1e7abeab7b40ca56a3f6a8d49cfd86b567bce43b790e01a9d7688789944373fb

General

Target

9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
Size

1.1MB
MD5

0ede5189d2124e2de33daca7dfacecd8
SHA1

b5b62e468bbc494bf039a2b84748a1c54ddf21cb
SHA256

9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660
SHA512

dc97f9c4a840ad4968b5ab04824f5253b538103a11735c301e68862acf60469734dded0c322610d2138afb6b87eaa7db56551d1d1b38c7f1480ede0190dfe18e
SSDEEP

12288:jy0Vd6+UYMUiv4MBBlLakiL5R6ftjGFwWod5wgEBit9QVXdNo:j9ygM3lLalRajGeWmwgEBisVt6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

1596 svhost.exe

pid	process
1596	svhost.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 bot.whatismyipaddress.com

flow	ioc
19	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe

description	pid	process	target process
PID 2456 set thread context of 1596	2456	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	svhost.exe

Drops file in Windows directory 3 IoCs

Processes:

9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
File created	C:\Windows\assembly\Desktop.ini	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe

pid	process
2456	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
2456	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe

description pid process

Token: SeDebugPrivilege 2456 9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe

description	pid	process
Token: SeDebugPrivilege	2456	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.execmd.exe

description	pid	process	target process
PID 2456 wrote to memory of 3552	2456	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	cmd.exe
PID 2456 wrote to memory of 3552	2456	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	cmd.exe
PID 2456 wrote to memory of 3552	2456	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	cmd.exe
PID 3552 wrote to memory of 5100	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 5100	3552	cmd.exe	reg.exe
PID 3552 wrote to memory of 5100	3552	cmd.exe	reg.exe
PID 2456 wrote to memory of 1596	2456	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	svhost.exe
PID 2456 wrote to memory of 1596	2456	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	svhost.exe
PID 2456 wrote to memory of 1596	2456	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	svhost.exe
PID 2456 wrote to memory of 1596	2456	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	svhost.exe
PID 2456 wrote to memory of 1596	2456	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	svhost.exe
PID 2456 wrote to memory of 1596	2456	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	svhost.exe
PID 2456 wrote to memory of 1596	2456	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	svhost.exe
PID 2456 wrote to memory of 1596	2456	9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe	svhost.exe

C:\Users\Admin\AppData\Local\Temp\9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe
"C:\Users\Admin\AppData\Local\Temp\9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
2⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
3⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
2⤵
- Executes dropped EXE
PID:1596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
Filesize
1.1MB

MD5
0ede5189d2124e2de33daca7dfacecd8

SHA1
b5b62e468bbc494bf039a2b84748a1c54ddf21cb

SHA256
9fab4fe1086f37247ca27d6d66a3cbcb72400bf1bbf567665652d41034ecb660

SHA512
dc97f9c4a840ad4968b5ab04824f5253b538103a11735c301e68862acf60469734dded0c322610d2138afb6b87eaa7db56551d1d1b38c7f1480ede0190dfe18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
89KB

MD5
84c42d0f2c1ae761bef884638bc1eacd

SHA1
4353881e7f4e9c7610f4e0489183b55bb58bb574

SHA256
331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3

SHA512
43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
89KB

MD5
84c42d0f2c1ae761bef884638bc1eacd

SHA1
4353881e7f4e9c7610f4e0489183b55bb58bb574

SHA256
331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3

SHA512
43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

Download Submit
memory/1596-143-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1596-146-0x0000000001350000-0x0000000001360000-memory.dmp

Filesize
64KB

Download
memory/1596-149-0x0000000001350000-0x0000000001360000-memory.dmp

Filesize
64KB

Download
memory/2456-133-0x0000000001030000-0x0000000001040000-memory.dmp

Filesize
64KB

Download
memory/2456-147-0x0000000001030000-0x0000000001040000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads