295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6

General

Target

295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6.exe
Size

726KB
MD5

d0e77b07603d7c8c6f3a3a762836f138
SHA1

a2f1f9a447e406b489b984fa5403a36e79d28911
SHA256

295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6
SHA512

f98b81f9b7cda9bce17a995560b6fa9b21fc1765fd48fd6d468444c4236b4c3bfdf925e14956406d34dd268ced6cd083900f3307601e8404ac1c6c5a53f8e348
SSDEEP

12288:vCatIwPtT2lwPtT2VpmxqDbHks2XnFxXKdOUzD1Duc:vzVPtT2OPtT2VpmUHU3F4Tzlu

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1700	bootinst.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
604	attrib.exe

Loads dropped DLL 2 IoCs

pid	Process
1732	cmd.exe
1732	cmd.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6.exe
File opened (read-only)	\??\E:	cmd.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 1732	1080	295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6.exe	28
PID 1080 wrote to memory of 1732	1080	295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6.exe	28
PID 1080 wrote to memory of 1732	1080	295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6.exe	28
PID 1080 wrote to memory of 1732	1080	295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6.exe	28
PID 1732 wrote to memory of 604	1732	cmd.exe	30
PID 1732 wrote to memory of 604	1732	cmd.exe	30
PID 1732 wrote to memory of 604	1732	cmd.exe	30
PID 1732 wrote to memory of 604	1732	cmd.exe	30
PID 1732 wrote to memory of 1700	1732	cmd.exe	31
PID 1732 wrote to memory of 1700	1732	cmd.exe	31
PID 1732 wrote to memory of 1700	1732	cmd.exe	31
PID 1732 wrote to memory of 1700	1732	cmd.exe	31
PID 1732 wrote to memory of 1424	1732	cmd.exe	32
PID 1732 wrote to memory of 1424	1732	cmd.exe	32
PID 1732 wrote to memory of 1424	1732	cmd.exe	32
PID 1732 wrote to memory of 1424	1732	cmd.exe	32
PID 1732 wrote to memory of 1780	1732	cmd.exe	34
PID 1732 wrote to memory of 1780	1732	cmd.exe	34
PID 1732 wrote to memory of 1780	1732	cmd.exe	34
PID 1732 wrote to memory of 1780	1732	cmd.exe	34
PID 1732 wrote to memory of 1124	1732	cmd.exe	36
PID 1732 wrote to memory of 1124	1732	cmd.exe	36
PID 1732 wrote to memory of 1124	1732	cmd.exe	36
PID 1732 wrote to memory of 1124	1732	cmd.exe	36

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
604	attrib.exe

C:\Users\Admin\AppData\Local\Temp\295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6.exe
"C:\Users\Admin\AppData\Local\Temp\295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6.exe"
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c copy C:\Users\Admin\AppData\Roaming\win7Res\grldr E:\grldr / b>NUL 2>NUL &attrib E:\grldr +h +s +r &C:\Users\Admin\AppData\Roaming\win7Res\bootinst /nt60 E: &cscript C:\Windows\system32\slmgr.vbs -ilc C:\Users\Admin\AppData\Roaming\win7Res\Certificate.xrm-ms &cscript C:\Windows\system32\slmgr.vbs -ipk 49PB6-6BJ6Y-KHGCQ-7DDY6-TF7CD &C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\attrib.exe
    attrib E:\grldr +h +s +r
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:604
- - C:\Users\Admin\AppData\Roaming\win7Res\bootinst.exe
    C:\Users\Admin\AppData\Roaming\win7Res\bootinst /nt60 E:
    3⤵
    - Executes dropped EXE
    PID:1700
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Windows\system32\slmgr.vbs -ilc C:\Users\Admin\AppData\Roaming\win7Res\Certificate.xrm-ms
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Windows\system32\slmgr.vbs -ipk 49PB6-6BJ6Y-KHGCQ-7DDY6-TF7CD
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\win7Res\Certificate.xrm-ms

Filesize
2KB

MD5
f25832af6a684360950dbb15589de34a

SHA1
17ff1d21005c1695ae3dcbdc3435017c895fff5d

SHA256
266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f

SHA512
e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f

Download Submit
C:\Users\Admin\AppData\Roaming\win7Res\bootinst.exe

Filesize
85KB

MD5
70c5f6f69cdc6c5b8240622cf7d90380

SHA1
d7fa00497a3d3279b547dfc913e23052b9287060

SHA256
d7aba1fa037041412052bfdc0127d44bd63597bf01151058d3edf585186387be

SHA512
447ffe8f7216e38695a85e09e5085564ec6d4b35c6770ee8864300fbaad50b0855f9535f1c0fb78a57b090cec9478e24338c8ef54b4986b87abcfdde986df798

Download Submit
C:\Users\Admin\AppData\Roaming\win7Res\bootinst.exe

Filesize
85KB

MD5
70c5f6f69cdc6c5b8240622cf7d90380

SHA1
d7fa00497a3d3279b547dfc913e23052b9287060

SHA256
d7aba1fa037041412052bfdc0127d44bd63597bf01151058d3edf585186387be

SHA512
447ffe8f7216e38695a85e09e5085564ec6d4b35c6770ee8864300fbaad50b0855f9535f1c0fb78a57b090cec9478e24338c8ef54b4986b87abcfdde986df798

Download Submit
C:\Users\Admin\AppData\Roaming\win7Res\grldr

Filesize
199KB

MD5
560b738b2357d5a92190d4ddf2966991

SHA1
5d3ed31bd12c97eadc594bcf10e758a67c4e7552

SHA256
38c658da9d95ef05fea051054f021bfbfed67b7aff32a996a4b32edc9f31c287

SHA512
7a25caacf68367a64d81fdb5a5629cb60dbca4425b27987d0c0885da0bfbfd410f0ea77810552a00601bcb32855f575a00082c9c4fbb78a591d0cc24ad09ecf3

Download Submit
\??\E:\grldr

Filesize
199KB

MD5
560b738b2357d5a92190d4ddf2966991

SHA1
5d3ed31bd12c97eadc594bcf10e758a67c4e7552

SHA256
38c658da9d95ef05fea051054f021bfbfed67b7aff32a996a4b32edc9f31c287

SHA512
7a25caacf68367a64d81fdb5a5629cb60dbca4425b27987d0c0885da0bfbfd410f0ea77810552a00601bcb32855f575a00082c9c4fbb78a591d0cc24ad09ecf3

Download Submit
\Users\Admin\AppData\Roaming\win7Res\bootinst.exe

Filesize
85KB

MD5
70c5f6f69cdc6c5b8240622cf7d90380

SHA1
d7fa00497a3d3279b547dfc913e23052b9287060

SHA256
d7aba1fa037041412052bfdc0127d44bd63597bf01151058d3edf585186387be

SHA512
447ffe8f7216e38695a85e09e5085564ec6d4b35c6770ee8864300fbaad50b0855f9535f1c0fb78a57b090cec9478e24338c8ef54b4986b87abcfdde986df798

Download Submit
\Users\Admin\AppData\Roaming\win7Res\bootinst.exe

Filesize
85KB

MD5
70c5f6f69cdc6c5b8240622cf7d90380

SHA1
d7fa00497a3d3279b547dfc913e23052b9287060

SHA256
d7aba1fa037041412052bfdc0127d44bd63597bf01151058d3edf585186387be

SHA512
447ffe8f7216e38695a85e09e5085564ec6d4b35c6770ee8864300fbaad50b0855f9535f1c0fb78a57b090cec9478e24338c8ef54b4986b87abcfdde986df798

Download Submit
memory/1080-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1080-67-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1080-71-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads