21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678

General

Target

21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
Size

12.4MB
MD5

7044915e733fda84650e589dac5ef95f
SHA1

6a5b6601b065898675cf65267c1d5e05ec5fb3c3
SHA256

21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678
SHA512

a62e2526e97cb9bbe6c041ee5c848e5a43a2380d83bec0db13450e50ea4b4fc8ab8eea12d953555efdfc16fc241227846d472bca9d1a2c223dec6f64b2844ca3
SSDEEP

393216:b/NlbXEOb4mYRKQo1KueMwEvCUy9oRbfbOGh:b/NljEOUmhQo1Kue/EvCLSDqGh

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2848	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe

Executes dropped EXE 1 IoCs

pid	Process
2848	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe

Loads dropped DLL 1 IoCs

pid	Process
2076	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
File opened (read-only)	\??\Q:	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
File opened (read-only)	\??\R:	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
File opened (read-only)	\??\S:	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
File opened (read-only)	\??\Y:	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
File opened (read-only)	\??\A:	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
File opened (read-only)	\??\B:	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
File opened (read-only)	\??\E:	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
File opened (read-only)	\??\G:	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
File opened (read-only)	\??\I:	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
File opened (read-only)	\??\N:	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
File opened (read-only)	\??\H:	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
File opened (read-only)	\??\J:	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
File opened (read-only)	\??\K:	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
File opened (read-only)	\??\M:	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
File opened (read-only)	\??\U:	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
File opened (read-only)	\??\W:	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
File opened (read-only)	\??\L:	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
File opened (read-only)	\??\P:	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
File opened (read-only)	\??\T:	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
File opened (read-only)	\??\V:	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
File opened (read-only)	\??\X:	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
File opened (read-only)	\??\Z:	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2848	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2076	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
2076	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
2076	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
2076	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
2076	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
2848	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
2848	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
2848	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
2848	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
2848	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2848	2076	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe	29
PID 2076 wrote to memory of 2848	2076	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe	29
PID 2076 wrote to memory of 2848	2076	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe	29
PID 2076 wrote to memory of 2848	2076	21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe	29

C:\Users\Admin\AppData\Local\Temp\21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
"C:\Users\Admin\AppData\Local\Temp\21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2076
- C:\21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678\21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
  C:\21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678\21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678\21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe

Filesize
12.4MB

MD5
7044915e733fda84650e589dac5ef95f

SHA1
6a5b6601b065898675cf65267c1d5e05ec5fb3c3

SHA256
21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678

SHA512
a62e2526e97cb9bbe6c041ee5c848e5a43a2380d83bec0db13450e50ea4b4fc8ab8eea12d953555efdfc16fc241227846d472bca9d1a2c223dec6f64b2844ca3

Download Submit
C:\21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678\21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe

Filesize
12.4MB

MD5
7044915e733fda84650e589dac5ef95f

SHA1
6a5b6601b065898675cf65267c1d5e05ec5fb3c3

SHA256
21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678

SHA512
a62e2526e97cb9bbe6c041ee5c848e5a43a2380d83bec0db13450e50ea4b4fc8ab8eea12d953555efdfc16fc241227846d472bca9d1a2c223dec6f64b2844ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f97a0044289555bef5057045ff2c0ad.ini

Filesize
18KB

MD5
05bd4fd84371753bba968efd931e9cc2

SHA1
c905666190a47e11713f69f8a53e05bb66dc29ee

SHA256
1907ed0d471956525516a15bce092e679902ecff9550c5e49ce7841f536f0176

SHA512
9a935f55fc38c3381e2e28479360ba239e8c64c38b143b8371b7f39512c91a0416245f1eaa169b86206c782dfb83d081d969e0aff3ff3de32ce659d892a773aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d6c93e5bc6e486d43ec8c36a59ab2fd.tmp

Filesize
67B

MD5
225ed407f12376451a63e81feb899375

SHA1
38225422785cfb3a7b6524ee0211ae77497eb7ce

SHA256
af27c07eee39a7acab578c93c65c788845f20ead230feb29e9bfe980843b7a1d

SHA512
5f44aa66635d34242ecb05cc79bda33211b7e5479861dd486b88d78d5d2c9b4eb2a4fa0770c2db54c6222016a97d27da4f2e0855062a2825b7a4ddb8c0390a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.tmp

Filesize
102B

MD5
2ea600782f6d9cf9d05337d833f09dea

SHA1
3992be167faf9ffbc0a210017bc42f4e6ca6b8fa

SHA256
19bb6670e02692762e07fe1e00a66f647ec3e2f91b2ee7ed2bf6c82c88607b32

SHA512
bd91184619adf76411c4c8cc8f5b926b097f39a437be38e820d41df190dc39d34dc4522277a40bdeb3a1364c141b5145641283b8e2057c2cc54187ea2c13176e

Download Submit
\21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678\21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678.exe

Filesize
12.4MB

MD5
7044915e733fda84650e589dac5ef95f

SHA1
6a5b6601b065898675cf65267c1d5e05ec5fb3c3

SHA256
21522be9ceffae83725a8dba8bc537bf8ec4e385ee84ca35ca5c3f157db0c678

SHA512
a62e2526e97cb9bbe6c041ee5c848e5a43a2380d83bec0db13450e50ea4b4fc8ab8eea12d953555efdfc16fc241227846d472bca9d1a2c223dec6f64b2844ca3

Download Submit
memory/2076-65-0x0000000006980000-0x00000000071B5000-memory.dmp

Filesize
8.2MB

Download
memory/2076-70-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/2076-69-0x0000000000400000-0x0000000000C35000-memory.dmp

Filesize
8.2MB

Download
memory/2076-54-0x0000000000400000-0x0000000000C35000-memory.dmp

Filesize
8.2MB

Download
memory/2076-57-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2076-56-0x0000000000400000-0x0000000000C35000-memory.dmp

Filesize
8.2MB

Download
memory/2076-55-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/2848-66-0x0000000000400000-0x0000000000C35000-memory.dmp

Filesize
8.2MB

Download
memory/2848-67-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing