dee9cb87e2151d18db0a25be238171624efc1538fb2a506d20606c3b7ec63b43

General

Target

1786.exe
Size

71KB
MD5

97d142cd0dd05b2cdc0cab39fe1a3d69
SHA1

d60436101f8787bdf607b7f25d5c8b1b7c45ae53
SHA256

dee9cb87e2151d18db0a25be238171624efc1538fb2a506d20606c3b7ec63b43
SHA512

8fc0f29484f76df0b515397e11a1c6f6de59ad99d8e6f2546cab435280eed91a19d43f7f9ae74b9526ba751634bd3dbfb929107cc89f86360d79ff60e478a526
SSDEEP

1536:HLtlV7smTrzn3bUJ2krRe6Rm8wEeTa7TPxa7e3hci:H/amTrj3C2gZU8feTafxa5i

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4312	1786.exe
5020	1786.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5020	1786.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 4312	1420	1786.exe	69
PID 1420 wrote to memory of 4312	1420	1786.exe	69
PID 4876 wrote to memory of 5020	4876	1786.exe	76
PID 4876 wrote to memory of 5020	4876	1786.exe	76

C:\Users\Admin\AppData\Local\Temp\1786.exe
"C:\Users\Admin\AppData\Local\Temp\1786.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Public\1786.exe
  "C:\Users\Public\1786.exe"
  2⤵
  - Executes dropped EXE
  PID:4312

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\1786.exe
"C:\Users\Admin\AppData\Local\Temp\1786.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Users\Public\1786.exe
  "C:\Users\Public\1786.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:5020

C:\Users\Admin\AppData\Local\Temp\1786.exe
"C:\Users\Admin\AppData\Local\Temp\1786.exe"
1⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\1786.exe
"C:\Users\Admin\AppData\Local\Temp\1786.exe"
1⤵
PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
bcff3cc9377dd9aa54dc3bb8e1cc779c

SHA1
1f316d0d191f890690cf06c4eacf804c034d81a9

SHA256
b2dc714b294bd823f6e024f82cf7ff110aadd14af726aa259dce6546180cda20

SHA512
5fd638450561f7e92bf1310032695651995104881aca743ed9285e54dcaaa3610b59d453505ba431320abef5567618035e346dc0dfa72ebf0fb509ef379ddc1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_B02FB26D2BD635FEF015582E4B06FD72

Filesize
1KB

MD5
bba7a78c360ad52bb03610755393f46d

SHA1
2d9c7b11ac34a4bbb314424fe5524052adc64697

SHA256
94d0be5a4b408138caa6680bda99e9fb1baa5d862cd12370304007b4d4952d96

SHA512
d3e5ac5cb1d21bc0e9542744867119569c15eadd2820ddcf63f23231c87273806df6532e4ba9096cb1b2d5cd22a7bad63307490ffe7eddfabf4d8fb74d14fca4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
7158c73b0208675c9eda5811269c214d

SHA1
2a369dcc789e6a5c19e8ee3d8080900f7b0b0387

SHA256
34d35742336954be4e62875cb0e65bf05e30b04b727d57b953ebe7b8325a1813

SHA512
e1115613f4bc0b52981bfa6e574e483eb522d0f0f4a96cd477a06864c04168a9d3fbdbbfa31a797cbfd65c844e2e95209cdea19848c4b47ecb5705be3df52f98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_B02FB26D2BD635FEF015582E4B06FD72

Filesize
532B

MD5
10ed30c47f60afb989c6b46ee843d1db

SHA1
c66ae725821ce78cbac2487b4b91789448f4143b

SHA256
85ea590439d57bfdfd4e10af7b96be84162321fa67d02c6bafd8e6d2cd9e7267

SHA512
8dce10cdf636b021eb8bcf4449dfbbf2758431adf0f4c2341f150f9264abb325deeb0c95118837eec08b8494875e277d40db58ea31ac13de5ff3bc89d3284330

Download Submit
C:\Users\Public\1786.exe

Filesize
71KB

MD5
97d142cd0dd05b2cdc0cab39fe1a3d69

SHA1
d60436101f8787bdf607b7f25d5c8b1b7c45ae53

SHA256
dee9cb87e2151d18db0a25be238171624efc1538fb2a506d20606c3b7ec63b43

SHA512
8fc0f29484f76df0b515397e11a1c6f6de59ad99d8e6f2546cab435280eed91a19d43f7f9ae74b9526ba751634bd3dbfb929107cc89f86360d79ff60e478a526

Download Submit
C:\Users\Public\1786.exe

Filesize
71KB

MD5
97d142cd0dd05b2cdc0cab39fe1a3d69

SHA1
d60436101f8787bdf607b7f25d5c8b1b7c45ae53

SHA256
dee9cb87e2151d18db0a25be238171624efc1538fb2a506d20606c3b7ec63b43

SHA512
8fc0f29484f76df0b515397e11a1c6f6de59ad99d8e6f2546cab435280eed91a19d43f7f9ae74b9526ba751634bd3dbfb929107cc89f86360d79ff60e478a526

Download Submit
C:\Users\Public\1786.exe

Filesize
71KB

MD5
97d142cd0dd05b2cdc0cab39fe1a3d69

SHA1
d60436101f8787bdf607b7f25d5c8b1b7c45ae53

SHA256
dee9cb87e2151d18db0a25be238171624efc1538fb2a506d20606c3b7ec63b43

SHA512
8fc0f29484f76df0b515397e11a1c6f6de59ad99d8e6f2546cab435280eed91a19d43f7f9ae74b9526ba751634bd3dbfb929107cc89f86360d79ff60e478a526

Download Submit
C:\Users\Public\1786.exe

Filesize
71KB

MD5
97d142cd0dd05b2cdc0cab39fe1a3d69

SHA1
d60436101f8787bdf607b7f25d5c8b1b7c45ae53

SHA256
dee9cb87e2151d18db0a25be238171624efc1538fb2a506d20606c3b7ec63b43

SHA512
8fc0f29484f76df0b515397e11a1c6f6de59ad99d8e6f2546cab435280eed91a19d43f7f9ae74b9526ba751634bd3dbfb929107cc89f86360d79ff60e478a526

Download Submit
memory/5020-134-0x0000000180000000-0x0000000180064000-memory.dmp

Filesize
400KB

Download
memory/5020-135-0x0000000003B90000-0x0000000003BF0000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing