9e7a9075f7768c7de19e90ea81daae9082c3f26f6d4f82cd22d337ae3d81bf89

General

Target

9e7a9075f7768c7de19e90ea81daae9082c3f26f6d4f82cd22d337ae3d81bf89.exe
Size

15.8MB
MD5

88c4d7d64fed2d4067e130f163aff0f5
SHA1

fdbe4df2c5500a280b3eadef490c23521c7b884a
SHA256

9e7a9075f7768c7de19e90ea81daae9082c3f26f6d4f82cd22d337ae3d81bf89
SHA512

90a65376054d55f7d495aa254e62274bf5dae4835ceb5f64371b9d69d4f29e6362426b132dda549653d999daf10b64a896f05815623dc1c92429579f6a8f3eb3
SSDEEP

393216:NP8u11Vsq9t0HC1DmLEUx0PHmylDnfQBypJEf2QI:NkCsqAi1DmJx0GypJEfg

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
2396	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
2204	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
828	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe

Loads dropped DLL 3 IoCs

pid	Process
1196	9e7a9075f7768c7de19e90ea81daae9082c3f26f6d4f82cd22d337ae3d81bf89.exe
1196	9e7a9075f7768c7de19e90ea81daae9082c3f26f6d4f82cd22d337ae3d81bf89.exe
2204	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1196	9e7a9075f7768c7de19e90ea81daae9082c3f26f6d4f82cd22d337ae3d81bf89.exe
1196	9e7a9075f7768c7de19e90ea81daae9082c3f26f6d4f82cd22d337ae3d81bf89.exe
2204	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
2204	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
828	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
828	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2204	1196	9e7a9075f7768c7de19e90ea81daae9082c3f26f6d4f82cd22d337ae3d81bf89.exe	30
PID 1196 wrote to memory of 2204	1196	9e7a9075f7768c7de19e90ea81daae9082c3f26f6d4f82cd22d337ae3d81bf89.exe	30
PID 1196 wrote to memory of 2204	1196	9e7a9075f7768c7de19e90ea81daae9082c3f26f6d4f82cd22d337ae3d81bf89.exe	30
PID 1196 wrote to memory of 2204	1196	9e7a9075f7768c7de19e90ea81daae9082c3f26f6d4f82cd22d337ae3d81bf89.exe	30
PID 1196 wrote to memory of 2396	1196	9e7a9075f7768c7de19e90ea81daae9082c3f26f6d4f82cd22d337ae3d81bf89.exe	31
PID 1196 wrote to memory of 2396	1196	9e7a9075f7768c7de19e90ea81daae9082c3f26f6d4f82cd22d337ae3d81bf89.exe	31
PID 1196 wrote to memory of 2396	1196	9e7a9075f7768c7de19e90ea81daae9082c3f26f6d4f82cd22d337ae3d81bf89.exe	31
PID 1196 wrote to memory of 2396	1196	9e7a9075f7768c7de19e90ea81daae9082c3f26f6d4f82cd22d337ae3d81bf89.exe	31
PID 2204 wrote to memory of 828	2204	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	32
PID 2204 wrote to memory of 828	2204	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	32
PID 2204 wrote to memory of 828	2204	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	32
PID 2204 wrote to memory of 828	2204	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	32
PID 2204 wrote to memory of 1140	2204	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	33
PID 2204 wrote to memory of 1140	2204	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	33
PID 2204 wrote to memory of 1140	2204	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	33
PID 2204 wrote to memory of 1140	2204	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	33

C:\Users\Admin\AppData\Local\Temp\9e7a9075f7768c7de19e90ea81daae9082c3f26f6d4f82cd22d337ae3d81bf89.exe
"C:\Users\Admin\AppData\Local\Temp\9e7a9075f7768c7de19e90ea81daae9082c3f26f6d4f82cd22d337ae3d81bf89.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
  "C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
    "C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:828
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
    3⤵
    PID:1140
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
  2⤵
  - Deletes itself
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs

Filesize
275B

MD5
f9849e00841c0d05e5c1f09e16ee4f94

SHA1
dea3430f659a07940fbc1aa11ca9b8e6759e9d18

SHA256
0900fc9577f8ca50ffc6731ef91e66c3f715aac2b346f8c45e3fa27d965ad5ba

SHA512
e831c373b0012ef62c077e25e852121ea08782f6c50b5715694e0a199fcfbf38d3972be6c6716c12bdceec1e5a2dd6dde25b49c4ef0810be0a4b95a9869e9d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tem.vbs

Filesize
230B

MD5
151b71b54d34e4f2b0b69d83adb0d735

SHA1
5f01862b18c2eb52696bd4ff4625f1c1a3e9cf34

SHA256
cd725db722b7323b3f92ed1f63904d768f965142d17d966c828d0eb246e72730

SHA512
590191f90893efe5d188e52567b3b9d5efc0fdd289e099c52685354b01bf8122201b34f0a48dbf33b9b5fef3cacad6e142f9a0952a2e4a452755eae59cd563b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe

Filesize
15.8MB

MD5
b8365b1012185bcc787632a75fac6111

SHA1
24c89b5b7123a116a8e91753621df651b5c5bc11

SHA256
9527eadb8f63516236cd6abf5f2a09a3d40f58624194aae580be9126273deaa5

SHA512
b5e922f3399eb1fc63291244941adbc7d7f63718864afa0b14870175cdd2d1101326bad6d327ff2fab53557ccc297968c3b2d8cf117eb95becceedd936d6cbbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe

Filesize
15.8MB

MD5
b8365b1012185bcc787632a75fac6111

SHA1
24c89b5b7123a116a8e91753621df651b5c5bc11

SHA256
9527eadb8f63516236cd6abf5f2a09a3d40f58624194aae580be9126273deaa5

SHA512
b5e922f3399eb1fc63291244941adbc7d7f63718864afa0b14870175cdd2d1101326bad6d327ff2fab53557ccc297968c3b2d8cf117eb95becceedd936d6cbbc

Download Submit
\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe

Filesize
15.8MB

MD5
b8365b1012185bcc787632a75fac6111

SHA1
24c89b5b7123a116a8e91753621df651b5c5bc11

SHA256
9527eadb8f63516236cd6abf5f2a09a3d40f58624194aae580be9126273deaa5

SHA512
b5e922f3399eb1fc63291244941adbc7d7f63718864afa0b14870175cdd2d1101326bad6d327ff2fab53557ccc297968c3b2d8cf117eb95becceedd936d6cbbc

Download Submit
\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe

Filesize
15.8MB

MD5
b8365b1012185bcc787632a75fac6111

SHA1
24c89b5b7123a116a8e91753621df651b5c5bc11

SHA256
9527eadb8f63516236cd6abf5f2a09a3d40f58624194aae580be9126273deaa5

SHA512
b5e922f3399eb1fc63291244941adbc7d7f63718864afa0b14870175cdd2d1101326bad6d327ff2fab53557ccc297968c3b2d8cf117eb95becceedd936d6cbbc

Download Submit
\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe

Filesize
15.8MB

MD5
b8365b1012185bcc787632a75fac6111

SHA1
24c89b5b7123a116a8e91753621df651b5c5bc11

SHA256
9527eadb8f63516236cd6abf5f2a09a3d40f58624194aae580be9126273deaa5

SHA512
b5e922f3399eb1fc63291244941adbc7d7f63718864afa0b14870175cdd2d1101326bad6d327ff2fab53557ccc297968c3b2d8cf117eb95becceedd936d6cbbc

Download Submit
memory/828-21-0x0000000000400000-0x00000000022BA000-memory.dmp

Filesize
30.7MB

Download
memory/1196-0-0x0000000000400000-0x00000000022B6000-memory.dmp

Filesize
30.7MB

Download
memory/2204-11-0x0000000000400000-0x00000000022BA000-memory.dmp

Filesize
30.7MB

Download

Analysis

Sharing