01225f09c9cfe6b65bd30b5af4a41bd6c1f35c94a95e1ab50ae6f9153bb006e9

General

Target

01225f09c9cfe6b65bd30b5af4a41bd6c1f35c94a95e1ab50ae6f9153bb006e9.exe
Size

6.8MB
MD5

7e5bff95ecbbf4f35d41694ff8add1ca
SHA1

7b2d06361147128c423f7c0dbff8e25ee58e80e5
SHA256

01225f09c9cfe6b65bd30b5af4a41bd6c1f35c94a95e1ab50ae6f9153bb006e9
SHA512

84c0d65a6685b8751671dba9d78f1b98576c981aa53e59f269c9a995837a13f3b594989f3f1322be0d19378c6e97796d3871dd349ece4d4e0ea3abb89348c604
SSDEEP

49152:YAP0EYVgRFWi30MZpbyWcS+fOVzaAU6SzqMj4KKUvRULvxhZf/YmDR4/jKBiRqP6:YVrjMif2laEy+UZu5YKBioTnkMGGTwd

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	01225f09c9cfe6b65bd30b5af4a41bd6c1f35c94a95e1ab50ae6f9153bb006e9.exe

Executes dropped EXE 1 IoCs

pid	Process
2240	xJdluJxwKsX.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
840	timeout.exe
1932	timeout.exe
3492	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
60	01225f09c9cfe6b65bd30b5af4a41bd6c1f35c94a95e1ab50ae6f9153bb006e9.exe
2240	xJdluJxwKsX.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	60	01225f09c9cfe6b65bd30b5af4a41bd6c1f35c94a95e1ab50ae6f9153bb006e9.exe
Token: SeDebugPrivilege	2240	xJdluJxwKsX.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 2312	60	01225f09c9cfe6b65bd30b5af4a41bd6c1f35c94a95e1ab50ae6f9153bb006e9.exe	88
PID 60 wrote to memory of 2312	60	01225f09c9cfe6b65bd30b5af4a41bd6c1f35c94a95e1ab50ae6f9153bb006e9.exe	88
PID 2312 wrote to memory of 840	2312	cmd.exe	91
PID 2312 wrote to memory of 840	2312	cmd.exe	91
PID 60 wrote to memory of 2240	60	01225f09c9cfe6b65bd30b5af4a41bd6c1f35c94a95e1ab50ae6f9153bb006e9.exe	90
PID 60 wrote to memory of 2240	60	01225f09c9cfe6b65bd30b5af4a41bd6c1f35c94a95e1ab50ae6f9153bb006e9.exe	90
PID 2312 wrote to memory of 3092	2312	cmd.exe	93
PID 2312 wrote to memory of 3092	2312	cmd.exe	93
PID 2312 wrote to memory of 1932	2312	cmd.exe	94
PID 2312 wrote to memory of 1932	2312	cmd.exe	94
PID 2312 wrote to memory of 4252	2312	cmd.exe	96
PID 2312 wrote to memory of 4252	2312	cmd.exe	96
PID 2312 wrote to memory of 3492	2312	cmd.exe	97
PID 2312 wrote to memory of 3492	2312	cmd.exe	97
PID 2312 wrote to memory of 3156	2312	cmd.exe	98
PID 2312 wrote to memory of 3156	2312	cmd.exe	98
PID 2312 wrote to memory of 1880	2312	cmd.exe	99
PID 2312 wrote to memory of 1880	2312	cmd.exe	99

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3156	attrib.exe
1880	attrib.exe
3092	attrib.exe
4252	attrib.exe

C:\Users\Admin\AppData\Local\Temp\01225f09c9cfe6b65bd30b5af4a41bd6c1f35c94a95e1ab50ae6f9153bb006e9.exe
"C:\Users\Admin\AppData\Local\Temp\01225f09c9cfe6b65bd30b5af4a41bd6c1f35c94a95e1ab50ae6f9153bb006e9.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:60
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0cbedc32-9dcc-4cd0-8d4a-6999df903d01.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\system32\timeout.exe
    timeout /T 1
    3⤵
    - Delays execution with timeout.exe
    PID:840
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\01225f09c9cfe6b65bd30b5af4a41bd6c1f35c94a95e1ab50ae6f9153bb006e9.exe"
    3⤵
    - Views/modifies file attributes
    PID:3092
- - C:\Windows\system32\timeout.exe
    timeout /T 1
    3⤵
    - Delays execution with timeout.exe
    PID:1932
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\01225f09c9cfe6b65bd30b5af4a41bd6c1f35c94a95e1ab50ae6f9153bb006e9.exe"
    3⤵
    - Views/modifies file attributes
    PID:4252
- - C:\Windows\system32\timeout.exe
    timeout /T 1
    3⤵
    - Delays execution with timeout.exe
    PID:3492
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\01225f09c9cfe6b65bd30b5af4a41bd6c1f35c94a95e1ab50ae6f9153bb006e9.exe"
    3⤵
    - Views/modifies file attributes
    PID:3156
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\0cbedc32-9dcc-4cd0-8d4a-6999df903d01.bat"
    3⤵
    - Views/modifies file attributes
    PID:1880
- C:\Users\Admin\AppData\Local\Temp\xJdluJxwKsX.exe
  "C:\Users\Admin\AppData\Local\Temp\xJdluJxwKsX.exe" 1
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0cbedc32-9dcc-4cd0-8d4a-6999df903d01.bat

Filesize
815B

MD5
44c9799180bc03725404cbd4e4cec184

SHA1
aee0d14e75ce8252bcc0b4d96663a13ca52bf293

SHA256
07dce570e1c475590e769587281aa5d9c14b37b0cfcc8c663758022f3a4ee72e

SHA512
5af971c06d10a091d102baf01dbe7515e2819f591e779ab356ca419b8dd9e8c69b0ae637c67514f2f231b6caf15b63a4abb03d28d76eedf3a7ad6f5eced7b426

Download Submit
C:\Users\Admin\AppData\Local\Temp\xJdluJxwKsX.exe

Filesize
6.8MB

MD5
54d53440d839517bbbd5ab88cd1553d4

SHA1
99dae5348ec2d2a91ff9d8f175b5e3d46afe0101

SHA256
16eb26c2bb5a0daa89807ddd75f91514c0fc666b5bd31e2d59898e685ff121fe

SHA512
9fe744cda4ed04157cf673565f00dd35e617776d3f8f7e52fa628a598866a1224675ade6a2baf2349d3793d39769b647d39fed3693a3f2066deb30f55457bf24

Download Submit
C:\Users\Admin\AppData\Roaming\gamehelpers

Filesize
56B

MD5
87b219c0f1ed503775a8e1b50b285683

SHA1
ccc846407b894ccea05dbf2e8836595c2f981323

SHA256
d947c9dc0f466276095a5fdf6822aea3f665c41730c2b7662daa4eaa4c493dd9

SHA512
dc1ac9cfb3b50d13cc4c6afe3ac9f29143ad96de7e7ea798de8440252964bfca47f97004f889ed34f000c32573b835fa2323d903ae804f06d59eea691b534ed8

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c71ab0d51d26efddb6de802a1aa67073

SHA1
c723d92a08da6256034d46d39d968f44f11d5547

SHA256
2c50997e2dd737265d18b7dbe9da70124c024d7d87c9b03ba836e601ed71fa78

SHA512
8c6ae05fa477b8e0ba8bb1f6b66dad231a4640ed3f32ff31b0eb265ee9fcd4c024421440df29b627051ebd4dc0ee21f83b316ba4fddcd718a04d99e72706d324

Download Submit

Analysis

Sharing