86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee

General

Target

86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
Size

320KB
MD5

139aded90404e7566d4ece8ba1ba43aa
SHA1

95e5454aa03d07d3ff8d6de4fe743d8b6bd41508
SHA256

86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee
SHA512

30ef9e4de12713bdb808229edfba05e0561a2126bb7df8d1917ea9c868ced8bd462284a460dbe6405971725b8eff9b8cad2833ebc384cbfbc604ddac259a6bc0
SSDEEP

6144:R7NyWYhRghGq/998Ox2qf9QbmsrQIvKLnLjH9JXE9v2xkJwJuP8D:R7NyWYhRghGq/998Ox99emsrcLZ9u2xP

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

olypj.exeolypj.exe

pid process

748 olypj.exe
1372 olypj.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

240 cmd.exe

pid	process
748	olypj.exe
1372	olypj.exe

pid	process
240	cmd.exe

Loads dropped DLL 3 IoCs

Processes:

86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exeolypj.exe

pid	process
892	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
892	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
748	olypj.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exeolypj.exe

description	ioc	process
File opened (read-only)	\??\I:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\K:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\M:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\R:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\X:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\H:	olypj.exe
File opened (read-only)	\??\B:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\F:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\Q:	olypj.exe
File opened (read-only)	\??\K:	olypj.exe
File opened (read-only)	\??\H:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\I:	olypj.exe
File opened (read-only)	\??\Q:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\J:	olypj.exe
File opened (read-only)	\??\N:	olypj.exe
File opened (read-only)	\??\X:	olypj.exe
File opened (read-only)	\??\E:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\L:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\P:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\G:	olypj.exe
File opened (read-only)	\??\L:	olypj.exe
File opened (read-only)	\??\O:	olypj.exe
File opened (read-only)	\??\S:	olypj.exe
File opened (read-only)	\??\T:	olypj.exe
File opened (read-only)	\??\A:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\G:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\F:	olypj.exe
File opened (read-only)	\??\V:	olypj.exe
File opened (read-only)	\??\N:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\T:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\P:	olypj.exe
File opened (read-only)	\??\U:	olypj.exe
File opened (read-only)	\??\W:	olypj.exe
File opened (read-only)	\??\Z:	olypj.exe
File opened (read-only)	\??\V:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\A:	olypj.exe
File opened (read-only)	\??\W:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\Z:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\B:	olypj.exe
File opened (read-only)	\??\M:	olypj.exe
File opened (read-only)	\??\Y:	olypj.exe
File opened (read-only)	\??\S:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\U:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\Y:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\E:	olypj.exe
File opened (read-only)	\??\R:	olypj.exe
File opened (read-only)	\??\J:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\O:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exeolypj.exe

description	pid	process	target process
PID 572 set thread context of 892	572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
PID 748 set thread context of 1372	748	olypj.exe	olypj.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exeolypj.exe

pid	process
572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
892	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
748	olypj.exe
748	olypj.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exeolypj.exe

pid	process
572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
748	olypj.exe
748	olypj.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exeolypj.exe

description	pid	process	target process
PID 572 wrote to memory of 892	572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
PID 572 wrote to memory of 892	572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
PID 572 wrote to memory of 892	572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
PID 572 wrote to memory of 892	572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
PID 572 wrote to memory of 892	572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
PID 572 wrote to memory of 892	572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
PID 572 wrote to memory of 892	572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
PID 572 wrote to memory of 892	572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
PID 572 wrote to memory of 892	572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
PID 572 wrote to memory of 892	572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
PID 892 wrote to memory of 748	892	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	olypj.exe
PID 892 wrote to memory of 748	892	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	olypj.exe
PID 892 wrote to memory of 748	892	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	olypj.exe
PID 892 wrote to memory of 748	892	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	olypj.exe
PID 748 wrote to memory of 1372	748	olypj.exe	olypj.exe
PID 748 wrote to memory of 1372	748	olypj.exe	olypj.exe
PID 748 wrote to memory of 1372	748	olypj.exe	olypj.exe
PID 748 wrote to memory of 1372	748	olypj.exe	olypj.exe
PID 748 wrote to memory of 1372	748	olypj.exe	olypj.exe
PID 748 wrote to memory of 1372	748	olypj.exe	olypj.exe
PID 748 wrote to memory of 1372	748	olypj.exe	olypj.exe
PID 748 wrote to memory of 1372	748	olypj.exe	olypj.exe
PID 748 wrote to memory of 1372	748	olypj.exe	olypj.exe
PID 748 wrote to memory of 1372	748	olypj.exe	olypj.exe
PID 892 wrote to memory of 240	892	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	cmd.exe
PID 892 wrote to memory of 240	892	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	cmd.exe
PID 892 wrote to memory of 240	892	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	cmd.exe
PID 892 wrote to memory of 240	892	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
"C:\Users\Admin\AppData\Local\Temp\86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:572

C:\Users\Admin\AppData\Local\Temp\86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
C:\Users\Admin\AppData\Local\Temp\86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:892

C:\Users\Admin\AppData\Local\Temp\Ifro\olypj.exe
"C:\Users\Admin\AppData\Local\Temp\Ifro\olypj.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Local\Temp\Ifro\olypj.exe
C:\Users\Admin\AppData\Local\Temp\Ifro\olypj.exe
4⤵
- Executes dropped EXE
PID:1372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HHO5378.bat"
3⤵
- Deletes itself
PID:240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HHO5378.bat

Filesize
278B

MD5
fd325c7b12e8d3054f3533b0357eda33

SHA1
0c6f0758e40ef8e5cdb04c0d83ea210dd1078759

SHA256
2437f9c1edc0f36f3d9207d55160c7d850185944cd67a04c4cfb062432f78184

SHA512
15dacbd09c13f02f1d916a4582abfd0893b162285e03abd791fec124a2beb475209db302322198be8066665ae47bc107823baf717784c3f53b48c2a4278b4dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ifro\olypj.exe

Filesize
320KB

MD5
98c9c155998ac0d3b9410cd471718256

SHA1
c07f9b839ca02290faa1b62b849bc8e2a90d3b27

SHA256
600b5089dc6765cbc616034ca33488c396742fde40b2b98d3f1a50f79a2469a4

SHA512
09bc2871a2d62b3d775255afcf74b961c821cab688f7a90ab68b13adb90a47606084f77832b59e23d09027f02698df41127600ec6187ee0bb03a5b8f34fc3e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ifro\olypj.exe

Filesize
320KB

MD5
98c9c155998ac0d3b9410cd471718256

SHA1
c07f9b839ca02290faa1b62b849bc8e2a90d3b27

SHA256
600b5089dc6765cbc616034ca33488c396742fde40b2b98d3f1a50f79a2469a4

SHA512
09bc2871a2d62b3d775255afcf74b961c821cab688f7a90ab68b13adb90a47606084f77832b59e23d09027f02698df41127600ec6187ee0bb03a5b8f34fc3e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ifro\olypj.exe

Filesize
320KB

MD5
98c9c155998ac0d3b9410cd471718256

SHA1
c07f9b839ca02290faa1b62b849bc8e2a90d3b27

SHA256
600b5089dc6765cbc616034ca33488c396742fde40b2b98d3f1a50f79a2469a4

SHA512
09bc2871a2d62b3d775255afcf74b961c821cab688f7a90ab68b13adb90a47606084f77832b59e23d09027f02698df41127600ec6187ee0bb03a5b8f34fc3e31

Download Submit
\Users\Admin\AppData\Local\Temp\Ifro\olypj.exe

Filesize
320KB

MD5
98c9c155998ac0d3b9410cd471718256

SHA1
c07f9b839ca02290faa1b62b849bc8e2a90d3b27

SHA256
600b5089dc6765cbc616034ca33488c396742fde40b2b98d3f1a50f79a2469a4

SHA512
09bc2871a2d62b3d775255afcf74b961c821cab688f7a90ab68b13adb90a47606084f77832b59e23d09027f02698df41127600ec6187ee0bb03a5b8f34fc3e31

Download Submit
\Users\Admin\AppData\Local\Temp\Ifro\olypj.exe

Filesize
320KB

MD5
98c9c155998ac0d3b9410cd471718256

SHA1
c07f9b839ca02290faa1b62b849bc8e2a90d3b27

SHA256
600b5089dc6765cbc616034ca33488c396742fde40b2b98d3f1a50f79a2469a4

SHA512
09bc2871a2d62b3d775255afcf74b961c821cab688f7a90ab68b13adb90a47606084f77832b59e23d09027f02698df41127600ec6187ee0bb03a5b8f34fc3e31

Download Submit
\Users\Admin\AppData\Local\Temp\Ifro\olypj.exe

Filesize
320KB

MD5
98c9c155998ac0d3b9410cd471718256

SHA1
c07f9b839ca02290faa1b62b849bc8e2a90d3b27

SHA256
600b5089dc6765cbc616034ca33488c396742fde40b2b98d3f1a50f79a2469a4

SHA512
09bc2871a2d62b3d775255afcf74b961c821cab688f7a90ab68b13adb90a47606084f77832b59e23d09027f02698df41127600ec6187ee0bb03a5b8f34fc3e31

Download Submit
memory/240-90-0x0000000000000000-mapping.dmp

Download
memory/572-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/572-65-0x0000000003C20000-0x0000000003C24000-memory.dmp

Filesize
16KB

Download
memory/748-73-0x0000000000000000-mapping.dmp

Download
memory/892-61-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/892-70-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/892-69-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/892-68-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/892-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/892-64-0x0000000000426135-mapping.dmp

Download
memory/892-59-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/892-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/892-91-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/892-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/892-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1372-87-0x0000000000426135-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads