c87a7927b960e441bdee32f1636629cd8a894883f161e9a7e658126a4ceb654e

General

Target

3c93857d991f5cff4dac3e46c65a2dbb_JC.exe
Size

208KB
MD5

3c93857d991f5cff4dac3e46c65a2dbb
SHA1

b537ceec3d34c0840211170c7a17529578796146
SHA256

c87a7927b960e441bdee32f1636629cd8a894883f161e9a7e658126a4ceb654e
SHA512

057d147d4cc602ec0a44454db03c7fa1f69732a124906a4fa96372f10eb3a16a5e7ca203c57801fc7c331556b92902b8179a21a0e0b340e57a3b2549c6ace0c1
SSDEEP

3072:MUQNYp/nDIs0YFnF2m2HAPg68jVmo8qNhvDC4r4NLthEjQT6j:YNYp/DI2nF2m2HAUjVmkvW4rQEj1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2632	WZYO.exe

Loads dropped DLL 2 IoCs

pid	Process
2644	cmd.exe
2644	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\windows\SysWOW64\WZYO.exe	3c93857d991f5cff4dac3e46c65a2dbb_JC.exe
File created	C:\windows\SysWOW64\WZYO.exe.bat	3c93857d991f5cff4dac3e46c65a2dbb_JC.exe
File created	C:\windows\SysWOW64\WZYO.exe	3c93857d991f5cff4dac3e46c65a2dbb_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2736	3c93857d991f5cff4dac3e46c65a2dbb_JC.exe
2632	WZYO.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2736	3c93857d991f5cff4dac3e46c65a2dbb_JC.exe
2736	3c93857d991f5cff4dac3e46c65a2dbb_JC.exe
2632	WZYO.exe
2632	WZYO.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2644	2736	3c93857d991f5cff4dac3e46c65a2dbb_JC.exe	28
PID 2736 wrote to memory of 2644	2736	3c93857d991f5cff4dac3e46c65a2dbb_JC.exe	28
PID 2736 wrote to memory of 2644	2736	3c93857d991f5cff4dac3e46c65a2dbb_JC.exe	28
PID 2736 wrote to memory of 2644	2736	3c93857d991f5cff4dac3e46c65a2dbb_JC.exe	28
PID 2644 wrote to memory of 2632	2644	cmd.exe	30
PID 2644 wrote to memory of 2632	2644	cmd.exe	30
PID 2644 wrote to memory of 2632	2644	cmd.exe	30
PID 2644 wrote to memory of 2632	2644	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\3c93857d991f5cff4dac3e46c65a2dbb_JC.exe
"C:\Users\Admin\AppData\Local\Temp\3c93857d991f5cff4dac3e46c65a2dbb_JC.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\WZYO.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\windows\SysWOW64\WZYO.exe
    C:\windows\system32\WZYO.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\WZYO.exe

Filesize
208KB

MD5
2329f1391bff8c031ede1e52c01c412a

SHA1
5a39f9a35a860e513c85d0efb5937859f2b42b1b

SHA256
1a256271d3236200f5d97dbfb17c87ab50095faa2398b874a53d2a4627116eec

SHA512
5f9172e353d1d65ea8a75a36edad4eaa8f548502351b1720de843fa5f7d069f609e700dc9115b5d5adf4301b28e2dbfb4e44f8df2c293d0b4add0b3e93eba088

Download Submit
C:\Windows\SysWOW64\WZYO.exe.bat

Filesize
72B

MD5
3dea428ba9116da4e335c079cf02e7a2

SHA1
812649aaa9266a7b09369658b1f4acb3ad018d6b

SHA256
4ff2880715046976635462cd0e13e402216f35e1ad88afc0d926e1ffed0161fc

SHA512
3fb75becc83e0858f1a363df43b677249b3166dbbf11e76630804f72760d08291694b10ebecfe1f2f59232b25e3b06b46b9383b4dd9edecd862d5b1412f15bb1

Download Submit
C:\windows\SysWOW64\WZYO.exe

Filesize
208KB

MD5
2329f1391bff8c031ede1e52c01c412a

SHA1
5a39f9a35a860e513c85d0efb5937859f2b42b1b

SHA256
1a256271d3236200f5d97dbfb17c87ab50095faa2398b874a53d2a4627116eec

SHA512
5f9172e353d1d65ea8a75a36edad4eaa8f548502351b1720de843fa5f7d069f609e700dc9115b5d5adf4301b28e2dbfb4e44f8df2c293d0b4add0b3e93eba088

Download Submit
C:\windows\SysWOW64\WZYO.exe.bat

Filesize
72B

MD5
3dea428ba9116da4e335c079cf02e7a2

SHA1
812649aaa9266a7b09369658b1f4acb3ad018d6b

SHA256
4ff2880715046976635462cd0e13e402216f35e1ad88afc0d926e1ffed0161fc

SHA512
3fb75becc83e0858f1a363df43b677249b3166dbbf11e76630804f72760d08291694b10ebecfe1f2f59232b25e3b06b46b9383b4dd9edecd862d5b1412f15bb1

Download Submit
\Windows\SysWOW64\WZYO.exe

Filesize
208KB

MD5
2329f1391bff8c031ede1e52c01c412a

SHA1
5a39f9a35a860e513c85d0efb5937859f2b42b1b

SHA256
1a256271d3236200f5d97dbfb17c87ab50095faa2398b874a53d2a4627116eec

SHA512
5f9172e353d1d65ea8a75a36edad4eaa8f548502351b1720de843fa5f7d069f609e700dc9115b5d5adf4301b28e2dbfb4e44f8df2c293d0b4add0b3e93eba088

Download Submit
\Windows\SysWOW64\WZYO.exe

Filesize
208KB

MD5
2329f1391bff8c031ede1e52c01c412a

SHA1
5a39f9a35a860e513c85d0efb5937859f2b42b1b

SHA256
1a256271d3236200f5d97dbfb17c87ab50095faa2398b874a53d2a4627116eec

SHA512
5f9172e353d1d65ea8a75a36edad4eaa8f548502351b1720de843fa5f7d069f609e700dc9115b5d5adf4301b28e2dbfb4e44f8df2c293d0b4add0b3e93eba088

Download Submit
memory/2632-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2632-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2644-17-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/2736-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2736-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing