146cf4871e59eda2f3760af9b31a18021039e1505064fb89412a16cec412236d

General

Target

146cf4871e59eda2f3760af9b31a18021039e1505064fb89412a16cec412236d.exe
Size

192KB
MD5

254f08572f194f153b9edc9e45a9cb02
SHA1

42adeec00d68b7510f6122bd39363a2dc90703bb
SHA256

146cf4871e59eda2f3760af9b31a18021039e1505064fb89412a16cec412236d
SHA512

93b21a0669b3d015b82b9eaaff6d17a46ceb316e8632ef160fe05d335a69bec53ee44cf12745952bae9e8da6c6f5e84d61670d932931edab3e5aa9ea6f86b7e8
SSDEEP

3072:g58A2cm6J/1NfBjGecJOeYq40FXXWnEFsTsuZfI:gKBqR7cJOYdLFswuZg

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

mtmfvl.exe

pid process

1672 mtmfvl.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2032 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2032 cmd.exe
2032 cmd.exe

pid	process
1672	mtmfvl.exe

pid	process
2032	cmd.exe

pid	process
2032	cmd.exe
2032	cmd.exe

Modifies registry class 7 IoCs

Processes:

mtmfvl.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\gzqej	mtmfvl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\gzqej	mtmfvl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	mtmfvl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	mtmfvl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	mtmfvl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\gzqej\\command	mtmfvl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	mtmfvl.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1480 PING.EXE

pid	process
1480	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

146cf4871e59eda2f3760af9b31a18021039e1505064fb89412a16cec412236d.execmd.exe

description	pid	process	target process
PID 1088 wrote to memory of 2032	1088	146cf4871e59eda2f3760af9b31a18021039e1505064fb89412a16cec412236d.exe	cmd.exe
PID 1088 wrote to memory of 2032	1088	146cf4871e59eda2f3760af9b31a18021039e1505064fb89412a16cec412236d.exe	cmd.exe
PID 1088 wrote to memory of 2032	1088	146cf4871e59eda2f3760af9b31a18021039e1505064fb89412a16cec412236d.exe	cmd.exe
PID 1088 wrote to memory of 2032	1088	146cf4871e59eda2f3760af9b31a18021039e1505064fb89412a16cec412236d.exe	cmd.exe
PID 2032 wrote to memory of 1672	2032	cmd.exe	mtmfvl.exe
PID 2032 wrote to memory of 1672	2032	cmd.exe	mtmfvl.exe
PID 2032 wrote to memory of 1672	2032	cmd.exe	mtmfvl.exe
PID 2032 wrote to memory of 1672	2032	cmd.exe	mtmfvl.exe
PID 2032 wrote to memory of 1480	2032	cmd.exe	PING.EXE
PID 2032 wrote to memory of 1480	2032	cmd.exe	PING.EXE
PID 2032 wrote to memory of 1480	2032	cmd.exe	PING.EXE
PID 2032 wrote to memory of 1480	2032	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\146cf4871e59eda2f3760af9b31a18021039e1505064fb89412a16cec412236d.exe
"C:\Users\Admin\AppData\Local\Temp\146cf4871e59eda2f3760af9b31a18021039e1505064fb89412a16cec412236d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\aecjbev.bat
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\mtmfvl.exe
"C:\Users\Admin\AppData\Local\Temp\mtmfvl.exe"
3⤵
- Executes dropped EXE
- Modifies registry class
PID:1672

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aecjbev.bat

Filesize
124B

MD5
e46cc624418881deae8dd991cf7554ac

SHA1
2c83bdcdf55462c5a57d331de17382c98fcd8bf3

SHA256
704facdbfaec6e393e9f5d8b3e1e7d90294b7b1302f063b0b29126d2a08b9465

SHA512
9adff8c3e9274ba44a8748d607d4f0ae8edb65dd0d3acacd16741ae8236d73a7bcfe7662ed12072f05a3c8da39418c432742586a6acc58f195e761cc7695c500

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtzxfx.bat

Filesize
188B

MD5
000dcac74abc27d9c3217573bed1dad7

SHA1
2b3b9d0d637ccaf1df48a4ef9312561f82167388

SHA256
5d39942b216b3a018151e483febbb902bc325ef4e323c01c995a0241df0fa6e2

SHA512
fdcbdfb07d408ae3402313633821c9b2fa3218e39ab3559516f3651f43eb34d642302503014f303089783b376ee304ef65e133761a7ed9b9fd8c985975789277

Download Submit
C:\Users\Admin\AppData\Local\Temp\mtmfvl.exe

Filesize
144KB

MD5
12c1a85723f2e97f94e84942a7f7563a

SHA1
2a19b33db0f04e70dc1f346a5d74fb46e8099414

SHA256
20f05563ee39d0032de1ad5e28037b2bef4c8a256d008be4920446ea9f2bdaa3

SHA512
718b3b89837c4c2f1ee5356f335e31d67500e6bea5f6b06bd530bf373e52fd75ca2da60863e0988e3edb36aa60a48680f6a4598195b881c3b4e7db084c6579de

Download Submit
C:\Users\Admin\AppData\Local\Temp\mtmfvl.exe

Filesize
144KB

MD5
12c1a85723f2e97f94e84942a7f7563a

SHA1
2a19b33db0f04e70dc1f346a5d74fb46e8099414

SHA256
20f05563ee39d0032de1ad5e28037b2bef4c8a256d008be4920446ea9f2bdaa3

SHA512
718b3b89837c4c2f1ee5356f335e31d67500e6bea5f6b06bd530bf373e52fd75ca2da60863e0988e3edb36aa60a48680f6a4598195b881c3b4e7db084c6579de

Download Submit
\Users\Admin\AppData\Local\Temp\mtmfvl.exe

Filesize
144KB

MD5
12c1a85723f2e97f94e84942a7f7563a

SHA1
2a19b33db0f04e70dc1f346a5d74fb46e8099414

SHA256
20f05563ee39d0032de1ad5e28037b2bef4c8a256d008be4920446ea9f2bdaa3

SHA512
718b3b89837c4c2f1ee5356f335e31d67500e6bea5f6b06bd530bf373e52fd75ca2da60863e0988e3edb36aa60a48680f6a4598195b881c3b4e7db084c6579de

Download Submit
\Users\Admin\AppData\Local\Temp\mtmfvl.exe

Filesize
144KB

MD5
12c1a85723f2e97f94e84942a7f7563a

SHA1
2a19b33db0f04e70dc1f346a5d74fb46e8099414

SHA256
20f05563ee39d0032de1ad5e28037b2bef4c8a256d008be4920446ea9f2bdaa3

SHA512
718b3b89837c4c2f1ee5356f335e31d67500e6bea5f6b06bd530bf373e52fd75ca2da60863e0988e3edb36aa60a48680f6a4598195b881c3b4e7db084c6579de

Download Submit
memory/1088-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1480-63-0x0000000000000000-mapping.dmp

Download
memory/1672-61-0x0000000000000000-mapping.dmp

Download
memory/2032-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing