c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339

Analysis

max time kernel
123s
max time network
126s
platform
windows7_x64
resource
win7-en-20211014
submitted
21-10-2021 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe
Size

19.5MB
MD5

6374c01ed81cea712fe61d0774521ac3
SHA1

6a2957d427b9ca85f58266564951e6e56da89566
SHA256

c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339
SHA512

4a85f10a54a8721d09e2ba9171882c53b83bdb9c87ad3ec84877f7a34d6007b6d12cfe0d9a8b48d41ac9054a3d78781a4fd299def96ff0927917b4d5c4bcab83

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
10	1720	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp
1560	opera.exe

Loads dropped DLL 3 IoCs

pid	Process
1336	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe
876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp
1560	opera.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	mountvol.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1560	opera.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 876	1336	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe	27
PID 1336 wrote to memory of 876	1336	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe	27
PID 1336 wrote to memory of 876	1336	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe	27
PID 1336 wrote to memory of 876	1336	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe	27
PID 1336 wrote to memory of 876	1336	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe	27
PID 1336 wrote to memory of 876	1336	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe	27
PID 1336 wrote to memory of 876	1336	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe	27
PID 876 wrote to memory of 1048	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	28
PID 876 wrote to memory of 1048	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	28
PID 876 wrote to memory of 1048	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	28
PID 876 wrote to memory of 1048	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	28
PID 876 wrote to memory of 268	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	32
PID 876 wrote to memory of 268	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	32
PID 876 wrote to memory of 268	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	32
PID 876 wrote to memory of 268	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	32
PID 876 wrote to memory of 1240	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	29
PID 876 wrote to memory of 1240	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	29
PID 876 wrote to memory of 1240	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	29
PID 876 wrote to memory of 1240	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	29
PID 1240 wrote to memory of 1480	1240	cmd.exe	34
PID 1240 wrote to memory of 1480	1240	cmd.exe	34
PID 1240 wrote to memory of 1480	1240	cmd.exe	34
PID 1240 wrote to memory of 1480	1240	cmd.exe	34
PID 1048 wrote to memory of 1472	1048	cmd.exe	35
PID 1048 wrote to memory of 1472	1048	cmd.exe	35
PID 1048 wrote to memory of 1472	1048	cmd.exe	35
PID 1048 wrote to memory of 1472	1048	cmd.exe	35
PID 876 wrote to memory of 924	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	36
PID 876 wrote to memory of 924	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	36
PID 876 wrote to memory of 924	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	36
PID 876 wrote to memory of 924	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	36
PID 876 wrote to memory of 1592	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	43
PID 876 wrote to memory of 1592	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	43
PID 876 wrote to memory of 1592	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	43
PID 876 wrote to memory of 1592	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	43
PID 876 wrote to memory of 432	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	41
PID 876 wrote to memory of 432	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	41
PID 876 wrote to memory of 432	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	41
PID 876 wrote to memory of 432	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	41
PID 876 wrote to memory of 740	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	38
PID 876 wrote to memory of 740	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	38
PID 876 wrote to memory of 740	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	38
PID 876 wrote to memory of 740	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	38
PID 876 wrote to memory of 1560	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	44
PID 876 wrote to memory of 1560	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	44
PID 876 wrote to memory of 1560	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	44
PID 876 wrote to memory of 1560	876	c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp	44
PID 1560 wrote to memory of 1720	1560	opera.exe	45
PID 1560 wrote to memory of 1720	1560	opera.exe	45
PID 1560 wrote to memory of 1720	1560	opera.exe	45
PID 1560 wrote to memory of 1720	1560	opera.exe	45
PID 1560 wrote to memory of 1720	1560	opera.exe	45
PID 1560 wrote to memory of 1720	1560	opera.exe	45
PID 1560 wrote to memory of 1720	1560	opera.exe	45
PID 1560 wrote to memory of 1720	1560	opera.exe	45
PID 1560 wrote to memory of 1720	1560	opera.exe	45
PID 1560 wrote to memory of 1720	1560	opera.exe	45
PID 1560 wrote to memory of 1720	1560	opera.exe	45
PID 1560 wrote to memory of 1720	1560	opera.exe	45
PID 1560 wrote to memory of 1720	1560	opera.exe	45
PID 1560 wrote to memory of 1720	1560	opera.exe	45
PID 1560 wrote to memory of 1720	1560	opera.exe	45
PID 1560 wrote to memory of 1720	1560	opera.exe	45
PID 1560 wrote to memory of 1720	1560	opera.exe	45

C:\Users\Admin\AppData\Local\Temp\c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe
"C:\Users\Admin\AppData\Local\Temp\c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Users\Admin\AppData\Local\Temp\is-816R8.tmp\c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-816R8.tmp\c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.tmp" /SL5="$30158,19610817,831488,C:\Users\Admin\AppData\Local\Temp\c183d00cdf9f69f815e28277f5aed7503c41c6c77d8351fd1cd38d3f3144d339.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C mountvol P: /D
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\SysWOW64\mountvol.exe
      mountvol P: /D
      4⤵
      Enumerates connected drives
      PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C setx /m PATH "%PATH%C:\Users\Admin\AppData\Local\Temp\is-KKQP8.tmp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Windows\SysWOW64\setx.exe
      setx /m PATH "C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Users\Admin\AppData\Local\Temp\is-KKQP8.tmp"
      4⤵
      PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C bcdedit /set {bootmgr} path \EFI\Boot\bareflank.efi
    3⤵
    PID:268
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-KKQP8.tmp\devcon.exe" remove "ROOT\bareflank""
    3⤵
    PID:924
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-KKQP8.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-KKQP8.tmp\bfbuilder.inf" "ROOT\bfbuilder""
    3⤵
    PID:740
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-KKQP8.tmp\devcon.exe" remove "ROOT\bfbuilder""
    3⤵
    PID:432
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-KKQP8.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-KKQP8.tmp\bareflank.inf" "ROOT\bareflank""
    3⤵
    PID:1592
- - C:\Users\Admin\AppData\Roaming\opera.exe
    "C:\Users\Admin\AppData\Roaming\opera.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Blocklisted process makes network request
      PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/876-62-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1336-54-0x0000000075B71000-0x0000000075B73000-memory.dmp

Filesize
8KB

Download
memory/1336-57-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1560-79-0x0000000000521000-0x000000000052B000-memory.dmp

Filesize
40KB

Download
memory/1720-83-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/1720-84-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download