39479abc333ad1ba0b7cef2ba6c385e354be3cb787328503e630353a7b050f10

General

Target

39479abc333ad1ba0b7cef2ba6c385e354be3cb787328503e630353a7b050f10.exe
Size

1.1MB
MD5

583d37942faedf8e44bd1a1878a560fc
SHA1

0dbf4cb93e0ad0721b048fbde62bbb137646b5a4
SHA256

39479abc333ad1ba0b7cef2ba6c385e354be3cb787328503e630353a7b050f10
SHA512

2b73d599d8fcb0fe0fb38befdc276b0e34e3b04b6c0bcee012af5cfb6db4d26c1e9872bad77c7241b98d81442f72c5e08e8732cf5ed9227b026c4702e0b0181c
SSDEEP

24576:VU3x9NhM3GOIeNfseZL9R2sXTFA+G64jrl80n0GXfeaai:Vw7M3GOIaBZL9R2sXTF9/4jrl80nlzai

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Q031c = "C:\\ProgramData\\3sr9FDb7F2gpD8Xz\\Q031c.exe"	Q031c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Q031c.exe

Executes dropped EXE 1 IoCs

pid	Process
2004	Q031c.exe

Loads dropped DLL 2 IoCs

pid	Process
2004	Q031c.exe
2004	Q031c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2004	Q031c.exe
2004	Q031c.exe
2004	Q031c.exe
2004	Q031c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	Q031c.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2004	Q031c.exe
2004	Q031c.exe
2004	Q031c.exe
2004	Q031c.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 1632	4856	39479abc333ad1ba0b7cef2ba6c385e354be3cb787328503e630353a7b050f10.exe	86
PID 4856 wrote to memory of 1632	4856	39479abc333ad1ba0b7cef2ba6c385e354be3cb787328503e630353a7b050f10.exe	86
PID 4856 wrote to memory of 444	4856	39479abc333ad1ba0b7cef2ba6c385e354be3cb787328503e630353a7b050f10.exe	88
PID 4856 wrote to memory of 444	4856	39479abc333ad1ba0b7cef2ba6c385e354be3cb787328503e630353a7b050f10.exe	88
PID 444 wrote to memory of 2004	444	cmd.exe	90
PID 444 wrote to memory of 2004	444	cmd.exe	90
PID 444 wrote to memory of 2004	444	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\39479abc333ad1ba0b7cef2ba6c385e354be3cb787328503e630353a7b050f10.exe
"C:\Users\Admin\AppData\Local\Temp\39479abc333ad1ba0b7cef2ba6c385e354be3cb787328503e630353a7b050f10.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c mkdir C:\ProgramData\3sr9FDb7F2gpD8Xz
  2⤵
  PID:1632
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c C:\ProgramData\3sr9FDb7F2gpD8Xz\Q031c.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\ProgramData\3sr9FDb7F2gpD8Xz\Q031c.exe
    C:\ProgramData\3sr9FDb7F2gpD8Xz\Q031c.exe
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\3sr9FDb7F2gpD8Xz\MSVCR100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\ProgramData\3sr9FDb7F2gpD8Xz\Q031c.exe

Filesize
16KB

MD5
973b4b2658796840ad6ff9ac1cb21383

SHA1
2ae4808a1d7e450707a9f928ea13cd73e5040431

SHA256
f671045566c60930dc459aa30e2bb38f25525e670bf72f7b69c1f918ae3d9565

SHA512
42e313fae2f84c6ecc7b5c2c4178bcbcf3043fd239d9b05f5614b64e2d8841a7fe54a0786c1b5752bb1b54079b9873d6ade63e7b00cb4118a007d3d0360d6b4c

Download Submit
C:\ProgramData\3sr9FDb7F2gpD8Xz\Q031c.exe

Filesize
16KB

MD5
973b4b2658796840ad6ff9ac1cb21383

SHA1
2ae4808a1d7e450707a9f928ea13cd73e5040431

SHA256
f671045566c60930dc459aa30e2bb38f25525e670bf72f7b69c1f918ae3d9565

SHA512
42e313fae2f84c6ecc7b5c2c4178bcbcf3043fd239d9b05f5614b64e2d8841a7fe54a0786c1b5752bb1b54079b9873d6ade63e7b00cb4118a007d3d0360d6b4c

Download Submit
C:\ProgramData\3sr9FDb7F2gpD8Xz\Q031c.txt

Filesize
915B

MD5
46868fa44781a501088586680694e1be

SHA1
f58776e05884daab122a0a7ad17d1b0485b637d3

SHA256
bd4873230364fb5e8f14d68368b98b403713530a1b7e94bac070205b2262e7e6

SHA512
39e61b6f7bfdfc87097a5326f1f33a81fcac5871ea485a72cb461dc744b31dd603c3cd68d24a2f9c8671144f7a26c408722ad20aa71fb76a0e81ef0917c0e423

Download Submit
C:\ProgramData\3sr9FDb7F2gpD8Xz\jli.dll

Filesize
604KB

MD5
41c0881a2ed7e8f264b6fb150c71fb68

SHA1
e7d2dcf5361a3863ebbc3a9144abc782ff34dc7c

SHA256
073031b8844a870a00c4edff435e4025e18f30912cc0b22dd31196666f5b1aa6

SHA512
b8ef5dbbb502d0cf78de5dcfdadf818c5ecc59706f0c57a3830a5c61d154ac78be72a9f821777156749572e223dd072c732d69bf621b669b7406d73decc25959

Download Submit
C:\ProgramData\3sr9FDb7F2gpD8Xz\jli.dll

Filesize
604KB

MD5
41c0881a2ed7e8f264b6fb150c71fb68

SHA1
e7d2dcf5361a3863ebbc3a9144abc782ff34dc7c

SHA256
073031b8844a870a00c4edff435e4025e18f30912cc0b22dd31196666f5b1aa6

SHA512
b8ef5dbbb502d0cf78de5dcfdadf818c5ecc59706f0c57a3830a5c61d154ac78be72a9f821777156749572e223dd072c732d69bf621b669b7406d73decc25959

Download Submit
C:\ProgramData\3sr9FDb7F2gpD8Xz\msvcr100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
memory/2004-24-0x0000000003CF0000-0x0000000003D46000-memory.dmp

Filesize
344KB

Download
memory/2004-30-0x0000000004700000-0x0000000004875000-memory.dmp

Filesize
1.5MB

Download
memory/2004-13-0x0000000002B20000-0x0000000002C07000-memory.dmp

Filesize
924KB

Download
memory/2004-12-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/2004-16-0x0000000002B20000-0x0000000002C07000-memory.dmp

Filesize
924KB

Download
memory/2004-17-0x0000000002B20000-0x0000000002C07000-memory.dmp

Filesize
924KB

Download
memory/2004-18-0x0000000002B20000-0x0000000002C07000-memory.dmp

Filesize
924KB

Download
memory/2004-19-0x0000000002B20000-0x0000000002C07000-memory.dmp

Filesize
924KB

Download
memory/2004-20-0x0000000003AD0000-0x0000000003CE1000-memory.dmp

Filesize
2.1MB

Download
memory/2004-42-0x0000000004880000-0x00000000048D2000-memory.dmp

Filesize
328KB

Download
memory/2004-26-0x00000000040A0000-0x000000000418B000-memory.dmp

Filesize
940KB

Download
memory/2004-41-0x0000000004880000-0x00000000048D2000-memory.dmp

Filesize
328KB

Download
memory/2004-29-0x00000000041B0000-0x0000000004249000-memory.dmp

Filesize
612KB

Download
memory/2004-14-0x0000000002B20000-0x0000000002C07000-memory.dmp

Filesize
924KB

Download
memory/2004-31-0x0000000004700000-0x0000000004875000-memory.dmp

Filesize
1.5MB

Download
memory/2004-33-0x0000000004880000-0x00000000048D2000-memory.dmp

Filesize
328KB

Download
memory/2004-34-0x0000000003790000-0x0000000003791000-memory.dmp

Filesize
4KB

Download
memory/2004-35-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download
memory/2004-36-0x0000000003AD0000-0x0000000003CE1000-memory.dmp

Filesize
2.1MB

Download
memory/2004-37-0x0000000003CF0000-0x0000000003D46000-memory.dmp

Filesize
344KB

Download
memory/2004-38-0x00000000040A0000-0x000000000418B000-memory.dmp

Filesize
940KB

Download
memory/2004-39-0x00000000041B0000-0x0000000004249000-memory.dmp

Filesize
612KB

Download
memory/2004-40-0x0000000004700000-0x0000000004875000-memory.dmp

Filesize
1.5MB

Download
memory/4856-5-0x00007FF64F6A0000-0x00007FF64F8D8000-memory.dmp

Filesize
2.2MB

Download
memory/4856-0-0x00007FF64F6A0000-0x00007FF64F8D8000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads