1e7abeab7b40ca56a3f6a8d49cfd86b567bce43b790e01a9d7688789944373fb

General

Target

9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
Size

1.1MB
MD5

0ede5189d2124e2de33daca7dfacecd8
SHA1

b5b62e468bbc494bf039a2b84748a1c54ddf21cb
SHA256

9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660
SHA512

dc97f9c4a840ad4968b5ab04824f5253b538103a11735c301e68862acf60469734dded0c322610d2138afb6b87eaa7db56551d1d1b38c7f1480ede0190dfe18e
SSDEEP

12288:jy0Vd6+UYMUiv4MBBlLakiL5R6ftjGFwWod5wgEBit9QVXdNo:j9ygM3lLalRajGeWmwgEBisVt6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

1476 svhost.exe
Loads dropped DLL 1 IoCs

Processes:

9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe

pid process

2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 bot.whatismyipaddress.com

pid	process
1476	svhost.exe

flow	ioc
3	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe

description	pid	process	target process
PID 2032 set thread context of 1476	2032	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe

pid	process
2032	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
2032	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe

description pid process

Token: SeDebugPrivilege 2032 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe

description	pid	process
Token: SeDebugPrivilege	2032	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.execmd.exe

description	pid	process	target process
PID 2032 wrote to memory of 1208	2032	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	cmd.exe
PID 2032 wrote to memory of 1208	2032	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	cmd.exe
PID 2032 wrote to memory of 1208	2032	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	cmd.exe
PID 2032 wrote to memory of 1208	2032	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	cmd.exe
PID 1208 wrote to memory of 296	1208	cmd.exe	reg.exe
PID 1208 wrote to memory of 296	1208	cmd.exe	reg.exe
PID 1208 wrote to memory of 296	1208	cmd.exe	reg.exe
PID 1208 wrote to memory of 296	1208	cmd.exe	reg.exe
PID 2032 wrote to memory of 1476	2032	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	svhost.exe
PID 2032 wrote to memory of 1476	2032	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	svhost.exe
PID 2032 wrote to memory of 1476	2032	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	svhost.exe
PID 2032 wrote to memory of 1476	2032	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	svhost.exe
PID 2032 wrote to memory of 1476	2032	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	svhost.exe
PID 2032 wrote to memory of 1476	2032	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	svhost.exe
PID 2032 wrote to memory of 1476	2032	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	svhost.exe
PID 2032 wrote to memory of 1476	2032	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	svhost.exe
PID 2032 wrote to memory of 1476	2032	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	svhost.exe

C:\Users\Admin\AppData\Local\Temp\9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
"C:\Users\Admin\AppData\Local\Temp\9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
2⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
3⤵
PID:296

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
2⤵
- Executes dropped EXE
PID:1476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
Filesize
1.1MB

MD5
0ede5189d2124e2de33daca7dfacecd8

SHA1
b5b62e468bbc494bf039a2b84748a1c54ddf21cb

SHA256
9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660

SHA512
dc97f9c4a840ad4968b5ab04824f5253b538103a11735c301e68862acf60469734dded0c322610d2138afb6b87eaa7db56551d1d1b38c7f1480ede0190dfe18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
memory/1476-68-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1476-66-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1476-65-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1476-67-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1476-64-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1476-69-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1476-72-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1476-74-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1476-76-0x00000000021E0000-0x0000000002220000-memory.dmp

Filesize
256KB

Download
memory/1476-78-0x00000000021E0000-0x0000000002220000-memory.dmp

Filesize
256KB

Download
memory/2032-58-0x0000000000200000-0x0000000000240000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads