f5f27d8ccfcac8bd4dbe561c10829df9aa402427bc4e3fa8cb6ca67a1caa4efe

General

Target

f5f27d8ccfcac8bd4dbe561c10829df9aa402427bc4e3fa8cb6ca67a1caa4efe.exe
Size

3.2MB
MD5

1a19335da191ce5f77403d20e5fc680f
SHA1

da60210c8f5f471d18863b62aa383a3205d0b96c
SHA256

f5f27d8ccfcac8bd4dbe561c10829df9aa402427bc4e3fa8cb6ca67a1caa4efe
SHA512

d3ccd3d893df358fec8dd66b4e22ba9167b920ed396a07684afbd64bf20cf64fdf3e1b1ddcae622b74765f32ee2b93b7eb9836c33ba3615f86ab5093669cc2ca
SSDEEP

49152:SRkOnruZoZrwo4vmccDwZVh4PGnNuyKW9gU562:SP0oNpcQquyKdX2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4592	Tempioefn.exe

Loads dropped DLL 2 IoCs

pid	Process
2736	f5f27d8ccfcac8bd4dbe561c10829df9aa402427bc4e3fa8cb6ca67a1caa4efe.exe
4592	Tempioefn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	f5f27d8ccfcac8bd4dbe561c10829df9aa402427bc4e3fa8cb6ca67a1caa4efe.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\i:	f5f27d8ccfcac8bd4dbe561c10829df9aa402427bc4e3fa8cb6ca67a1caa4efe.exe
File opened (read-only)	\??\e:	Tempioefn.exe
File opened (read-only)	\??\f:	Tempioefn.exe
File opened (read-only)	\??\h:	Tempioefn.exe
File opened (read-only)	\??\i:	Tempioefn.exe
File opened (read-only)	\??\g:	Tempioefn.exe
File opened (read-only)	\??\j:	Tempioefn.exe
File opened (read-only)	\??\e:	f5f27d8ccfcac8bd4dbe561c10829df9aa402427bc4e3fa8cb6ca67a1caa4efe.exe
File opened (read-only)	\??\f:	f5f27d8ccfcac8bd4dbe561c10829df9aa402427bc4e3fa8cb6ca67a1caa4efe.exe
File opened (read-only)	\??\g:	f5f27d8ccfcac8bd4dbe561c10829df9aa402427bc4e3fa8cb6ca67a1caa4efe.exe
File opened (read-only)	\??\h:	f5f27d8ccfcac8bd4dbe561c10829df9aa402427bc4e3fa8cb6ca67a1caa4efe.exe
File opened (read-only)	\??\j:	f5f27d8ccfcac8bd4dbe561c10829df9aa402427bc4e3fa8cb6ca67a1caa4efe.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Windows Media Player\Helps\kblog.dat	f5f27d8ccfcac8bd4dbe561c10829df9aa402427bc4e3fa8cb6ca67a1caa4efe.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\Helps\kblog.dat	Tempioefn.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4592	Tempioefn.exe
4592	Tempioefn.exe
2736	f5f27d8ccfcac8bd4dbe561c10829df9aa402427bc4e3fa8cb6ca67a1caa4efe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 4592	2736	f5f27d8ccfcac8bd4dbe561c10829df9aa402427bc4e3fa8cb6ca67a1caa4efe.exe	83
PID 2736 wrote to memory of 4592	2736	f5f27d8ccfcac8bd4dbe561c10829df9aa402427bc4e3fa8cb6ca67a1caa4efe.exe	83
PID 2736 wrote to memory of 4592	2736	f5f27d8ccfcac8bd4dbe561c10829df9aa402427bc4e3fa8cb6ca67a1caa4efe.exe	83

C:\Users\Admin\AppData\Local\Temp\f5f27d8ccfcac8bd4dbe561c10829df9aa402427bc4e3fa8cb6ca67a1caa4efe.exe
"C:\Users\Admin\AppData\Local\Temp\f5f27d8ccfcac8bd4dbe561c10829df9aa402427bc4e3fa8cb6ca67a1caa4efe.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\Office\Tempioefn.exe
  C:\Users\Admin\AppData\Local\Temp\Office\Tempioefn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:4592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Office\Tempioefn.exe

Filesize
2.2MB

MD5
40850d4d6c937de937707141d9bd9f72

SHA1
61892e625e37f1f517f4e371e578d1623e92f208

SHA256
9b403ec68ed8ecd3b199b18f5648cc44c73e170fb80de3e7bc0f2e2a0832e37a

SHA512
4f1e719b445782317839bb85f24543ab3311decd19ab68678fcb64e2870db31fe44f7c3d41504c195623833d89adef0500fb667311ce979cd242a23aad5af1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Office\Tempioefn.exe

Filesize
2.2MB

MD5
40850d4d6c937de937707141d9bd9f72

SHA1
61892e625e37f1f517f4e371e578d1623e92f208

SHA256
9b403ec68ed8ecd3b199b18f5648cc44c73e170fb80de3e7bc0f2e2a0832e37a

SHA512
4f1e719b445782317839bb85f24543ab3311decd19ab68678fcb64e2870db31fe44f7c3d41504c195623833d89adef0500fb667311ce979cd242a23aad5af1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghtlsaee.dll

Filesize
284KB

MD5
0c81b27c852d4ac989e768c3087f6b94

SHA1
e68e8a15f06f754787a3a04afc81464fecdd1010

SHA256
50c4973360da1d1156754fc10157cdc0f60bde4556da21f59ee92f08708af645

SHA512
a8ced227cb08c4b57cb0276a1a2d69ffa5dced6428f928d700bfe2faf9094adf179a9470d2b567aec307240067f3f9a3939793d4e4d7dc62f121138f8a784244

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghtlsaee.dll

Filesize
284KB

MD5
0c81b27c852d4ac989e768c3087f6b94

SHA1
e68e8a15f06f754787a3a04afc81464fecdd1010

SHA256
50c4973360da1d1156754fc10157cdc0f60bde4556da21f59ee92f08708af645

SHA512
a8ced227cb08c4b57cb0276a1a2d69ffa5dced6428f928d700bfe2faf9094adf179a9470d2b567aec307240067f3f9a3939793d4e4d7dc62f121138f8a784244

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghtlsaee.dll

Filesize
284KB

MD5
0c81b27c852d4ac989e768c3087f6b94

SHA1
e68e8a15f06f754787a3a04afc81464fecdd1010

SHA256
50c4973360da1d1156754fc10157cdc0f60bde4556da21f59ee92f08708af645

SHA512
a8ced227cb08c4b57cb0276a1a2d69ffa5dced6428f928d700bfe2faf9094adf179a9470d2b567aec307240067f3f9a3939793d4e4d7dc62f121138f8a784244

Download Submit

Analysis

Sharing