d778d026

Download Submit
C:\Users\Admin\AppData\Local\Temp\eidolon.exe

Filesize
24KB

MD5
f3858fb30c8ddb74a11e85381009c438

SHA1
ab388dbb45109acd543d28030daf065e50e20a1b

SHA256
a1bf9bc23f97fee5a83ddcb3ba4d8fbbcc70fb2d871b325261be0ded72196fe9

SHA512
6aeb783c6ed7108480f956fd5b54a39a26d6257dc1c472d4d16700eb76be4276690596702fbc9a078662627673965584accf90449cd08dec461806ae3d57c0d1

Download Submit
C:\Windows\temp\Server32History.dat

Filesize
48KB

MD5
23c976f83f66c2137ed6c88869cffa4d

SHA1
9da15c5e6367ddc243bee933ac889d1bfca358f2

SHA256
002f028adccd6a39483b7a6f0028c6e62231c3a0e00fcd40895ebf85415ccd90

SHA512
4f717aecd33331a8a49dc16c0a04e24d81b1c619e5b6f37f89b8b5b5f6821a741925c49491fc6d05a5792d858dace067e91226c962c9fd8e978ae1ec1ae94728

Download Submit
C:\Windows\temp\tttbrozzz.bat

Filesize
511B

MD5
f6d3d48f92f8b847b423538566e517e8

SHA1
b8edcd88941ea6a0cfbb2a1d0092785d879eb393

SHA256
6fc04675a442c3d259fbbfbc8ebff59e64a163d4211ce3bb4d99abffdd17e181

SHA512
454dc215117e42206fcda097b603538eca1533c7ea8013b209f191049cd6687239065da671d60bee134498e6e51da48c8838300390e2332b38e820d335692d6b

Download Submit
C:\Windows\temp\tttdelzzz.bat

Filesize
255B

MD5
e5a9d410555dac2c8e018d38b51dbb3f

SHA1
897314c63639ecad197f554af853af123e8174db

SHA256
141a2df2d02db41825c131b09a162e19bbe687cefc432a581b4c567429c551ac

SHA512
4d4500f3329497f497f22cee07dff5922d519ab02144da06fa850e51bb292ff8c180873c28a3e0cf9cb342b10ed731dd3d0e948f40df6b97e6311cae0a606aa2

Download Submit
memory/4772-21-0x00000000010C0000-0x00000000010D9000-memory.dmp

Filesize
100KB

Download
memory/4772-22-0x00000000010C0000-0x00000000010D9000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads