c2a5a01354deed0fafe346d38f6eec84f0d79ba0e20407c9e1218ff83711fbf9

General

Target

a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0.exe
Size

2.7MB
MD5

731ff38afbc5a664f5a458e222d91f84
SHA1

5105f89898a3d9e5b5b52ddcd7d0a3b167aaf701
SHA256

a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0
SHA512

910b1c9fb8e28c3f24d35a875ff86f3ab2e2c573797e078ece204538a3bdc6d42bc92531197e57be577ffb2e4cacdd53fec6a61843e6c69be4794e68506f68c3
SSDEEP

24576:3RoBHi3buy4toE1jC6Ayo2xhWLbSPlqRvc68XzRVGvxB5VA0UC1dUUKj/OZ8j3g3:BoKmo4jC6TovDRUC1doj/Tg3

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wO3VaBWqgkb3gBE2IpgffQ9g.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\P29WBMOBkQZpb9YJtFvtMfbu.bat	CasPol.exe

Executes dropped EXE 1 IoCs

pid	Process
5084	f9JfkkIGlbrXiEeCIgU5V8yo.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	pastebin.com
8	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4728 set thread context of 4732	4728	a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0.exe	92

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4732	CasPol.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 4732	4728	a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0.exe	92
PID 4728 wrote to memory of 4732	4728	a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0.exe	92
PID 4728 wrote to memory of 4732	4728	a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0.exe	92
PID 4728 wrote to memory of 4732	4728	a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0.exe	92
PID 4728 wrote to memory of 4732	4728	a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0.exe	92
PID 4728 wrote to memory of 4732	4728	a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0.exe	92
PID 4728 wrote to memory of 4732	4728	a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0.exe	92
PID 4728 wrote to memory of 4732	4728	a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0.exe	92
PID 4732 wrote to memory of 5084	4732	CasPol.exe	93
PID 4732 wrote to memory of 5084	4732	CasPol.exe	93
PID 4732 wrote to memory of 5084	4732	CasPol.exe	93

C:\Users\Admin\AppData\Local\Temp\a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0.exe
"C:\Users\Admin\AppData\Local\Temp\a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Users\Admin\Pictures\f9JfkkIGlbrXiEeCIgU5V8yo.exe
    "C:\Users\Admin\Pictures\f9JfkkIGlbrXiEeCIgU5V8yo.exe"
    3⤵
    - Executes dropped EXE
    PID:5084
- - C:\Users\Admin\Pictures\FVyC4yVWb6tlcfk50U1hl2AT.exe
    "C:\Users\Admin\Pictures\FVyC4yVWb6tlcfk50U1hl2AT.exe"
    3⤵
    PID:4996
- - C:\Users\Admin\Pictures\sfY0v7PWb99DxijSWWeN0NSJ.exe
    "C:\Users\Admin\Pictures\sfY0v7PWb99DxijSWWeN0NSJ.exe"
    3⤵
    PID:2236
- - C:\Users\Admin\Pictures\b5tXaHPxe6ghHz21qY7jTOlg.exe
    "C:\Users\Admin\Pictures\b5tXaHPxe6ghHz21qY7jTOlg.exe"
    3⤵
    PID:4524
- - C:\Users\Admin\Pictures\4H7rROJMklfu1PUwVp2yio6e.exe
    "C:\Users\Admin\Pictures\4H7rROJMklfu1PUwVp2yio6e.exe"
    3⤵
    PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Pictures\FVyC4yVWb6tlcfk50U1hl2AT.exe

Filesize
4.1MB

MD5
abc8de7ab67111f1a11e0f56fa064a17

SHA1
0d6481e34d595b38762497f24917d6f36db1a1e3

SHA256
c06e1787c9443a978d92d1ffa2a029b3f675a4553586b82da896b0580abdacda

SHA512
b0debe776a64f2132a057e7a07c1593810bb849db403a3bf9244b9b3fe73f32c3a2154c34751f63be09e07b359764fad31362a249040a24f548e82f5817b7789

Download Submit
C:\Users\Admin\Pictures\f9JfkkIGlbrXiEeCIgU5V8yo.exe

Filesize
386KB

MD5
b34124b3f04c97f7da56e97ae39a85c9

SHA1
a10dfe5b613a7b14050e096069ff437c1f60f181

SHA256
7cd8f983a0c866b3342061211e2d3cdd813095d64a3e9293352840573cb4c28a

SHA512
0b8bc61c06100a0fa9f305f418c7a6b19d3413bdedc2a82dd8c6ce5c74d979dcfa264c2aeda8b680d0af9b6605886ed6b9591c5a314f11e87483193e4e842bf6

Download Submit
C:\Users\Admin\Pictures\sfY0v7PWb99DxijSWWeN0NSJ.exe

Filesize
4.1MB

MD5
7d797466a9c8f0f995a01e75f83f5104

SHA1
35c1a21693577f713ef4292902190a5eaf11479c

SHA256
92321d87b7dab27ced4c85a894b199d02d14c7005ec5e6729abf5e5d81807d9f

SHA512
bee594a02a130314f2338e51e943670001b97c3d164739994ec7447dcb257a195052b73744f4c98db8276637d690a6246e17c43a96e9d88fca99568da3eef80a

Download Submit
C:\Users\Admin\Pictures\wfzkCQ6orLl9FuangJPxSv5i.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
memory/4728-0-0x00007FF75E480000-0x00007FF75E7C9000-memory.dmp

Filesize
3.3MB

Download
memory/4728-2-0x00007FF75E480000-0x00007FF75E7C9000-memory.dmp

Filesize
3.3MB

Download
memory/4732-1-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4732-3-0x0000000074B5E000-0x0000000074B5F000-memory.dmp

Filesize
4KB

Download
memory/4732-4-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing