66676967121a4a6c888272333421b82973cb9b8c58d85b56aaa64be3ab2149bc

General

Target

e8fd17e6d28f1406f23069fc57dcbccc_JC.exe
Size

289KB
MD5

e8fd17e6d28f1406f23069fc57dcbccc
SHA1

84ed8ef932642a7ac4e14c5aaf574fcefb5fdde1
SHA256

66676967121a4a6c888272333421b82973cb9b8c58d85b56aaa64be3ab2149bc
SHA512

f245c1b7b65b9784ea24aa4c911082821a3acbf8b99ea90117b5b1d8355264e17e619b2017da8ce3c269a6e50bb40bd4c4b84bd7a74b92b84c8d361303447691
SSDEEP

6144:U5wLulwRBdtGFGo6YpO9sxkECzJLaQVbU5:zua7dtGFGn7GxklJLJbU5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2712	RKVEEQN.exe

Loads dropped DLL 2 IoCs

pid	Process
1968	cmd.exe
1968	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\RKVEEQN.exe	e8fd17e6d28f1406f23069fc57dcbccc_JC.exe
File opened for modification	C:\windows\SysWOW64\RKVEEQN.exe	e8fd17e6d28f1406f23069fc57dcbccc_JC.exe
File created	C:\windows\SysWOW64\RKVEEQN.exe.bat	e8fd17e6d28f1406f23069fc57dcbccc_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1688	e8fd17e6d28f1406f23069fc57dcbccc_JC.exe
2712	RKVEEQN.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1688	e8fd17e6d28f1406f23069fc57dcbccc_JC.exe
1688	e8fd17e6d28f1406f23069fc57dcbccc_JC.exe
2712	RKVEEQN.exe
2712	RKVEEQN.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1968	1688	e8fd17e6d28f1406f23069fc57dcbccc_JC.exe	28
PID 1688 wrote to memory of 1968	1688	e8fd17e6d28f1406f23069fc57dcbccc_JC.exe	28
PID 1688 wrote to memory of 1968	1688	e8fd17e6d28f1406f23069fc57dcbccc_JC.exe	28
PID 1688 wrote to memory of 1968	1688	e8fd17e6d28f1406f23069fc57dcbccc_JC.exe	28
PID 1968 wrote to memory of 2712	1968	cmd.exe	30
PID 1968 wrote to memory of 2712	1968	cmd.exe	30
PID 1968 wrote to memory of 2712	1968	cmd.exe	30
PID 1968 wrote to memory of 2712	1968	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\e8fd17e6d28f1406f23069fc57dcbccc_JC.exe
"C:\Users\Admin\AppData\Local\Temp\e8fd17e6d28f1406f23069fc57dcbccc_JC.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\RKVEEQN.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\windows\SysWOW64\RKVEEQN.exe
    C:\windows\system32\RKVEEQN.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\RKVEEQN.exe

Filesize
289KB

MD5
9a66e7cd1c73af404c2083c8e7ffccef

SHA1
afa18f043a5725a7eb42f7d55016e020fad9f0df

SHA256
7cda0f9ca118a97d32de76061d9671296ff819d9aa535023d28eb9c1d59c0593

SHA512
54513fbb50ff30f1a8a16b0ae06527d5ade4983c86f37ea2f8e732573deafcbf2d9b59ad296aa5f0dd4d0167a34e0e1a8ff01fc31f6bcf2ed935ad91a9a76d2e

Download Submit
C:\Windows\SysWOW64\RKVEEQN.exe.bat

Filesize
78B

MD5
688e155a356004741029cb33a983a5aa

SHA1
5f53de71e61770e84cc8cb1de514027864be31f6

SHA256
4903535b8038257ce952991d397175eb12a35178287d2c4d78ad39988238e820

SHA512
aff7056c9e59a631f08068bafe39c685b9d4a0a304fb3f70da8579171bdf0a70670b5fc1655429a2c8f5938a37d66af79abb7fe3916b52ac7e8a065a50643c58

Download Submit
C:\windows\SysWOW64\RKVEEQN.exe

Filesize
289KB

MD5
9a66e7cd1c73af404c2083c8e7ffccef

SHA1
afa18f043a5725a7eb42f7d55016e020fad9f0df

SHA256
7cda0f9ca118a97d32de76061d9671296ff819d9aa535023d28eb9c1d59c0593

SHA512
54513fbb50ff30f1a8a16b0ae06527d5ade4983c86f37ea2f8e732573deafcbf2d9b59ad296aa5f0dd4d0167a34e0e1a8ff01fc31f6bcf2ed935ad91a9a76d2e

Download Submit
C:\windows\SysWOW64\RKVEEQN.exe.bat

Filesize
78B

MD5
688e155a356004741029cb33a983a5aa

SHA1
5f53de71e61770e84cc8cb1de514027864be31f6

SHA256
4903535b8038257ce952991d397175eb12a35178287d2c4d78ad39988238e820

SHA512
aff7056c9e59a631f08068bafe39c685b9d4a0a304fb3f70da8579171bdf0a70670b5fc1655429a2c8f5938a37d66af79abb7fe3916b52ac7e8a065a50643c58

Download Submit
\Windows\SysWOW64\RKVEEQN.exe

Filesize
289KB

MD5
9a66e7cd1c73af404c2083c8e7ffccef

SHA1
afa18f043a5725a7eb42f7d55016e020fad9f0df

SHA256
7cda0f9ca118a97d32de76061d9671296ff819d9aa535023d28eb9c1d59c0593

SHA512
54513fbb50ff30f1a8a16b0ae06527d5ade4983c86f37ea2f8e732573deafcbf2d9b59ad296aa5f0dd4d0167a34e0e1a8ff01fc31f6bcf2ed935ad91a9a76d2e

Download Submit
\Windows\SysWOW64\RKVEEQN.exe

Filesize
289KB

MD5
9a66e7cd1c73af404c2083c8e7ffccef

SHA1
afa18f043a5725a7eb42f7d55016e020fad9f0df

SHA256
7cda0f9ca118a97d32de76061d9671296ff819d9aa535023d28eb9c1d59c0593

SHA512
54513fbb50ff30f1a8a16b0ae06527d5ade4983c86f37ea2f8e732573deafcbf2d9b59ad296aa5f0dd4d0167a34e0e1a8ff01fc31f6bcf2ed935ad91a9a76d2e

Download Submit
memory/1688-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1688-12-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1968-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1968-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1968-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2712-21-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2712-22-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing