48e12867b2a256b2676efd76f7672bb5a3b111a0304157b98c6c86c7d76b2d5e

General

Target

03577bf55d4aefea88aaa1eed68e3a19.exe
Size

181KB
MD5

03577bf55d4aefea88aaa1eed68e3a19
SHA1

b993c81ba18ced9d41fc59ac647bea489b2e15f5
SHA256

48e12867b2a256b2676efd76f7672bb5a3b111a0304157b98c6c86c7d76b2d5e
SHA512

b9997d745b61f8e0e240f6282976bc4897fbcd969be45753d8c9ea0a820f48d75992923d98387f305b2505882e9a58547ff3b18e7d53ca7bd1415f0b1b01f155
SSDEEP

3072:1d9xR3G2BZMbBLBaYw0coLujNHIHaTTg4atGleXOMJrbB60FT+bBNXXl:1d93ZBZMbqYgomHIH3eMxF8BNXXl

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smgr34.exe	inf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smgr34.exe	inf.exe

Executes dropped EXE 2 IoCs

pid	Process
2256	inf.exe
2936	smgr34.exe

Loads dropped DLL 12 IoCs

pid	Process
2424	03577bf55d4aefea88aaa1eed68e3a19.exe
2424	03577bf55d4aefea88aaa1eed68e3a19.exe
2256	inf.exe
2256	inf.exe
2256	inf.exe
2256	inf.exe
2256	inf.exe
2256	inf.exe
2936	smgr34.exe
2936	smgr34.exe
2936	smgr34.exe
2936	smgr34.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zlib4.dll	inf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2256	2424	03577bf55d4aefea88aaa1eed68e3a19.exe	19
PID 2424 wrote to memory of 2256	2424	03577bf55d4aefea88aaa1eed68e3a19.exe	19
PID 2424 wrote to memory of 2256	2424	03577bf55d4aefea88aaa1eed68e3a19.exe	19
PID 2424 wrote to memory of 2256	2424	03577bf55d4aefea88aaa1eed68e3a19.exe	19
PID 2424 wrote to memory of 2256	2424	03577bf55d4aefea88aaa1eed68e3a19.exe	19
PID 2424 wrote to memory of 2256	2424	03577bf55d4aefea88aaa1eed68e3a19.exe	19
PID 2424 wrote to memory of 2256	2424	03577bf55d4aefea88aaa1eed68e3a19.exe	19
PID 2256 wrote to memory of 2936	2256	inf.exe	18
PID 2256 wrote to memory of 2936	2256	inf.exe	18
PID 2256 wrote to memory of 2936	2256	inf.exe	18
PID 2256 wrote to memory of 2936	2256	inf.exe	18
PID 2256 wrote to memory of 2936	2256	inf.exe	18
PID 2256 wrote to memory of 2936	2256	inf.exe	18
PID 2256 wrote to memory of 2936	2256	inf.exe	18

C:\Users\Admin\AppData\Local\Temp\03577bf55d4aefea88aaa1eed68e3a19.exe
"C:\Users\Admin\AppData\Local\Temp\03577bf55d4aefea88aaa1eed68e3a19.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\WINDOWS\inf.exe
  "C:\Users\Admin\AppData\Local\Temp\WINDOWS\inf.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2256

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smgr34.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smgr34.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\WINDOWS\inf.exe

Filesize
38KB

MD5
4fb080f215e51616ff645f384c6b282a

SHA1
f0803140e2782c78e9a738cae956c6cdb0052ecf

SHA256
735ffb87b2e0f7f7ce40cf4e322f2c91bdb7f56ed74272f6383b8e3e2e028589

SHA512
e823f1012be897148f461e30de945d3ba53572289789f078d7c01a9afc95d59a5d58a47b1600f88f7c9319ea7966e756818f2a5c8a6808f5c734ded21bbf90f5

Download Submit
\Users\Admin\AppData\Local\Temp\WINDOWS\zlib4.dll

Filesize
151KB

MD5
5d7a4013f4da7be570ed30c1992563b2

SHA1
9ee822d06a31c9a3e7b0d1951a9ce1467e729b1a

SHA256
a27d35302b792fa25ca285eca7ca0321a6e1e14531be6cfc77c154e280223c4b

SHA512
a5f04ba5b932df8a6bfcc05cd54811726e76a86a4975fc5b85394906a3d57cebe040d76f09262c8c041870b92493af9f207471c0bdd3f9aee8ced205c9be01d5

Download Submit
\Users\Admin\AppData\Local\Temp\WINDOWS\zlib4.dll

Filesize
37KB

MD5
bd3bea1fe25d67da78fb460c0c95955d

SHA1
4b3530e4c073655671dd4daf304800e3b789ab13

SHA256
46336b209c550f1230cef7ec2afe06a920f6b551eb672af734f0ae32b5c5dac5

SHA512
b885d651557647009eaff29e164de3f84388b63e7a3034e608c3a8ae60ffdeebcb2984e13219c5347e3b60a1237aa5513c386a3318886c110338f7efd0d87136

Download Submit
memory/2256-37-0x0000000000230000-0x000000000025B000-memory.dmp

Filesize
172KB

Download
memory/2256-15-0x0000000000230000-0x000000000025B000-memory.dmp

Filesize
172KB

Download
memory/2256-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2424-12-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2936-30-0x00000000003B0000-0x00000000003DB000-memory.dmp

Filesize
172KB

Download
memory/2936-39-0x00000000003B0000-0x00000000003DB000-memory.dmp

Filesize
172KB

Download
memory/2936-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2936-41-0x00000000003B0000-0x00000000003DB000-memory.dmp

Filesize
172KB

Download
memory/2936-45-0x00000000003B0000-0x00000000003DB000-memory.dmp

Filesize
172KB

Download
memory/2936-51-0x00000000003B0000-0x00000000003DB000-memory.dmp

Filesize
172KB

Download
memory/2936-59-0x00000000003B0000-0x00000000003DB000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing