dd792996cc7a4240cbf2a275344a13a393d304736034fb09fe280372e34a107c

General

Target

dd792996cc7a4240cbf2a275344a13a393d304736034fb09fe280372e34a107c.exe
Size

3.6MB
MD5

89ba5e9d24155628896c522b926506d1
SHA1

b87e119f7bd9e421b8fa7c3666ae0921287231fb
SHA256

dd792996cc7a4240cbf2a275344a13a393d304736034fb09fe280372e34a107c
SHA512

6c023b78473e0689690825d3a50eb96aded1307a66e2082c127000574d8819642ba927763016b38b9a3cb5a6e6c27c2abe8205a742db20d6ab8e2ac833a28361
SSDEEP

98304:0rhw8VTDKJjizmvxgWHAfbCai0bZG5h3N10zpKVraQ:0lwceizmvxgWHAfg

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2896	powershell.exe
2644	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2696	loader.exe
1564	Xeno.exe

Loads dropped DLL 6 IoCs

pid	Process
2748	dd792996cc7a4240cbf2a275344a13a393d304736034fb09fe280372e34a107c.exe
2748	dd792996cc7a4240cbf2a275344a13a393d304736034fb09fe280372e34a107c.exe
2080	Process not Found
2696	loader.exe
2696	loader.exe
2696	loader.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
2	raw.githubusercontent.com

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2896	powershell.exe
2644	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2848	2748	dd792996cc7a4240cbf2a275344a13a393d304736034fb09fe280372e34a107c.exe	31
PID 2748 wrote to memory of 2848	2748	dd792996cc7a4240cbf2a275344a13a393d304736034fb09fe280372e34a107c.exe	31
PID 2748 wrote to memory of 2848	2748	dd792996cc7a4240cbf2a275344a13a393d304736034fb09fe280372e34a107c.exe	31
PID 2848 wrote to memory of 2896	2848	cmd.exe	32
PID 2848 wrote to memory of 2896	2848	cmd.exe	32
PID 2848 wrote to memory of 2896	2848	cmd.exe	32
PID 2748 wrote to memory of 2932	2748	dd792996cc7a4240cbf2a275344a13a393d304736034fb09fe280372e34a107c.exe	33
PID 2748 wrote to memory of 2932	2748	dd792996cc7a4240cbf2a275344a13a393d304736034fb09fe280372e34a107c.exe	33
PID 2748 wrote to memory of 2932	2748	dd792996cc7a4240cbf2a275344a13a393d304736034fb09fe280372e34a107c.exe	33
PID 2932 wrote to memory of 2644	2932	cmd.exe	34
PID 2932 wrote to memory of 2644	2932	cmd.exe	34
PID 2932 wrote to memory of 2644	2932	cmd.exe	34
PID 2748 wrote to memory of 2696	2748	dd792996cc7a4240cbf2a275344a13a393d304736034fb09fe280372e34a107c.exe	35
PID 2748 wrote to memory of 2696	2748	dd792996cc7a4240cbf2a275344a13a393d304736034fb09fe280372e34a107c.exe	35
PID 2748 wrote to memory of 2696	2748	dd792996cc7a4240cbf2a275344a13a393d304736034fb09fe280372e34a107c.exe	35
PID 2748 wrote to memory of 1564	2748	dd792996cc7a4240cbf2a275344a13a393d304736034fb09fe280372e34a107c.exe	37
PID 2748 wrote to memory of 1564	2748	dd792996cc7a4240cbf2a275344a13a393d304736034fb09fe280372e34a107c.exe	37
PID 2748 wrote to memory of 1564	2748	dd792996cc7a4240cbf2a275344a13a393d304736034fb09fe280372e34a107c.exe	37

C:\Users\Admin\AppData\Local\Temp\dd792996cc7a4240cbf2a275344a13a393d304736034fb09fe280372e34a107c.exe
"C:\Users\Admin\AppData\Local\Temp\dd792996cc7a4240cbf2a275344a13a393d304736034fb09fe280372e34a107c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\main'
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\main'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'C:\Programdata'
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Programdata'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- C:\ProgramData\Tempsphere\loader.exe
  "C:\ProgramData\Tempsphere\loader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\Xeno.exe
  "C:\Users\Admin\AppData\Local\Temp\Xeno.exe"
  2⤵
  - Executes dropped EXE
  PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Tempsphere\VCRUNTIME140.dll

Filesize
86KB

MD5
c2bbcb5aae069c22711d8e49d6107401

SHA1
475944ffa91d04fc2ef99de22755e46c09b66ac5

SHA256
62713886db7fd51b3a1fdcf3a72596b85922fc86fc2128dd72b0ed6fcc8315ab

SHA512
15ba28f3ea593c002197c3bac2523d2f7869945364b135995e53620dd85e99e480a10d74cdce4422304db3fb1d02d2e1903c78ecf6c6cb47afe6a10857493c30

Download Submit
C:\ProgramData\Tempsphere\libcurl.dll

Filesize
577KB

MD5
c82ec4147225a3265c65feb328b05e72

SHA1
3e4c30fce1f858ed7656ac46ef878733bb9ad9f1

SHA256
18ced2beab443eb8a57ef2bb04df34100e32deb34049ddd82ee9cc329a22fa7f

SHA512
4b1d6c431ac70236b7b5e742d89edc57efbaf61b209f7d813ae546602b98a58258218ef51dda16638cf3b19721dd27a9d6c02943bd6984db18c043efffac628d

Download Submit
C:\ProgramData\Tempsphere\zlib1.dll

Filesize
87KB

MD5
e3181ce9d8e7fe239d612869d4e4afc3

SHA1
1c1057d6442da09059dd1741d3a595ebd577a140

SHA256
88e31462b7d6cc43970a849c0e42205ab398a75bf4c6e78209af3dcf1ab2fe01

SHA512
daeca18827df5145e20f826bdb0177934205ed4811a2b9a0288b395219196576d2d98f90bfe97c6593ae346cc86919988e6309d1fd88d8f117a6d280c2f04807

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f9fe0186fdf05c095cc09f2e38ac2dc0

SHA1
414da5451de44c69065b7ca4c98449d2e88b861d

SHA256
03233860f164f3b5729e65eb55b98db2a294281b136b84a722e6c528a4e00eb6

SHA512
76e54582abab9c6810c232ba9c1fd88790d2ca45658d807e3a1095bbc124e5197cf20f95ad5f8269bfd619e13dbc6633f977094319ba729915e68ec0951c5719

Download Submit
\ProgramData\Tempsphere\loader.exe

Filesize
214KB

MD5
92b4183563b3b9d42009806a79100396

SHA1
6882722eda6cb8c0255595488936dfdedc53f787

SHA256
958686bc633c06538ab233791ed5fd9dc45d7d3de6739487f1cb4acec950d460

SHA512
fd61c9bed17020f9326d32be99d8c143b2cac264f75e1031e93ce5d691bf1fb4c1c87e60127081b86b542fbd8768f4859baaf4ede6337e2dca9e0fc75840f7d0

Download Submit
\Users\Admin\AppData\Local\Temp\Xeno.exe

Filesize
140KB

MD5
f0d6a8ef8299c5f15732a011d90b0be1

SHA1
5d2e6cc0bd4f1e810808f2a284f6c2a30b21edcf

SHA256
326bae0bd1398234dcef4c3d71f00e30cc9b447fa963e21d6f29605f42bb7e5b

SHA512
5b9f1517949a7fa9fdb7413146632d21a4208dc92823b673af85963ae5cc7f827b3ba27f3e9c5554c45e726ad159aac77d30306acc3559bd8712534e41ff0f27

Download Submit
memory/2644-19-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download
memory/2644-18-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download
memory/2748-40-0x000000013FD40000-0x000000013FF20000-memory.dmp

Filesize
1.9MB

Download
memory/2896-8-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

Filesize
9.6MB

Download
memory/2896-12-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

Filesize
9.6MB

Download
memory/2896-11-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

Filesize
9.6MB

Download
memory/2896-10-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

Filesize
9.6MB

Download
memory/2896-9-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

Filesize
9.6MB

Download
memory/2896-4-0x000007FEF626E000-0x000007FEF626F000-memory.dmp

Filesize
4KB

Download
memory/2896-7-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

Filesize
9.6MB

Download
memory/2896-6-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/2896-5-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing