aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4

General

Target

aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe
Size

345KB
MD5

3573ae2f0fc7906647c4d5ae40ccf5ce
SHA1

3e96da3eac35005ad11a7790be33077820f4fb5b
SHA256

aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4
SHA512

d5e88622ab7f72b46fb4af82947c34a901975b74caa9e28913a980424fe70b2d863ed39d3e78bc9ef9267e7f637f22f331341d405587ae1eeeaeef42c3ab9d1f
SSDEEP

6144:joKC4aGm1USwU9sllfoMKeUcrkqk2EmYqlVskmeHUt+J53VV/z55m+m8w:AHbwHLf9KedkoEmlzJUeFWCw

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3256	efehqoyqana.exe

Loads dropped DLL 2 IoCs

pid	Process
4696	aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe
4696	aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Autorun.inf	aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe
File created	D:\Autorun.inf	aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe
File opened for modification	D:\Autorun.inf	aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe
File created	C:\Autorun.inf	aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5008 set thread context of 4696	5008	aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4696	aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe
4696	aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4696	aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe
Token: SeSecurityPrivilege	4696	aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe
Token: SeSecurityPrivilege	4696	aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe
Token: SeSecurityPrivilege	4696	aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 4696	5008	aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe	83
PID 5008 wrote to memory of 4696	5008	aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe	83
PID 5008 wrote to memory of 4696	5008	aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe	83
PID 5008 wrote to memory of 4696	5008	aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe	83
PID 5008 wrote to memory of 4696	5008	aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe	83
PID 5008 wrote to memory of 4696	5008	aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe	83
PID 5008 wrote to memory of 4696	5008	aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe	83
PID 5008 wrote to memory of 4696	5008	aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe	83
PID 4696 wrote to memory of 3256	4696	aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe	85
PID 4696 wrote to memory of 3256	4696	aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe	85
PID 4696 wrote to memory of 3256	4696	aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe	85

C:\Users\Admin\AppData\Local\Temp\aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe
"C:\Users\Admin\AppData\Local\Temp\aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe"
1⤵
- Drops autorun.inf file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Users\Admin\AppData\Local\Temp\aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\aff770ca9c3f11e858d46027b5313e302bb3ebe1e970e886913f8619d2a52ee4.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Users\Admin\AppData\Roaming\Etusweul\efehqoyqana.exe
    "C:\Users\Admin\AppData\Roaming\Etusweul\efehqoyqana.exe"
    3⤵
    - Executes dropped EXE
    PID:3256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp461.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp482.tmp

Filesize
625KB

MD5
eccf28d7e5ccec24119b88edd160f8f4

SHA1
98509587a3d37a20b56b50fd57f823a1691a034c

SHA256
820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6

SHA512
c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670

Download Submit
C:\Users\Admin\AppData\Roaming\Etusweul\efehqoyqana.exe

Filesize
345KB

MD5
6910958c3f4b0f2a452d37a26ab2b85d

SHA1
0e25073ef2fb14e330c036438445e0737639c9d7

SHA256
f241ed328fa22539e75145f58a3b50bd99f0a59893381780590d420b9fcd3535

SHA512
549558dc764ae42de0e6a3a7c2f7543fc50b1e85bdbdb158f37d049ce65618b5fef1f36c37a26c57af7da727f39e5104e31e5ff13cc70dd76a96e73414e79095

Download Submit
C:\Users\Admin\AppData\Roaming\Etusweul\efehqoyqana.exe

Filesize
345KB

MD5
6910958c3f4b0f2a452d37a26ab2b85d

SHA1
0e25073ef2fb14e330c036438445e0737639c9d7

SHA256
f241ed328fa22539e75145f58a3b50bd99f0a59893381780590d420b9fcd3535

SHA512
549558dc764ae42de0e6a3a7c2f7543fc50b1e85bdbdb158f37d049ce65618b5fef1f36c37a26c57af7da727f39e5104e31e5ff13cc70dd76a96e73414e79095

Download Submit
memory/4696-136-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4696-140-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4696-141-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4696-139-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4696-137-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4696-135-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4696-133-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads