333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2

General

Target

333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe
Size

53KB
MD5

68a682d9d0e33e688c6ea49056830b41
SHA1

187ee68d2b5e58f2eec215d1b52a85550de13ac2
SHA256

333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2
SHA512

9d332e646685d466f121dba4ad2cbf7b8f1f4460b83fad92f74e72469050f0d8262340bc8ca71e3188dd17e1b96bd604e337391747fbf8612867cd5d418de431
SSDEEP

768:mOcxeXxZFPgs1qjFh9EQylblq9w/VM8H7wKjwXbIkbd:mOcx6Zpgsgjb9EQaq9oVlbwKkXcI

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1584	0437ec0.tmp

Deletes itself 1 IoCs

pid	Process
1788	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
752	333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe
752	333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.220.123
Destination IP	208.67.220.222
Destination IP	208.67.220.220
Destination IP	208.67.222.220
Destination IP	208.67.222.123

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	0437ec0.tmp
File opened (read-only)	\??\H:	0437ec0.tmp
File opened (read-only)	\??\M:	0437ec0.tmp
File opened (read-only)	\??\N:	0437ec0.tmp
File opened (read-only)	\??\W:	0437ec0.tmp
File opened (read-only)	\??\J:	0437ec0.tmp
File opened (read-only)	\??\K:	0437ec0.tmp
File opened (read-only)	\??\Q:	0437ec0.tmp
File opened (read-only)	\??\U:	0437ec0.tmp
File opened (read-only)	\??\X:	0437ec0.tmp
File opened (read-only)	\??\Y:	0437ec0.tmp
File opened (read-only)	\??\G:	0437ec0.tmp
File opened (read-only)	\??\L:	0437ec0.tmp
File opened (read-only)	\??\O:	0437ec0.tmp
File opened (read-only)	\??\P:	0437ec0.tmp
File opened (read-only)	\??\R:	0437ec0.tmp
File opened (read-only)	\??\V:	0437ec0.tmp
File opened (read-only)	\??\E:	0437ec0.tmp
File opened (read-only)	\??\I:	0437ec0.tmp
File opened (read-only)	\??\S:	0437ec0.tmp
File opened (read-only)	\??\T:	0437ec0.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\usp10.dll	0437ec0.tmp

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1584	0437ec0.tmp
1584	0437ec0.tmp
1584	0437ec0.tmp
1584	0437ec0.tmp
1584	0437ec0.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	752	333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe
Token: SeIncBasePriorityPrivilege	1584	0437ec0.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 1584	752	333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe	28
PID 752 wrote to memory of 1584	752	333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe	28
PID 752 wrote to memory of 1584	752	333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe	28
PID 752 wrote to memory of 1584	752	333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe	28
PID 752 wrote to memory of 1788	752	333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe	29
PID 752 wrote to memory of 1788	752	333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe	29
PID 752 wrote to memory of 1788	752	333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe	29
PID 752 wrote to memory of 1788	752	333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe	29
PID 1584 wrote to memory of 1860	1584	0437ec0.tmp	33
PID 1584 wrote to memory of 1860	1584	0437ec0.tmp	33
PID 1584 wrote to memory of 1860	1584	0437ec0.tmp	33
PID 1584 wrote to memory of 1860	1584	0437ec0.tmp	33

C:\Users\Admin\AppData\Local\Temp\333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe
"C:\Users\Admin\AppData\Local\Temp\333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:752
- C:\Users\Admin\AppData\Local\Temp\0437ec0.tmp
  "C:\Users\Admin\AppData\Local\Temp\0437ec0.tmp"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\0437ec0.tmp"
    3⤵
    PID:1860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe"
  2⤵
  - Deletes itself
  PID:1788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0437ec0.tmp

Filesize
53KB

MD5
dcd0e1bf91b35a195cd0b00d71259593

SHA1
0ffdb1d9e3a93a56d964845174e158b6b4715e1a

SHA256
5f2912df649501aeeb3aa5334ac39c9185f6633787ec9f4bb93dde920a2a76fb

SHA512
fc0ac336c6da70c01b43d9daf75f1d6a5b2c22caf8c65e55c4a388a70d2a1cf2bb97d8bcd35c5ca30de77ef2949228160150cdf8932219c69729b7974a0633a1

Download Submit
\Users\Admin\AppData\Local\Temp\0437ec0.tmp

Filesize
53KB

MD5
dcd0e1bf91b35a195cd0b00d71259593

SHA1
0ffdb1d9e3a93a56d964845174e158b6b4715e1a

SHA256
5f2912df649501aeeb3aa5334ac39c9185f6633787ec9f4bb93dde920a2a76fb

SHA512
fc0ac336c6da70c01b43d9daf75f1d6a5b2c22caf8c65e55c4a388a70d2a1cf2bb97d8bcd35c5ca30de77ef2949228160150cdf8932219c69729b7974a0633a1

Download Submit
\Users\Admin\AppData\Local\Temp\0437ec0.tmp

Filesize
53KB

MD5
dcd0e1bf91b35a195cd0b00d71259593

SHA1
0ffdb1d9e3a93a56d964845174e158b6b4715e1a

SHA256
5f2912df649501aeeb3aa5334ac39c9185f6633787ec9f4bb93dde920a2a76fb

SHA512
fc0ac336c6da70c01b43d9daf75f1d6a5b2c22caf8c65e55c4a388a70d2a1cf2bb97d8bcd35c5ca30de77ef2949228160150cdf8932219c69729b7974a0633a1

Download Submit
memory/752-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1584-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1584-61-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download
memory/1584-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1584-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing