e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2

General

Target

e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe
Size

1.3MB
MD5

e94789d1b75d6520283673c75aabddb2
SHA1

6b34ff2a184980cd36ed962b24610201ce2e9708
SHA256

e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2
SHA512

b48f690de562ba2115de6b38868aaece4ccf9b9fdd2934120d5211bdc969291d38e5bbdb0817d8a579853d05feac7096119f27fd297044ab3a9fc83f0f77e6de

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

downloader.exe

pid process

2752 downloader.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4160 systeminfo.exe

pid	process
2752	downloader.exe

pid	process
4160	systeminfo.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exedownloader.execmd.exe

description	pid	process	target process
PID 3244 wrote to memory of 2752	3244	e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe	downloader.exe
PID 3244 wrote to memory of 2752	3244	e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe	downloader.exe
PID 3244 wrote to memory of 2752	3244	e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe	downloader.exe
PID 2752 wrote to memory of 3412	2752	downloader.exe	cmd.exe
PID 2752 wrote to memory of 3412	2752	downloader.exe	cmd.exe
PID 2752 wrote to memory of 3412	2752	downloader.exe	cmd.exe
PID 3412 wrote to memory of 4160	3412	cmd.exe	systeminfo.exe
PID 3412 wrote to memory of 4160	3412	cmd.exe	systeminfo.exe
PID 3412 wrote to memory of 4160	3412	cmd.exe	systeminfo.exe
PID 3412 wrote to memory of 4172	3412	cmd.exe	findstr.exe
PID 3412 wrote to memory of 4172	3412	cmd.exe	findstr.exe
PID 3412 wrote to memory of 4172	3412	cmd.exe	findstr.exe

C:\Users\Admin\AppData\Local\Temp\e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe
"C:\Users\Admin\AppData\Local\Temp\e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3244

C:\Users\Admin\AppData\Local\Temp\7zS82E.tmp\downloader.exe
.\downloader.exe %%S
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\findstr.exe
findstr /c:"Model:" /c:"Host Name" /c:"OS Name"
1⤵
PID:4172

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
1⤵
- Gathers system information
PID:4160

C:\Windows\SysWOW64\cmd.exe
/k systeminfo | findstr /c:"Model:" /c:"Host Name" /c:"OS Name"
1⤵
- Suspicious use of WriteProcessMemory
PID:3412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS82E.tmp\downloader.exe
Filesize
80KB

MD5
643e7f332dd244b700f1b64ce7111845

SHA1
3dd18032ba2229fcf1256545c6e5bfc0b7c1d5eb

SHA256
82212db014f6074d17a55291e5913fb8229b4d0aca56e99a2dc8aab1772d4c42

SHA512
3735183f72e40fd7ca066c64000f379be30183e3a5a0ad0850ba17267b8aa931c0dc5e291612628469e0219d1cf5536b5c059601674d89d177efcde211b6182c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS82E.tmp\downloader.exe
Filesize
88KB

MD5
a070a8c095ddb751173ae73cb1cb6b23

SHA1
2c0fbb5aabd51332f8c7c89369558f69978cf0e4

SHA256
715f1ffeab188b6f6e0fc0f857b3a4dbff3752a2b3cb04a6721b8c2b188b9840

SHA512
9a8e47740cb68112628f49dbdb7ccdb131717ff5e41b3b19a205565889e22e83d8e1ce2f5c6b8ae9bd088b08b0bbc23ec3c39d05a1ffebbffcdfdaa658e03b08

Download Submit
memory/2752-130-0x0000000000000000-mapping.dmp

Download
memory/3412-133-0x0000000000000000-mapping.dmp

Download
memory/4160-134-0x0000000000000000-mapping.dmp

Download
memory/4172-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing