110153fca09fa9761ba79b12aee86d8a0b13e28784d4186b2a8f65557381000c

General

Target

file.exe
Size

791KB
MD5

5f9cb397c845f9e4b723575c20705c10
SHA1

8777fd75fe0058a5978780e6a4673b4759450eae
SHA256

110153fca09fa9761ba79b12aee86d8a0b13e28784d4186b2a8f65557381000c
SHA512

d6766f64e900499398392e65720ac51fb81ee1f6697cfe4f6e25231aa88b21dc16f76b466e84e3adea368d08ed21cdb84fa2014e47212c7a328e9d249fb9551f
SSDEEP

24576:ENQ//5PPhGNV4AiaaOu6+tHv0PTVbUkITUcU:ENm/5XhG34AiROuhtH8PveUc

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3472	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3472	powershell.exe
3472	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3472	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 3472	3568	file.exe	77
PID 3568 wrote to memory of 3472	3568	file.exe	77
PID 3568 wrote to memory of 3472	3568	file.exe	77

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Sleep -Seconds 5; Remove-Item "C:\Users\Admin\AppData\Local\Temp\file.exe""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4nxktg0l.err.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\[CryZIP]ZC_LOG.txt

Filesize
4KB

MD5
6ad8ca0a895c031c6ec8c87bbe415d17

SHA1
2b5f3fe5e460573a61a2fa09af46579aa2387d8a

SHA256
c611f992d3b667b2dabd535d0f4c72765c45fde63f63f6eefe45baeead737ed8

SHA512
d5858a750cceeaef2b682d6ba874d51c8e484f71d505a1110af01dff4f6a75914bd4246c013aabde56a8ef27811bed8b6010b7e60b8f0424666ee1d12d66ad76

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\[CryZIP]INSTRUCTIONS.txt

Filesize
4KB

MD5
22962f2697be4e30a28f995b8c9e00f8

SHA1
c33bfa10c866562cce98312f5c806cafaea13d52

SHA256
06e0d978d1fe08bd74e9bad97000ae891156f297b942522656e41d2aaaf7c6d2

SHA512
59a23e72ed8fcea77dfa46a848e3826371d916e226e6594f827a6cdb86ab4ff7bf835a5255d043947b53e3a7ea15e35aae616dcd63bcea54643613005ab14199

Download Submit
memory/3472-500-0x00000000060C0000-0x0000000006417000-memory.dmp

Filesize
3.3MB

Download
memory/3472-501-0x00000000065B0000-0x00000000065CE000-memory.dmp

Filesize
120KB

Download
memory/3472-509-0x0000000075240000-0x00000000759F1000-memory.dmp

Filesize
7.7MB

Download
memory/3472-506-0x0000000006B90000-0x0000000006BB2000-memory.dmp

Filesize
136KB

Download
memory/3472-505-0x0000000007620000-0x00000000076B6000-memory.dmp

Filesize
600KB

Download
memory/3472-504-0x0000000006AD0000-0x0000000006AEA000-memory.dmp

Filesize
104KB

Download
memory/3472-503-0x0000000007C00000-0x000000000827A000-memory.dmp

Filesize
6.5MB

Download
memory/3472-502-0x00000000065F0000-0x000000000663C000-memory.dmp

Filesize
304KB

Download
memory/3472-483-0x0000000005130000-0x0000000005166000-memory.dmp

Filesize
216KB

Download
memory/3472-486-0x0000000075240000-0x00000000759F1000-memory.dmp

Filesize
7.7MB

Download
memory/3472-487-0x0000000075240000-0x00000000759F1000-memory.dmp

Filesize
7.7MB

Download
memory/3472-485-0x00000000058F0000-0x0000000005F1A000-memory.dmp

Filesize
6.2MB

Download
memory/3472-490-0x0000000005F90000-0x0000000005FF6000-memory.dmp

Filesize
408KB

Download
memory/3472-489-0x0000000005F20000-0x0000000005F86000-memory.dmp

Filesize
408KB

Download
memory/3472-488-0x0000000005800000-0x0000000005822000-memory.dmp

Filesize
136KB

Download
memory/3472-491-0x0000000075240000-0x00000000759F1000-memory.dmp

Filesize
7.7MB

Download
memory/3568-1-0x0000000000D40000-0x0000000000E0C000-memory.dmp

Filesize
816KB

Download
memory/3568-484-0x0000000075240000-0x00000000759F1000-memory.dmp

Filesize
7.7MB

Download
memory/3568-0-0x000000007524E000-0x000000007524F000-memory.dmp

Filesize
4KB

Download
memory/3568-4-0x0000000005980000-0x0000000005A12000-memory.dmp

Filesize
584KB

Download
memory/3568-2-0x00000000058E0000-0x000000000597C000-memory.dmp

Filesize
624KB

Download
memory/3568-3-0x0000000005F30000-0x00000000064D6000-memory.dmp

Filesize
5.6MB

Download
memory/3568-8-0x0000000007210000-0x0000000007288000-memory.dmp

Filesize
480KB

Download
memory/3568-7-0x0000000075240000-0x00000000759F1000-memory.dmp

Filesize
7.7MB

Download
memory/3568-6-0x0000000005B70000-0x0000000005BC6000-memory.dmp

Filesize
344KB

Download
memory/3568-5-0x00000000058D0000-0x00000000058DA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing