6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e

General

Target

6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
Size

11.0MB
MD5

3b48bae8a78673557477d95cb1f72497
SHA1

34774326f59c24ed2e9604158b0efb9dbc9f8021
SHA256

6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e
SHA512

4958070710b2b2993c70ea1901f58a98713c07e38ecaaec2a704c6973fb0601afed9a79ca36ce44f2e986eac08adc7ebac1526282ac9e367d627ea7d6815878f
SSDEEP

196608:p0GJxCMWJitkSNukRc2+El9CETJTaxEC89l+JlQnri1mdEiZBENhj0SgEyev2V+Z:pxDsJitbc6lZBwf89olQricJ7L5Ov2UZ

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 2012	920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe	95
PID 920 wrote to memory of 2012	920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe	95
PID 920 wrote to memory of 2012	920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe	95
PID 920 wrote to memory of 4116	920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe	96
PID 920 wrote to memory of 4116	920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe	96
PID 920 wrote to memory of 4116	920	6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe	96

C:\Users\Admin\AppData\Local\Temp\6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe
"C:\Users\Admin\AppData\Local\Temp\6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\*60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exe"
  2⤵
  PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\*.dll"
  2⤵
  PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\560228d5b306da6d9df69d35dda253d8.ini

Filesize
2KB

MD5
14379b05fec98219e9d5bb2f7c16221d

SHA1
37829fe2050a37d757cc9417ef5301b1bd30a059

SHA256
08f157eece5052f4da25bd8d3bc93e390d934fe38ce02128fa4bddde4ee3ec86

SHA512
c30fae68fa5b93e5ab4a6002732089c5098ec89c146f39badbbc9f81adb652ea96f637abf97d0c8795126108b47931f2b040ad5f9c56de9749402299c377ec25

Download Submit
C:\Users\Admin\AppData\Local\Temp\560228d5b306da6d9df69d35dda253d8A.ini

Filesize
1KB

MD5
008933c3db3fe610673312574dcf2a19

SHA1
11c01680e1498d1c0936f62b80aa1b7c846b6949

SHA256
b9216e69d90ac3e52b6b3f33aeee070bab479890601dc41034226a92065e5531

SHA512
8bceec2b15b5fb6bd16c53d558da7a7baae9355b1a164c6bbd549f718df0b5bd60785cfb7b0d029bccc5f77b3a131b620bbac9ee609a2b32d1457e6aa2fdea8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6fc60d6049d8b81e1918130958e2f3b0d95e0ce0342dd43c12f9efa0cecf657e.exepack.tmp

Filesize
2KB

MD5
b4f0f55518101fd63ab71837e6e69691

SHA1
db3086c0030171aab915cdc25eeca22fc261825d

SHA256
1ea86b38a091daa4ebc3127a0de7928815a487757af07acdad35993e0f2cc54b

SHA512
efd24bf2cac39020fe1840938f29ed74d9d1a658e3cdd5f3d166f610214ab3eeff1c7c2118c06ab27f93805ceb20b8c57d4000743494e18bee86f40c19cdd4f1

Download Submit
memory/920-5-0x0000000050000000-0x0000000050109000-memory.dmp

Filesize
1.0MB

Download
memory/920-0-0x0000000000400000-0x0000000001CB4000-memory.dmp

Filesize
24.7MB

Download
memory/920-2-0x0000000000400000-0x0000000001CB4000-memory.dmp

Filesize
24.7MB

Download
memory/920-1-0x0000000003A10000-0x0000000003A13000-memory.dmp

Filesize
12KB

Download
memory/920-331-0x0000000000400000-0x0000000001CB4000-memory.dmp

Filesize
24.7MB

Download
memory/920-332-0x0000000000400000-0x0000000001CB4000-memory.dmp

Filesize
24.7MB

Download
memory/920-335-0x0000000003A10000-0x0000000003A13000-memory.dmp

Filesize
12KB

Download
memory/920-336-0x0000000050000000-0x0000000050109000-memory.dmp

Filesize
1.0MB

Download
memory/920-337-0x0000000000400000-0x0000000001CB4000-memory.dmp

Filesize
24.7MB

Download
memory/920-340-0x0000000000400000-0x0000000001CB4000-memory.dmp

Filesize
24.7MB

Download
memory/920-345-0x0000000000400000-0x0000000001CB4000-memory.dmp

Filesize
24.7MB

Download

Analysis

Sharing