7e0fa6073200440c8e01d79cf84c37d2671559a6b24575fc1407ac2166304ca4

General

Target

7e0fa6073200440c8e01d79cf84c37d2671559a6b24575fc1407ac2166304ca4.exe
Size

224KB
MD5

e6562be54a063accea33b6d698cbaddb
SHA1

f71625b5e14ba9b09a0ac430899ecc1217beeaea
SHA256

7e0fa6073200440c8e01d79cf84c37d2671559a6b24575fc1407ac2166304ca4
SHA512

bc47298c5b625ec0f1bf88ba942f0b9f95b21ec3dc912d97904718002c8600965b69400cca3a5f027d81245f9c43654f4728bc99e59ac73bd37149ec23ab500e
SSDEEP

6144:LnPdudwDg2HOO0PQ00j5Kl3whcgGBRLzm0sDmV/T:LnPd82ufPQ001G3cGBtlxT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1120	yzuqlqqr.exe
1280	yzuqlqqr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1120 set thread context of 1280	1120	yzuqlqqr.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1280	yzuqlqqr.exe
1280	yzuqlqqr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1120	yzuqlqqr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1280	yzuqlqqr.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 1120	4004	7e0fa6073200440c8e01d79cf84c37d2671559a6b24575fc1407ac2166304ca4.exe	85
PID 4004 wrote to memory of 1120	4004	7e0fa6073200440c8e01d79cf84c37d2671559a6b24575fc1407ac2166304ca4.exe	85
PID 4004 wrote to memory of 1120	4004	7e0fa6073200440c8e01d79cf84c37d2671559a6b24575fc1407ac2166304ca4.exe	85
PID 1120 wrote to memory of 1280	1120	yzuqlqqr.exe	87
PID 1120 wrote to memory of 1280	1120	yzuqlqqr.exe	87
PID 1120 wrote to memory of 1280	1120	yzuqlqqr.exe	87
PID 1120 wrote to memory of 1280	1120	yzuqlqqr.exe	87

C:\Users\Admin\AppData\Local\Temp\7e0fa6073200440c8e01d79cf84c37d2671559a6b24575fc1407ac2166304ca4.exe
"C:\Users\Admin\AppData\Local\Temp\7e0fa6073200440c8e01d79cf84c37d2671559a6b24575fc1407ac2166304ca4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Users\Admin\AppData\Local\Temp\yzuqlqqr.exe
  "C:\Users\Admin\AppData\Local\Temp\yzuqlqqr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Users\Admin\AppData\Local\Temp\yzuqlqqr.exe
    "C:\Users\Admin\AppData\Local\Temp\yzuqlqqr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nudjjbsiyk.swv

Filesize
127KB

MD5
d8fd03d127f8da7be9a48fb957c69d1b

SHA1
be9f6b9e9178a441a565e4af498fc1d5e736d94c

SHA256
e084328c6eb6a99c77ab7173176d99c441a785bf787e05ae527ef3a71cfa2470

SHA512
a7896f4622ddb4edfd14143f15666aba2e1f6b708e815f454ec164600d34ea8c6ec5eae123f6349d4d2a1a10ffb09cfdab92e92dd24efd4edc878d2eb33c0001

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzuqlqqr.exe

Filesize
176KB

MD5
5797df79a43848b62dde20649c6a5f44

SHA1
e91df03fff8371fc046d9fe771623ad088d4175a

SHA256
b711f2212e78918f8269a913966e1f7e0a178b499b9a10cbefb6cd2cd1166050

SHA512
62af53dec58ef05633ff2bc78b5de0db9c8ef7974b45155cce98e0ccbda2597ce42a676a97b58445366c65b10ee2748d1333f82cd6513703d9c30963408b4163

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzuqlqqr.exe

Filesize
176KB

MD5
5797df79a43848b62dde20649c6a5f44

SHA1
e91df03fff8371fc046d9fe771623ad088d4175a

SHA256
b711f2212e78918f8269a913966e1f7e0a178b499b9a10cbefb6cd2cd1166050

SHA512
62af53dec58ef05633ff2bc78b5de0db9c8ef7974b45155cce98e0ccbda2597ce42a676a97b58445366c65b10ee2748d1333f82cd6513703d9c30963408b4163

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzuqlqqr.exe

Filesize
176KB

MD5
5797df79a43848b62dde20649c6a5f44

SHA1
e91df03fff8371fc046d9fe771623ad088d4175a

SHA256
b711f2212e78918f8269a913966e1f7e0a178b499b9a10cbefb6cd2cd1166050

SHA512
62af53dec58ef05633ff2bc78b5de0db9c8ef7974b45155cce98e0ccbda2597ce42a676a97b58445366c65b10ee2748d1333f82cd6513703d9c30963408b4163

Download Submit
memory/1120-5-0x00000000013B0000-0x00000000013B2000-memory.dmp

Filesize
8KB

Download
memory/1280-13-0x0000000003280000-0x000000000328E000-memory.dmp

Filesize
56KB

Download
memory/1280-18-0x0000000005EB0000-0x0000000006454000-memory.dmp

Filesize
5.6MB

Download
memory/1280-9-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1280-12-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1280-14-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/1280-7-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1280-15-0x00000000058F0000-0x0000000005900000-memory.dmp

Filesize
64KB

Download
memory/1280-17-0x00000000058F0000-0x0000000005900000-memory.dmp

Filesize
64KB

Download
memory/1280-16-0x00000000058F0000-0x0000000005900000-memory.dmp

Filesize
64KB

Download
memory/1280-10-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1280-19-0x00000000058F0000-0x0000000005900000-memory.dmp

Filesize
64KB

Download
memory/1280-20-0x0000000005AE0000-0x0000000005B46000-memory.dmp

Filesize
408KB

Download
memory/1280-21-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/1280-22-0x00000000058F0000-0x0000000005900000-memory.dmp

Filesize
64KB

Download
memory/1280-23-0x00000000058F0000-0x0000000005900000-memory.dmp

Filesize
64KB

Download
memory/1280-24-0x00000000058F0000-0x0000000005900000-memory.dmp

Filesize
64KB

Download
memory/1280-25-0x00000000058F0000-0x0000000005900000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing