246d03f418d4eb9a19ead89eb7816714b6a69f920cfeea3d3d17c971ba4c6823

General

Target

246d03f418d4eb9a19ead89eb7816714b6a69f920cfeea3d3d17c971ba4c6823.exe
Size

121KB
MD5

5dce69c450262d7a5d48cdc8fccad2d7
SHA1

11cd8fa07e2314287099aaf4fbedb5dcc1fcf62a
SHA256

246d03f418d4eb9a19ead89eb7816714b6a69f920cfeea3d3d17c971ba4c6823
SHA512

7f5c2f5e6a02990adf6d638a8368f07a2f949dfedd7197e342c7467cc0ff4af5480ba2585060986f65e3f62efcdb80c037b89815db095326890269ef31db836a
SSDEEP

3072:MV3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnPJR:ht5hBPi0BW69hd1MMdxPe9N9uA069TBb

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3032	powershell.exe
2616	powershell.exe
1864	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2864	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3032	powershell.exe
2616	powershell.exe
1864	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2840	2720	246d03f418d4eb9a19ead89eb7816714b6a69f920cfeea3d3d17c971ba4c6823.exe	31
PID 2720 wrote to memory of 2840	2720	246d03f418d4eb9a19ead89eb7816714b6a69f920cfeea3d3d17c971ba4c6823.exe	31
PID 2720 wrote to memory of 2840	2720	246d03f418d4eb9a19ead89eb7816714b6a69f920cfeea3d3d17c971ba4c6823.exe	31
PID 2840 wrote to memory of 2676	2840	cmd.exe	33
PID 2840 wrote to memory of 2676	2840	cmd.exe	33
PID 2840 wrote to memory of 2676	2840	cmd.exe	33
PID 2840 wrote to memory of 3032	2840	cmd.exe	34
PID 2840 wrote to memory of 3032	2840	cmd.exe	34
PID 2840 wrote to memory of 3032	2840	cmd.exe	34
PID 2840 wrote to memory of 2616	2840	cmd.exe	35
PID 2840 wrote to memory of 2616	2840	cmd.exe	35
PID 2840 wrote to memory of 2616	2840	cmd.exe	35
PID 2840 wrote to memory of 1864	2840	cmd.exe	36
PID 2840 wrote to memory of 1864	2840	cmd.exe	36
PID 2840 wrote to memory of 1864	2840	cmd.exe	36
PID 2840 wrote to memory of 2864	2840	cmd.exe	37
PID 2840 wrote to memory of 2864	2840	cmd.exe	37
PID 2840 wrote to memory of 2864	2840	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\246d03f418d4eb9a19ead89eb7816714b6a69f920cfeea3d3d17c971ba4c6823.exe
"C:\Users\Admin\AppData\Local\Temp\246d03f418d4eb9a19ead89eb7816714b6a69f920cfeea3d3d17c971ba4c6823.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F27A.tmp\F27B.tmp\F28B.bat C:\Users\Admin\AppData\Local\Temp\246d03f418d4eb9a19ead89eb7816714b6a69f920cfeea3d3d17c971ba4c6823.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    3⤵
    PID:2676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -ExclusionExtension '.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -ExclusionExtension '.bat'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Victalis\Links'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
- - C:\Windows\system32\timeout.exe
    timeout /t 3
    3⤵
    - Delays execution with timeout.exe
    PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F27A.tmp\F27B.tmp\F28B.bat

Filesize
1KB

MD5
793c56b68060857e19833f659215179a

SHA1
2daea30fdb072ed77572ef5255095f649441c467

SHA256
974c3b25c20b04c6c9c64e63c133b3263f275533bac599f56a4f60519f233716

SHA512
508c792fbbe2207d008cebd370c96d223e3cef3cbd5e7a89e4bcfaf94b3d94772b1f4729291a7ae99e473304e7bd175fc549eb4891f4eedd78740ab982b72aea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
56780ce424c19a5d05454a8b755291e5

SHA1
f94afc6d24f440a8a6a1a5e93c3a689b21b758b7

SHA256
66dfa9ab2719f2166fec31992984b23482a52797e14e69026a696e6b534c106c

SHA512
1f251a817cff0f2c8bfcae81023ac907760761c2a36d37c792567b3519924bd2346667e264eade7ec957cd5d78aa61a3e9da83effb8f92f99511581e06f008ba

Download Submit
memory/2616-19-0x000000001B830000-0x000000001BB12000-memory.dmp

Filesize
2.9MB

Download
memory/2616-20-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/3032-6-0x000007FEF5EBE000-0x000007FEF5EBF000-memory.dmp

Filesize
4KB

Download
memory/3032-8-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/3032-7-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/3032-9-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

Filesize
9.6MB

Download
memory/3032-10-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

Filesize
9.6MB

Download
memory/3032-11-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

Filesize
9.6MB

Download
memory/3032-12-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

Filesize
9.6MB

Download
memory/3032-13-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing