a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576

General

Target

a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576.exe
Size

196KB
MD5

a426ba5d126ddde014ed21f3d9389557
SHA1

eebf33d738fe11666dafdf069bf16b943ebf6cb4
SHA256

a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576
SHA512

15b13e58743020c9c42c67dcd77dd180cb830e42af141b31e111e98b2c68ef7805dcbc792bc014738f9d57ad73070844382bc9a5f078a02de56c9d84517a204e
SSDEEP

3072:emNGXPOxpg/3vjLXm0zMr+kdKgezl0Km6g63B5Fu+TsuZfq:H3g/3vHm0zMqhbBRwuZC

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1152	efowbz.exe

Deletes itself 1 IoCs

pid	Process
1476	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1476	cmd.exe
1476	cmd.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	efowbz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	efowbz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	efowbz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\iwawd\\command	efowbz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	efowbz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\iwawd	efowbz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\iwawd	efowbz.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1176	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 1476	1496	a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576.exe	28
PID 1496 wrote to memory of 1476	1496	a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576.exe	28
PID 1496 wrote to memory of 1476	1496	a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576.exe	28
PID 1496 wrote to memory of 1476	1496	a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576.exe	28
PID 1476 wrote to memory of 1152	1476	cmd.exe	30
PID 1476 wrote to memory of 1152	1476	cmd.exe	30
PID 1476 wrote to memory of 1152	1476	cmd.exe	30
PID 1476 wrote to memory of 1152	1476	cmd.exe	30
PID 1476 wrote to memory of 1176	1476	cmd.exe	31
PID 1476 wrote to memory of 1176	1476	cmd.exe	31
PID 1476 wrote to memory of 1176	1476	cmd.exe	31
PID 1476 wrote to memory of 1176	1476	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576.exe
"C:\Users\Admin\AppData\Local\Temp\a52f0e32b78ea81e8cf3204428ef03e1a26ca5e5d99bb63a2675b7212943e576.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\sdstehz.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Users\Admin\AppData\Local\Temp\efowbz.exe
    "C:\Users\Admin\AppData\Local\Temp\efowbz.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:1152
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\efowbz.exe

Filesize
148KB

MD5
629d37b575b55a4f781bcb76e94ec649

SHA1
6ae90ac43e8e60a5f0971f3b05e095218f411f87

SHA256
ac6dbea3864846224c1209cab38ced7ef13300c716dfad2214cbb42dd4af41b2

SHA512
6032abc92126a5f3621c8c2e33f67cfaba9354e99ab0fd223d7eb5e149ffde281dec3401efe9b4db7ecf15effa3e042cb689c48a43385425e51f21caa5b4884b

Download Submit
C:\Users\Admin\AppData\Local\Temp\efowbz.exe

Filesize
148KB

MD5
629d37b575b55a4f781bcb76e94ec649

SHA1
6ae90ac43e8e60a5f0971f3b05e095218f411f87

SHA256
ac6dbea3864846224c1209cab38ced7ef13300c716dfad2214cbb42dd4af41b2

SHA512
6032abc92126a5f3621c8c2e33f67cfaba9354e99ab0fd223d7eb5e149ffde281dec3401efe9b4db7ecf15effa3e042cb689c48a43385425e51f21caa5b4884b

Download Submit
C:\Users\Admin\AppData\Local\Temp\houtmi.bat

Filesize
188B

MD5
5ea169d365f9a39cccccf57b55d4850f

SHA1
67fff568616eaccd877a06195920a606a708e91f

SHA256
2f2f46553335860304820fa155a3d4148ce82eb0ada79e1d7e802d5a64b56655

SHA512
3ca24aee8aa43be33390ba331097b470dd04b1749c18ef595784328f26f816e8888f6d6ca571d73a21858a3f5651fe328d0802da2bb1bb2c89fcf31a2f916ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdstehz.bat

Filesize
124B

MD5
e956be6723c876f6ee325cdfb83dc453

SHA1
291ba43403d8011d6d82f7b157e1a790b18a3ff6

SHA256
ec8089bd3bf93f20a77cdc3a1ad854a2e7768de1491d9158ae533335944d0f63

SHA512
fb47aa3bbdbaafeab76b4ee1462b0c74e30279d950c1eda9525bf4be15bde1f81b6ecf9079540171eda6b09534c0aee6c4f1f27a051e4cae1da2349ddb0a2b9d

Download Submit
\Users\Admin\AppData\Local\Temp\efowbz.exe

Filesize
148KB

MD5
629d37b575b55a4f781bcb76e94ec649

SHA1
6ae90ac43e8e60a5f0971f3b05e095218f411f87

SHA256
ac6dbea3864846224c1209cab38ced7ef13300c716dfad2214cbb42dd4af41b2

SHA512
6032abc92126a5f3621c8c2e33f67cfaba9354e99ab0fd223d7eb5e149ffde281dec3401efe9b4db7ecf15effa3e042cb689c48a43385425e51f21caa5b4884b

Download Submit
\Users\Admin\AppData\Local\Temp\efowbz.exe

Filesize
148KB

MD5
629d37b575b55a4f781bcb76e94ec649

SHA1
6ae90ac43e8e60a5f0971f3b05e095218f411f87

SHA256
ac6dbea3864846224c1209cab38ced7ef13300c716dfad2214cbb42dd4af41b2

SHA512
6032abc92126a5f3621c8c2e33f67cfaba9354e99ab0fd223d7eb5e149ffde281dec3401efe9b4db7ecf15effa3e042cb689c48a43385425e51f21caa5b4884b

Download Submit
memory/1496-54-0x0000000076581000-0x0000000076583000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing