3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6

General

Target

3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
Size

11.4MB
MD5

c3ff781f8e11d548af1e13c5804f88a3
SHA1

e24e84a693914c3c3ffe354fb6720a725c4b7b95
SHA256

3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6
SHA512

a23cf49b5a84bff4903e903e3d5e00e6c13082752ddf06d2586e884248d1362bc3c08bb6ea78182c8a1bbe941211353e19ee504ba54cbcb2d0b538f830e80354
SSDEEP

196608:jpPaI0j0GGXh1toX6qpZLEkeHaC8h06T9S3QxshY033boETZWIE+jAmlgw17CDTl:jpzxGgdo8keHQK6Je/hY0HkEd6mqw1Gl

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2700	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe

Executes dropped EXE 1 IoCs

pid	Process
2700	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe

Loads dropped DLL 1 IoCs

pid	Process
2568	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
File opened (read-only)	\??\H:	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
File opened (read-only)	\??\N:	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
File opened (read-only)	\??\T:	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
File opened (read-only)	\??\J:	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
File opened (read-only)	\??\L:	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
File opened (read-only)	\??\M:	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
File opened (read-only)	\??\Q:	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
File opened (read-only)	\??\S:	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
File opened (read-only)	\??\U:	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
File opened (read-only)	\??\Z:	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
File opened (read-only)	\??\B:	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
File opened (read-only)	\??\E:	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
File opened (read-only)	\??\K:	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
File opened (read-only)	\??\O:	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
File opened (read-only)	\??\P:	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
File opened (read-only)	\??\X:	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
File opened (read-only)	\??\A:	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
File opened (read-only)	\??\I:	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
File opened (read-only)	\??\R:	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
File opened (read-only)	\??\V:	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
File opened (read-only)	\??\W:	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
File opened (read-only)	\??\Y:	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2700	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2568	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
2568	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
2568	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
2568	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
2568	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
2700	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
2700	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
2700	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
2700	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
2700	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2700	2568	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe	30
PID 2568 wrote to memory of 2700	2568	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe	30
PID 2568 wrote to memory of 2700	2568	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe	30
PID 2568 wrote to memory of 2700	2568	3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe	30

C:\Users\Admin\AppData\Local\Temp\3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
"C:\Users\Admin\AppData\Local\Temp\3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2568
- C:\ÅÌ¹Å»ðÁú\3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
  C:\ÅÌ¹Å»ðÁú\3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5185bc9a55a99fc47d81630ff1370e4c.ini

Filesize
21KB

MD5
252074dd4a89128c116c82bae39aecca

SHA1
6cfe434abf9e0c36ed83f5a26cb7d8a2f3054df4

SHA256
fcacb616a8a1f3ca4a7ee3acbdd5653ee88ea0fb886f7593bee12c56bb498695

SHA512
b6385e8f10a994812088e173c25d3aaa31c7fb0376916ba81f383918f8e77b8c07b1ab85d7588a5e42d625d2904cb819a445127b8c36c25d69ec267e4a79a2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5185bc9a55a99fc47d81630ff1370e4c.ini

Filesize
2KB

MD5
d9cec07521f3d14e1d43991bf04838b6

SHA1
dc8bae42a97724e9507558b6a9243e4f10cf3496

SHA256
d777e0fe6b180f8c76d310f8a2c5b2be44a7d35d3898ad1af058385e0bf9441c

SHA512
2bc9a5960e8e8c5db7e9e6690f4f285015ee83a46acbc8c66d0d21a0691b28383e7db50af608c107784c208feed1da76b917591df86df5dc35c84f227b6158a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\97c971af16c5770f2a165646b9c85047.txt

Filesize
12B

MD5
b939451ae28835685f71af726a6f5fcf

SHA1
0d1234ae007268d660ffe03120e6d6f134d4da48

SHA256
21e247dfebb64855ee18f663a08264207c506074ff69668a3d8503e8a1a02640

SHA512
6d31c158f9e5679c086019c5115235fda25339acc1643748c814956918bf5d0b73320ee0c50f7aacbcbd75a4ef8999ffdb0c6c959911d5c238f8bcbdc0a87c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.dat

Filesize
102B

MD5
20a60f98556f6a44df8f29a6f309ea4a

SHA1
7834f5122403ea21df8da22e44c0269c1ed7caa4

SHA256
b56480ca1307a8521be10230c71a61e5cc4c9f608e551fc076ee68520e4dd9e7

SHA512
91347655cdc40aa8e69b77d5d67b79784cf83172eb3703909cf690b8443e0afb9d3e0419c852db2f88e437d42345a7a3a640c9f9b2f58bd6fc7dbdc0ee81c59e

Download Submit
C:\ÅÌ¹Å»ðÁú\3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe

Filesize
11.4MB

MD5
c3ff781f8e11d548af1e13c5804f88a3

SHA1
e24e84a693914c3c3ffe354fb6720a725c4b7b95

SHA256
3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6

SHA512
a23cf49b5a84bff4903e903e3d5e00e6c13082752ddf06d2586e884248d1362bc3c08bb6ea78182c8a1bbe941211353e19ee504ba54cbcb2d0b538f830e80354

Download Submit
C:\ÅÌ¹Å»ðÁú\3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe

Filesize
11.4MB

MD5
c3ff781f8e11d548af1e13c5804f88a3

SHA1
e24e84a693914c3c3ffe354fb6720a725c4b7b95

SHA256
3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6

SHA512
a23cf49b5a84bff4903e903e3d5e00e6c13082752ddf06d2586e884248d1362bc3c08bb6ea78182c8a1bbe941211353e19ee504ba54cbcb2d0b538f830e80354

Download Submit
\ÅÌ¹Å»ðÁú\3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6.exe

Filesize
11.4MB

MD5
c3ff781f8e11d548af1e13c5804f88a3

SHA1
e24e84a693914c3c3ffe354fb6720a725c4b7b95

SHA256
3f1d85d9c3020e8f5d5ae29a5af347158571ff1f959ca0d7bef9b42a40c0e3c6

SHA512
a23cf49b5a84bff4903e903e3d5e00e6c13082752ddf06d2586e884248d1362bc3c08bb6ea78182c8a1bbe941211353e19ee504ba54cbcb2d0b538f830e80354

Download Submit
memory/2568-75-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/2568-91-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/2568-54-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/2568-76-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/2568-55-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/2700-227-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/2700-240-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/2700-73-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/2700-72-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/2700-90-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/2700-226-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/2700-89-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/2700-231-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/2700-232-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/2700-92-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/2700-241-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/2700-242-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/2700-243-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/2700-244-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/2700-245-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/2700-246-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/2700-247-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/2700-248-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download

Analysis

Sharing