7cb43cc684dd0cd6e18f191e0bfc1062e4dac20902eeec6139f1b78861dddf71

General

Target

tmp.exe
Size

1.9MB
MD5

8ec99bfc1750be998e84924b67de36cd
SHA1

1b0c3c70aa62611e62c8fb4cab1c833dee09d828
SHA256

7cb43cc684dd0cd6e18f191e0bfc1062e4dac20902eeec6139f1b78861dddf71
SHA512

0d1be04f5f7f2a9ca5083617c5432b2fa23d11ba2202f12a080ba5ce6ee64fbfec51c0336b75b5a7551c390a23ab7354b3247f8583ab5111e0351ae4005f81ed
SSDEEP

49152:RXXNgaNdXoar7Ai3RKddNayQ+S+NhpwKjLT9IkvN+UWTL0rlcTKkQf3mG8f:BNdXoarl3MhayQ+S+NhpwKjLT9IaNysK

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1688	dztxvrz.exe
676	dztxvrz.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	tmp.exe
File opened (read-only)	\??\S:	tmp.exe
File opened (read-only)	\??\V:	tmp.exe
File opened (read-only)	\??\Z:	tmp.exe
File opened (read-only)	\??\E:	tmp.exe
File opened (read-only)	\??\N:	tmp.exe
File opened (read-only)	\??\U:	tmp.exe
File opened (read-only)	\??\G:	tmp.exe
File opened (read-only)	\??\H:	tmp.exe
File opened (read-only)	\??\L:	tmp.exe
File opened (read-only)	\??\M:	tmp.exe
File opened (read-only)	\??\P:	tmp.exe
File opened (read-only)	\??\Q:	tmp.exe
File opened (read-only)	\??\W:	tmp.exe
File opened (read-only)	\??\X:	tmp.exe
File opened (read-only)	\??\B:	tmp.exe
File opened (read-only)	\??\Y:	tmp.exe
File opened (read-only)	\??\I:	tmp.exe
File opened (read-only)	\??\K:	tmp.exe
File opened (read-only)	\??\O:	tmp.exe
File opened (read-only)	\??\R:	tmp.exe
File opened (read-only)	\??\T:	tmp.exe
File opened (read-only)	\??\F:	tmp.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dztxvrz.exe	tmp.exe
File opened for modification	C:\Windows\SysWOW64\dztxvrz.exe	tmp.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	tmp.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1696	tmp.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1696	tmp.exe
1688	dztxvrz.exe
676	dztxvrz.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 676	1688	dztxvrz.exe	28
PID 1688 wrote to memory of 676	1688	dztxvrz.exe	28
PID 1688 wrote to memory of 676	1688	dztxvrz.exe	28
PID 1688 wrote to memory of 676	1688	dztxvrz.exe	28

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1696

C:\Windows\SysWOW64\dztxvrz.exe
C:\Windows\SysWOW64\dztxvrz.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\dztxvrz.exe
  C:\Windows\SysWOW64\dztxvrz.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\pass.txt

Filesize
8B

MD5
71d864b6b132a9235400af39917131b3

SHA1
b79d02acde8be0d57bedef9bd3edeab0a5a066f3

SHA256
f4392ea35b8bafc5813b48055be473c4eceb72f11936a67a92cd9086efc2492e

SHA512
f331a1c933e016667682d3339784e57f4518305954a7e02643b4deab5ff8ded663232f38190d535457f4351d506f642cea961ea09dc3182c7917f8e483dbd0d3

Download Submit
C:\Users\Public\Documents\pass.txt

Filesize
8B

MD5
71d864b6b132a9235400af39917131b3

SHA1
b79d02acde8be0d57bedef9bd3edeab0a5a066f3

SHA256
f4392ea35b8bafc5813b48055be473c4eceb72f11936a67a92cd9086efc2492e

SHA512
f331a1c933e016667682d3339784e57f4518305954a7e02643b4deab5ff8ded663232f38190d535457f4351d506f642cea961ea09dc3182c7917f8e483dbd0d3

Download Submit
C:\Windows\SysWOW64\dztxvrz.exe

Filesize
1.9MB

MD5
8ec99bfc1750be998e84924b67de36cd

SHA1
1b0c3c70aa62611e62c8fb4cab1c833dee09d828

SHA256
7cb43cc684dd0cd6e18f191e0bfc1062e4dac20902eeec6139f1b78861dddf71

SHA512
0d1be04f5f7f2a9ca5083617c5432b2fa23d11ba2202f12a080ba5ce6ee64fbfec51c0336b75b5a7551c390a23ab7354b3247f8583ab5111e0351ae4005f81ed

Download Submit
C:\Windows\SysWOW64\dztxvrz.exe

Filesize
1.9MB

MD5
8ec99bfc1750be998e84924b67de36cd

SHA1
1b0c3c70aa62611e62c8fb4cab1c833dee09d828

SHA256
7cb43cc684dd0cd6e18f191e0bfc1062e4dac20902eeec6139f1b78861dddf71

SHA512
0d1be04f5f7f2a9ca5083617c5432b2fa23d11ba2202f12a080ba5ce6ee64fbfec51c0336b75b5a7551c390a23ab7354b3247f8583ab5111e0351ae4005f81ed

Download Submit
C:\Windows\SysWOW64\dztxvrz.exe

Filesize
1.9MB

MD5
8ec99bfc1750be998e84924b67de36cd

SHA1
1b0c3c70aa62611e62c8fb4cab1c833dee09d828

SHA256
7cb43cc684dd0cd6e18f191e0bfc1062e4dac20902eeec6139f1b78861dddf71

SHA512
0d1be04f5f7f2a9ca5083617c5432b2fa23d11ba2202f12a080ba5ce6ee64fbfec51c0336b75b5a7551c390a23ab7354b3247f8583ab5111e0351ae4005f81ed

Download Submit
memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1696-55-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads