bbe9087dade7024ca64bc6c37a4b1e10ed3595ecb86d76d1a7d70e0982352120

General

Target

bbe9087dade7024ca64bc6c37a4b1e10ed3595ecb86d76d1a7d70e0982352120.exe
Size

342KB
MD5

ca0d9a211c08bc340786405d20e4bb86
SHA1

79e91ec248eea68498551c7c50e195d470385b81
SHA256

bbe9087dade7024ca64bc6c37a4b1e10ed3595ecb86d76d1a7d70e0982352120
SHA512

4eeb83e2d90c3cb154be31bdb3529e6b6ffa02744018ff83594966ddd36acd26479ab3898bf2f722a8b2eb19cb39ed91eb662c150607b14639024c26e0ed1c80
SSDEEP

6144:UffYozitUEBczJ8dvypOsfU5xf0R81jvPgUEJqG6XtG/tspWweh:Poh5zJWvyIs40R8toRJOKspzS

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1436	mmm.dat
5088	flash.dat

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\	mmm.dat
File created	C:\Windows\SysWOW64\flash.dat	bbe9087dade7024ca64bc6c37a4b1e10ed3595ecb86d76d1a7d70e0982352120.exe
File created	C:\Windows\SysWOW64\mmm.dat	bbe9087dade7024ca64bc6c37a4b1e10ed3595ecb86d76d1a7d70e0982352120.exe
File created	C:\Windows\SysWOW64\runf.bat	bbe9087dade7024ca64bc6c37a4b1e10ed3595ecb86d76d1a7d70e0982352120.exe
File opened for modification	C:\Windows\SysWOW64\mmm.dat	mmm.dat

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: 33	1436	mmm.dat
Token: SeIncBasePriorityPrivilege	1436	mmm.dat
Token: 33	1436	mmm.dat
Token: SeIncBasePriorityPrivilege	1436	mmm.dat
Token: 33	1436	mmm.dat
Token: SeIncBasePriorityPrivilege	1436	mmm.dat
Token: 33	1436	mmm.dat
Token: SeIncBasePriorityPrivilege	1436	mmm.dat
Token: 33	1436	mmm.dat
Token: SeIncBasePriorityPrivilege	1436	mmm.dat
Token: 33	1436	mmm.dat
Token: SeIncBasePriorityPrivilege	1436	mmm.dat
Token: 33	1436	mmm.dat
Token: SeIncBasePriorityPrivilege	1436	mmm.dat
Token: 33	1436	mmm.dat
Token: SeIncBasePriorityPrivilege	1436	mmm.dat
Token: 33	1436	mmm.dat
Token: SeIncBasePriorityPrivilege	1436	mmm.dat
Token: 33	1436	mmm.dat
Token: SeIncBasePriorityPrivilege	1436	mmm.dat
Token: 33	1436	mmm.dat
Token: SeIncBasePriorityPrivilege	1436	mmm.dat
Token: 33	1436	mmm.dat
Token: SeIncBasePriorityPrivilege	1436	mmm.dat
Token: 33	1436	mmm.dat
Token: SeIncBasePriorityPrivilege	1436	mmm.dat
Token: 33	1436	mmm.dat
Token: SeIncBasePriorityPrivilege	1436	mmm.dat

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1436	mmm.dat
1436	mmm.dat
1436	mmm.dat
1436	mmm.dat
1436	mmm.dat
1436	mmm.dat

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1436	mmm.dat
1436	mmm.dat
1436	mmm.dat
1436	mmm.dat
1436	mmm.dat
1436	mmm.dat

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5088	flash.dat

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 4212	900	bbe9087dade7024ca64bc6c37a4b1e10ed3595ecb86d76d1a7d70e0982352120.exe	80
PID 900 wrote to memory of 4212	900	bbe9087dade7024ca64bc6c37a4b1e10ed3595ecb86d76d1a7d70e0982352120.exe	80
PID 900 wrote to memory of 4212	900	bbe9087dade7024ca64bc6c37a4b1e10ed3595ecb86d76d1a7d70e0982352120.exe	80
PID 900 wrote to memory of 1436	900	bbe9087dade7024ca64bc6c37a4b1e10ed3595ecb86d76d1a7d70e0982352120.exe	81
PID 900 wrote to memory of 1436	900	bbe9087dade7024ca64bc6c37a4b1e10ed3595ecb86d76d1a7d70e0982352120.exe	81
PID 900 wrote to memory of 1436	900	bbe9087dade7024ca64bc6c37a4b1e10ed3595ecb86d76d1a7d70e0982352120.exe	81
PID 4212 wrote to memory of 5088	4212	cmd.exe	83
PID 4212 wrote to memory of 5088	4212	cmd.exe	83
PID 4212 wrote to memory of 5088	4212	cmd.exe	83
PID 900 wrote to memory of 4604	900	bbe9087dade7024ca64bc6c37a4b1e10ed3595ecb86d76d1a7d70e0982352120.exe	84
PID 900 wrote to memory of 4604	900	bbe9087dade7024ca64bc6c37a4b1e10ed3595ecb86d76d1a7d70e0982352120.exe	84
PID 900 wrote to memory of 4604	900	bbe9087dade7024ca64bc6c37a4b1e10ed3595ecb86d76d1a7d70e0982352120.exe	84

C:\Users\Admin\AppData\Local\Temp\bbe9087dade7024ca64bc6c37a4b1e10ed3595ecb86d76d1a7d70e0982352120.exe
"C:\Users\Admin\AppData\Local\Temp\bbe9087dade7024ca64bc6c37a4b1e10ed3595ecb86d76d1a7d70e0982352120.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\runf.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\SysWOW64\flash.dat
    flash.dat
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5088
- C:\Windows\SysWOW64\mmm.dat
  C:\Windows\system32\mmm.dat
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c clear.bat
  2⤵
  PID:4604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\clear.bat

Filesize
282B

MD5
e9e5fafa109b7f4a853e077ba75d74cb

SHA1
c7ecf93574f76a8d0adfdfb5c8bd7b1eab2bdfe8

SHA256
e0b8387c9585cc0da7df4f9648f931fad9987860c68f4d8f3275f4dd53e91bdf

SHA512
96e502ea344acc6f14d995a0ff2e8517cd5227a26d99837a07dd548e24374f1710b6281c7d6e26ab6fafd8e7db0efd41c7d3502ff4ef7b55e6d84b54e9d670bf

Download Submit
C:\Windows\SysWOW64\flash.dat

Filesize
24KB

MD5
f6212833432c6b33155ea3aae886810a

SHA1
cb2ed24fdc7b04331dc5afbb821620f9541f6045

SHA256
ffbdcae2216b1b4c16375ca6270d9c55c90e800887cd682adb7c25366eb25ead

SHA512
726c452c85d7d140b66bb8af43f0334653e5751a760a25a2fd321f5ffbe9c89af1fd7868c14fdd7175ff2577f249dae816116a738708e53b2027219e2c92cfa1

Download Submit
C:\Windows\SysWOW64\flash.dat

Filesize
24KB

MD5
f6212833432c6b33155ea3aae886810a

SHA1
cb2ed24fdc7b04331dc5afbb821620f9541f6045

SHA256
ffbdcae2216b1b4c16375ca6270d9c55c90e800887cd682adb7c25366eb25ead

SHA512
726c452c85d7d140b66bb8af43f0334653e5751a760a25a2fd321f5ffbe9c89af1fd7868c14fdd7175ff2577f249dae816116a738708e53b2027219e2c92cfa1

Download Submit
C:\Windows\SysWOW64\mmm.dat

Filesize
709KB

MD5
64361fd9f4ea3f5fcabcf291f7c3a477

SHA1
04d124676cc9c8d648b9f7c7c4603a5120d3f4fb

SHA256
936854b0d53b8152904f386860b76ae63126e7508d2b485eab375be376638b15

SHA512
6066d92178a052f8ca2f64d287d890b580e679a632ad3a199e8a1570d08622e9a91876f5fdde733afda44058ca12b87139231eefbbb59fb3da9ca9be406f1035

Download Submit
C:\Windows\SysWOW64\mmm.dat

Filesize
709KB

MD5
64361fd9f4ea3f5fcabcf291f7c3a477

SHA1
04d124676cc9c8d648b9f7c7c4603a5120d3f4fb

SHA256
936854b0d53b8152904f386860b76ae63126e7508d2b485eab375be376638b15

SHA512
6066d92178a052f8ca2f64d287d890b580e679a632ad3a199e8a1570d08622e9a91876f5fdde733afda44058ca12b87139231eefbbb59fb3da9ca9be406f1035

Download Submit
C:\Windows\SysWOW64\runf.bat

Filesize
95B

MD5
aaf01ef33650ebb85da08a274cd703b0

SHA1
ab59f6eb330ab9645cbfecdbba0187f935dfdf25

SHA256
187dea8d5aacc08d2635e24f8e241c9739271cf373df01deb49cb57dcd201d89

SHA512
643d7f8274b40b7aade9287ab7fa8f0ae78b86ed995dfa5286c63b78cf55c427d7972cb70a0f5bc636ae1fa51f4d4c82c7b48f65238a63bc3b5d06c1ae70e125

Download Submit
memory/900-142-0x0000000000400000-0x00000000004C7200-memory.dmp

Filesize
796KB

Download
memory/900-144-0x0000000000400000-0x00000000004C7200-memory.dmp

Filesize
796KB

Download

Analysis

Sharing