a59b0fc794a2c4a56a989a5077e6fab8c213dedc5ba0deed812b905a1a8c43d7

General

Target

a59b0fc794a2c4a56a989a5077e6fab8c213dedc5ba0deed812b905a1a8c43d7.exe
Size

272KB
MD5

2e412948e8541cb02991b004e3e0acd2
SHA1

141b34b508f2a4eda9b0aa286cba5c0ad22b3f36
SHA256

a59b0fc794a2c4a56a989a5077e6fab8c213dedc5ba0deed812b905a1a8c43d7
SHA512

49e89f629528f9c2ebe9f58fb2c9972fa4dfb7914bf49a214fb9bb7e18dc7f0cb5f2bdcde2c04613fcf5332b9fbcb2621e2c6f6cbae319abd1200d957f6982fb
SSDEEP

3072:pAZcT58MuJroX3fOcvoCqJ1vyidZxvltCxPt7yPkTsuZfI:pAZE589c9qzvy2TloDuPkwuZg

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

thknzb.exe

pid process

520 thknzb.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1120 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1120 cmd.exe
1120 cmd.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1876 PING.EXE

pid	process
520	thknzb.exe

pid	process
1120	cmd.exe

pid	process
1120	cmd.exe
1120	cmd.exe

pid	process
1876	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a59b0fc794a2c4a56a989a5077e6fab8c213dedc5ba0deed812b905a1a8c43d7.execmd.exe

description	pid	process	target process
PID 1480 wrote to memory of 1120	1480	a59b0fc794a2c4a56a989a5077e6fab8c213dedc5ba0deed812b905a1a8c43d7.exe	cmd.exe
PID 1480 wrote to memory of 1120	1480	a59b0fc794a2c4a56a989a5077e6fab8c213dedc5ba0deed812b905a1a8c43d7.exe	cmd.exe
PID 1480 wrote to memory of 1120	1480	a59b0fc794a2c4a56a989a5077e6fab8c213dedc5ba0deed812b905a1a8c43d7.exe	cmd.exe
PID 1480 wrote to memory of 1120	1480	a59b0fc794a2c4a56a989a5077e6fab8c213dedc5ba0deed812b905a1a8c43d7.exe	cmd.exe
PID 1120 wrote to memory of 520	1120	cmd.exe	thknzb.exe
PID 1120 wrote to memory of 520	1120	cmd.exe	thknzb.exe
PID 1120 wrote to memory of 520	1120	cmd.exe	thknzb.exe
PID 1120 wrote to memory of 520	1120	cmd.exe	thknzb.exe
PID 1120 wrote to memory of 1876	1120	cmd.exe	PING.EXE
PID 1120 wrote to memory of 1876	1120	cmd.exe	PING.EXE
PID 1120 wrote to memory of 1876	1120	cmd.exe	PING.EXE
PID 1120 wrote to memory of 1876	1120	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\a59b0fc794a2c4a56a989a5077e6fab8c213dedc5ba0deed812b905a1a8c43d7.exe
"C:\Users\Admin\AppData\Local\Temp\a59b0fc794a2c4a56a989a5077e6fab8c213dedc5ba0deed812b905a1a8c43d7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\xunksyx.bat
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Local\Temp\thknzb.exe
"C:\Users\Admin\AppData\Local\Temp\thknzb.exe"
3⤵
- Executes dropped EXE
PID:520

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1876

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qbdnjc.bat
Filesize
188B

MD5
02962560814d1bfed1f9c41d29f18dd5

SHA1
fa5c4ecb007212c0528b22f0189f1424a38bce32

SHA256
7765207c6e4a52bdcafb81dcca19f370e1f593d5e2c77c0f680b36ceb86e5c83

SHA512
2d6374bd757da8342d684c3c66e5b1b6807c47eb37108d6c9a56a59d28da968829819f7d5cacd88dea650de2358082ab749d3a8ea357304e965668ef555d92f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\thknzb.exe
Filesize
172KB

MD5
c5c5bbb2cc4df671e3acd717c7c01582

SHA1
48d5743616648c3b51004737a5d406b30095e5b8

SHA256
8940449b380e0888ca3a404b2508d810d162fb4d5769b92f723396893662887a

SHA512
12e51ad62d076437d881561d90dd9f1ef5bbd9c388ab81e2bc075e7ce35b68b64a0e9880992df66fdcc3f3746768c8063c2ace2e88acea8a4775132fbb40b347

Download Submit
C:\Users\Admin\AppData\Local\Temp\thknzb.exe
Filesize
172KB

MD5
c5c5bbb2cc4df671e3acd717c7c01582

SHA1
48d5743616648c3b51004737a5d406b30095e5b8

SHA256
8940449b380e0888ca3a404b2508d810d162fb4d5769b92f723396893662887a

SHA512
12e51ad62d076437d881561d90dd9f1ef5bbd9c388ab81e2bc075e7ce35b68b64a0e9880992df66fdcc3f3746768c8063c2ace2e88acea8a4775132fbb40b347

Download Submit
C:\Users\Admin\AppData\Local\Temp\xunksyx.bat
Filesize
124B

MD5
f903db46bc0fdec1dd3c9952fcd0d3f6

SHA1
bdad8567ead8cf33b95497f702d522264ae89e01

SHA256
fc0f046d1a713ee4c992d4c0321ead8f9968bee0fa264d9461f866922131f651

SHA512
55f48a0c337211c4d8e555dfb8629a17d58a22b6e44440bf2d2cc52d4da7864d09062ee451b5f69970868784a9f3c8c45bc9a3fdacfc1d13343f8f7b2d5c79cd

Download Submit
\Users\Admin\AppData\Local\Temp\thknzb.exe
Filesize
172KB

MD5
c5c5bbb2cc4df671e3acd717c7c01582

SHA1
48d5743616648c3b51004737a5d406b30095e5b8

SHA256
8940449b380e0888ca3a404b2508d810d162fb4d5769b92f723396893662887a

SHA512
12e51ad62d076437d881561d90dd9f1ef5bbd9c388ab81e2bc075e7ce35b68b64a0e9880992df66fdcc3f3746768c8063c2ace2e88acea8a4775132fbb40b347

Download Submit
\Users\Admin\AppData\Local\Temp\thknzb.exe
Filesize
172KB

MD5
c5c5bbb2cc4df671e3acd717c7c01582

SHA1
48d5743616648c3b51004737a5d406b30095e5b8

SHA256
8940449b380e0888ca3a404b2508d810d162fb4d5769b92f723396893662887a

SHA512
12e51ad62d076437d881561d90dd9f1ef5bbd9c388ab81e2bc075e7ce35b68b64a0e9880992df66fdcc3f3746768c8063c2ace2e88acea8a4775132fbb40b347

Download Submit
memory/520-61-0x0000000000000000-mapping.dmp

Download
memory/1120-55-0x0000000000000000-mapping.dmp

Download
memory/1480-54-0x0000000076581000-0x0000000076583000-memory.dmp

Filesize
8KB

Download
memory/1876-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing