1beed580b630ba354c9d608b6cc84550a3f7a02945721e119b73746eb01a23d1

General

Target

146bcdd801291ab58fba3cf8f3e7de70.exe
Size

198KB
MD5

146bcdd801291ab58fba3cf8f3e7de70
SHA1

aa1b8e232a914278092e1c69d7f9985867740e44
SHA256

1beed580b630ba354c9d608b6cc84550a3f7a02945721e119b73746eb01a23d1
SHA512

d3782f1d190d56a97b0b7cbf3848e250afacb740576f5b4a7df608650d956912d57c31dce93a462efd2993ffb86d7449a1360136322ce42e09b6b0d4247be180
SSDEEP

6144:ZsaocyLC1bE1qgDpJJxXCAkPBKx3ErxSnvSx:ZtobWo1VxXN3ErOw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1692	installer.exe
2668	8326f16e-dd66-11e2-a752-00259033c1da.exe

Loads dropped DLL 3 IoCs

pid	Process
1144	146bcdd801291ab58fba3cf8f3e7de70.exe
1144	146bcdd801291ab58fba3cf8f3e7de70.exe
1144	146bcdd801291ab58fba3cf8f3e7de70.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2668	8326f16e-dd66-11e2-a752-00259033c1da.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	8326f16e-dd66-11e2-a752-00259033c1da.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2668	8326f16e-dd66-11e2-a752-00259033c1da.exe
2668	8326f16e-dd66-11e2-a752-00259033c1da.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 1692	1144	146bcdd801291ab58fba3cf8f3e7de70.exe	19
PID 1144 wrote to memory of 1692	1144	146bcdd801291ab58fba3cf8f3e7de70.exe	19
PID 1144 wrote to memory of 1692	1144	146bcdd801291ab58fba3cf8f3e7de70.exe	19
PID 1144 wrote to memory of 1692	1144	146bcdd801291ab58fba3cf8f3e7de70.exe	19
PID 1692 wrote to memory of 2668	1692	installer.exe	22
PID 1692 wrote to memory of 2668	1692	installer.exe	22
PID 1692 wrote to memory of 2668	1692	installer.exe	22
PID 1692 wrote to memory of 2668	1692	installer.exe	22
PID 1692 wrote to memory of 2668	1692	installer.exe	22
PID 1692 wrote to memory of 2668	1692	installer.exe	22
PID 1692 wrote to memory of 2668	1692	installer.exe	22

C:\Users\Admin\AppData\Local\Temp\146bcdd801291ab58fba3cf8f3e7de70.exe
"C:\Users\Admin\AppData\Local\Temp\146bcdd801291ab58fba3cf8f3e7de70.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Users\Admin\AppData\Local\Temp\nsy428E.tmp\installer.exe
  C:\Users\Admin\AppData\Local\Temp\nsy428E.tmp\installer.exe 8326f16e-dd66-11e2-a752-00259033c1da.exe /t10281b516a2fab5cb035724d4b92bd /dT132110401S10281b516a2fab5cb035724d4b92bd /e9107993 /u8326f16e-dd66-11e2-a752-00259033c1da
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Local\Temp\nsy428E.tmp\8326f16e-dd66-11e2-a752-00259033c1da.exe
    /t10281b516a2fab5cb035724d4b92bd /dT132110401S10281b516a2fab5cb035724d4b92bd /e9107993 /u8326f16e-dd66-11e2-a752-00259033c1da
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy428E.tmp\8326f16e-dd66-11e2-a752-00259033c1da.exe

Filesize
46KB

MD5
17f87a23c790a5183a86f96834745fd7

SHA1
e6992ddc8231ad3f15e8b4aae2da9f1ca3463993

SHA256
39b3436dffd49aa6112f3826308f91a5357653e101501a9d7855ee221caa4578

SHA512
147b5226f33fd2d23cbf3df0a5a39137b6fb46fcfa4f23b70aaf7cff8ad27c32214c56b54b0581bdc6bbf9ed9c48c69bd34525964d747fccea3cd5a6e171a158

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy428E.tmp\8326f16e-dd66-11e2-a752-00259033c1da.exe

Filesize
64KB

MD5
ea6dffb347bd1dc99077651c820d5822

SHA1
6611bfc61f1d178ebf28ddbb87b0fcb4dcb2d76c

SHA256
b3c29f5151187f39f600197bb3c457a26371784f26013121fb44fe10cfe2a453

SHA512
38307e4a0dd695399317ff298c7a2c40ea59e37a44b8ecb792f53189be87911f7007f945487cd59e8525be34a5e6311d9fb73f18fc9e4f2bc24bbe5f7d05d688

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy428E.tmp\installer.exe

Filesize
27KB

MD5
606d98dd7d3e734273b2240436958311

SHA1
dcc7c05206f86b9bba15d4d7ced5cda893b0fadc

SHA256
dbcf90b61bcb812dac0b5492e4778cdac88b84cabbc8dc537b0152ff33a5f8c7

SHA512
e8a81d31cda3a61459597c96127afd2cc44f28897bdbcc173937f9b71bf728ca9750613415cf920552df12169806f66eb14c354c4664865744b18b63e2f4af5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy428E.tmp\installer.exe

Filesize
13KB

MD5
fd974d6d8b34c786818863ca91032a18

SHA1
258b0ef567b6afbe51fe1562da02cf835387b0ba

SHA256
8ce5ca386eef29aa5b953a566726e9857353097295c397b79ca6942c0b69a8c2

SHA512
996e5b074ba95c81d5130c09c5384d1e0c49a30c00b88681b6581d32176ec2e2a8c92f548c4a8b14854625a6d86f68012c5be4d6cf45761032785e44d659f1f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy428E.tmp\installer.exe

Filesize
64KB

MD5
eeaabc60b606ebaa546950fa599ad129

SHA1
b9f43ebd706dc6ea4cf61a618f53189e61be22b5

SHA256
456d57aa2d13cd1b3bc1fb63b2ac85cb4ce8940a015bdb10226a6ea9965ef320

SHA512
1e8a65cd1b24f607f4d8a9ad80768b494140d54687996e6f4c5f39d5a550597403a74e4ca42a64ebac6afb07232aecdd745ed84db255745be912f953b09c1dc6

Download Submit
\Users\Admin\AppData\Local\Temp\nsy428E.tmp\installer.exe

Filesize
10KB

MD5
2df64cb7fb4df88162e3593d4b5508b5

SHA1
b05257cde1e3aab66140190161e60024b60260ca

SHA256
28f0ff1530f230920c0059294c1366188df3b18bff233ba7d82fe1ac9142e144

SHA512
6ba410b11519d0f737c40640d7f625c370b0ac84c9d20ea8844670ea2ca279aee15db8ff769e308f59b818b379f0dc05d59a3358f5043fef9c0f07f80918d08d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy428E.tmp\nsExec.dll

Filesize
8KB

MD5
9f4abe9c1c095cdb505df5db52644d44

SHA1
94295f495f5535e0143107d3ca34141c943ec0b5

SHA256
e41bd375070919e1e194a7c1ca722a30d648a7fa7a4b5c33fb05660813c18bdf

SHA512
d1b6ab6d3e51f69e6ec79aa23629afc9ddedd8a7a668ea61b06bec115c95e2a35dca3ff9b9eb649e4bfece9a2fcd0832fed45f2308dca874f6e819708ed48169

Download Submit
memory/1144-31-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1692-19-0x0000000000AA0000-0x0000000000B20000-memory.dmp

Filesize
512KB

Download
memory/1692-27-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/1692-18-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/2668-20-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/2668-22-0x0000000000D10000-0x0000000000D50000-memory.dmp

Filesize
256KB

Download
memory/2668-21-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/2668-24-0x0000000000D10000-0x0000000000D50000-memory.dmp

Filesize
256KB

Download
memory/2668-23-0x0000000000D10000-0x0000000000D50000-memory.dmp

Filesize
256KB

Download
memory/2668-25-0x0000000000D10000-0x0000000000D50000-memory.dmp

Filesize
256KB

Download
memory/2668-26-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing