a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61

General

Target

a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
Size

536KB
MD5

0dcdc1a0b4a002c2c25c856db183b5f4
SHA1

12ed6403d248f9b8f8a3aa89b396945a18e32b8a
SHA256

a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61
SHA512

f3eddb943bd31223283adf94373f60c36bfc0a0c0dd9920bd481d420805972d1945305d3a26779d17890e43025bccf88f5da8be54138e6d7f2af4d39efcdad09
SSDEEP

12288:nXV9Hedhr6eecMwIsf8c2a7rGNrkty0fkhAlmvl:nXLHerxfIsf8c2aErmyFAel

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
File opened (read-only)	\??\U:	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
File opened (read-only)	\??\V:	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
File opened (read-only)	\??\W:	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
File opened (read-only)	\??\Y:	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
File opened (read-only)	\??\S:	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
File opened (read-only)	\??\X:	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
File opened (read-only)	\??\A:	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
File opened (read-only)	\??\E:	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
File opened (read-only)	\??\L:	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
File opened (read-only)	\??\M:	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
File opened (read-only)	\??\O:	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
File opened (read-only)	\??\Q:	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
File opened (read-only)	\??\B:	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
File opened (read-only)	\??\R:	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
File opened (read-only)	\??\Z:	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
File opened (read-only)	\??\P:	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
File opened (read-only)	\??\T:	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
File opened (read-only)	\??\F:	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
File opened (read-only)	\??\G:	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
File opened (read-only)	\??\H:	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
File opened (read-only)	\??\I:	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
File opened (read-only)	\??\J:	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
File opened (read-only)	\??\N:	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 896 set thread context of 828	896	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe	28

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
896	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
828	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 828	896	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe	28
PID 896 wrote to memory of 828	896	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe	28
PID 896 wrote to memory of 828	896	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe	28
PID 896 wrote to memory of 828	896	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe	28
PID 896 wrote to memory of 828	896	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe	28
PID 896 wrote to memory of 828	896	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe	28
PID 896 wrote to memory of 828	896	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe	28
PID 896 wrote to memory of 828	896	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe	28
PID 896 wrote to memory of 828	896	a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe	28

C:\Users\Admin\AppData\Local\Temp\a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe
"C:\Users\Admin\AppData\Local\Temp\a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:896
- C:\Users\Admin\AppData\Local\Temp\a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.EXE
  "C:\Users\Admin\AppData\Local\Temp\a56a71568e2fae3cae4e7eab6acb227c82006ebd1cecfb1e008f0d9408878f61.EXE"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/828-57-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/828-62-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/828-63-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/896-56-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing