d5aa5334bef163db8f773146c4e4dacd3d81286e380bd2c4574be4dc7bef5b8c

General

Target

d5aa5334bef163db8f773146c4e4dacd3d81286e380bd2c4574be4dc7bef5b8c.exe
Size

15.9MB
MD5

e2f0b0753d4f0273862d6fdaae835cff
SHA1

2083828a3ffb3acb8bb257da7efd5d1fb9606eca
SHA256

d5aa5334bef163db8f773146c4e4dacd3d81286e380bd2c4574be4dc7bef5b8c
SHA512

3603e0b534c2d062c4994795310b84c15e21dada699d622ee4564ef64c8476ee779fb47fb5e16f166ca17788e4fdc81a4118a5c886ee3232efc58b563b79b69b
SSDEEP

393216:8l51ujP+wovICN00IFa1M0LHb57F8h2qiZ2LOGDTxrmmB84FoClZS:8l50bs0bBwkh2qiZ49rjFox

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1908	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
1520	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	d5aa5334bef163db8f773146c4e4dacd3d81286e380bd2c4574be4dc7bef5b8c.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2752	d5aa5334bef163db8f773146c4e4dacd3d81286e380bd2c4574be4dc7bef5b8c.exe
2752	d5aa5334bef163db8f773146c4e4dacd3d81286e380bd2c4574be4dc7bef5b8c.exe
1908	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
1908	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
1520	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
1520	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 1908	2752	d5aa5334bef163db8f773146c4e4dacd3d81286e380bd2c4574be4dc7bef5b8c.exe	90
PID 2752 wrote to memory of 1908	2752	d5aa5334bef163db8f773146c4e4dacd3d81286e380bd2c4574be4dc7bef5b8c.exe	90
PID 2752 wrote to memory of 1908	2752	d5aa5334bef163db8f773146c4e4dacd3d81286e380bd2c4574be4dc7bef5b8c.exe	90
PID 2752 wrote to memory of 4468	2752	d5aa5334bef163db8f773146c4e4dacd3d81286e380bd2c4574be4dc7bef5b8c.exe	91
PID 2752 wrote to memory of 4468	2752	d5aa5334bef163db8f773146c4e4dacd3d81286e380bd2c4574be4dc7bef5b8c.exe	91
PID 2752 wrote to memory of 4468	2752	d5aa5334bef163db8f773146c4e4dacd3d81286e380bd2c4574be4dc7bef5b8c.exe	91
PID 1908 wrote to memory of 1520	1908	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	92
PID 1908 wrote to memory of 1520	1908	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	92
PID 1908 wrote to memory of 1520	1908	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	92
PID 1908 wrote to memory of 3924	1908	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	93
PID 1908 wrote to memory of 3924	1908	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	93
PID 1908 wrote to memory of 3924	1908	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	93

C:\Users\Admin\AppData\Local\Temp\d5aa5334bef163db8f773146c4e4dacd3d81286e380bd2c4574be4dc7bef5b8c.exe
"C:\Users\Admin\AppData\Local\Temp\d5aa5334bef163db8f773146c4e4dacd3d81286e380bd2c4574be4dc7bef5b8c.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
  "C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
    "C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1520
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
    3⤵
    PID:3924
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
  2⤵
  PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs

Filesize
230B

MD5
151b71b54d34e4f2b0b69d83adb0d735

SHA1
5f01862b18c2eb52696bd4ff4625f1c1a3e9cf34

SHA256
cd725db722b7323b3f92ed1f63904d768f965142d17d966c828d0eb246e72730

SHA512
590191f90893efe5d188e52567b3b9d5efc0fdd289e099c52685354b01bf8122201b34f0a48dbf33b9b5fef3cacad6e142f9a0952a2e4a452755eae59cd563b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tem.vbs

Filesize
275B

MD5
2540f8d6250d8d68686a7101cf91975b

SHA1
43a3e3d76f32b06578170573883fdc8920895746

SHA256
8827bbfbc2f74f4b97499c59de224e1f085b164e5552fc701b6f583fd63357f3

SHA512
b4ef38dbf76d782433a5006a1c2fe7d5fab95db896d58b4b42fe6f8c7b46eae78ce69ed9d2e14cd04f0503efa668c7d7f0a096b1c9660be2c51828dbc4042d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe

Filesize
15.9MB

MD5
92e9f180fefc8f6e4376513498903d48

SHA1
e7fb20b661987db4e023f3f073408062f05c8d99

SHA256
a3b3f0a7bb9bb7cc0f588d220429edba88fffdaf4f8c87f44fca1c039fd12d6c

SHA512
a9bbc4722aa73a88cbc75a2d7097c92bcb6321ae8e43c866ce8981c71397c86c4138b243bb29aaef5927ba6b2da5c7ad2dc7ef4dfde64cee9c34c1734030f19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe

Filesize
15.9MB

MD5
92e9f180fefc8f6e4376513498903d48

SHA1
e7fb20b661987db4e023f3f073408062f05c8d99

SHA256
a3b3f0a7bb9bb7cc0f588d220429edba88fffdaf4f8c87f44fca1c039fd12d6c

SHA512
a9bbc4722aa73a88cbc75a2d7097c92bcb6321ae8e43c866ce8981c71397c86c4138b243bb29aaef5927ba6b2da5c7ad2dc7ef4dfde64cee9c34c1734030f19d

Download Submit
memory/1520-151-0x0000000000400000-0x00000000022C3000-memory.dmp

Filesize
30.8MB

Download
memory/1908-142-0x0000000000400000-0x00000000022C3000-memory.dmp

Filesize
30.8MB

Download
memory/2752-133-0x0000000000400000-0x00000000022C2000-memory.dmp

Filesize
30.8MB

Download

Analysis

Sharing