59642e42bcae6a426b7d68bb5192c8bc07d1d1a88b511afd0fb52c9bda78c57f

General

Target

0e86bb71990b959fafb6622b61c634cb.exe
Size

63KB
MD5

0e86bb71990b959fafb6622b61c634cb
SHA1

9bcf0cf4818fb4d40dbdcb6e7a25e69afea1b5c2
SHA256

59642e42bcae6a426b7d68bb5192c8bc07d1d1a88b511afd0fb52c9bda78c57f
SHA512

0405cda45ac47fa28241336673f7cab5734fb1e74e7176051f715070641cbc86072d968c17f600259d8367f7df90606b370bec232ad4dd309eef197708241741
SSDEEP

1536:V3cpyORJLuB4P4AJJv4Romu/4awlmhpUljMg:V3c1fP4AJJv45n7jMg

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2980	cmd.exe

Loads dropped DLL 9 IoCs

pid	Process
2644	0e86bb71990b959fafb6622b61c634cb.exe
2644	0e86bb71990b959fafb6622b61c634cb.exe
2644	0e86bb71990b959fafb6622b61c634cb.exe
2644	0e86bb71990b959fafb6622b61c634cb.exe
2644	0e86bb71990b959fafb6622b61c634cb.exe
2644	0e86bb71990b959fafb6622b61c634cb.exe
2644	0e86bb71990b959fafb6622b61c634cb.exe
2644	0e86bb71990b959fafb6622b61c634cb.exe
2644	0e86bb71990b959fafb6622b61c634cb.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Desktop\Internat Explorar\Desktop.ini	0e86bb71990b959fafb6622b61c634cb.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\tbgw.ico	0e86bb71990b959fafb6622b61c634cb.exe
File opened for modification	C:\Windows\tbgw.ico	0e86bb71990b959fafb6622b61c634cb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2656	2644	0e86bb71990b959fafb6622b61c634cb.exe	28
PID 2644 wrote to memory of 2656	2644	0e86bb71990b959fafb6622b61c634cb.exe	28
PID 2644 wrote to memory of 2656	2644	0e86bb71990b959fafb6622b61c634cb.exe	28
PID 2644 wrote to memory of 2656	2644	0e86bb71990b959fafb6622b61c634cb.exe	28
PID 2644 wrote to memory of 2656	2644	0e86bb71990b959fafb6622b61c634cb.exe	28
PID 2644 wrote to memory of 2656	2644	0e86bb71990b959fafb6622b61c634cb.exe	28
PID 2644 wrote to memory of 2656	2644	0e86bb71990b959fafb6622b61c634cb.exe	28
PID 2644 wrote to memory of 2980	2644	0e86bb71990b959fafb6622b61c634cb.exe	30
PID 2644 wrote to memory of 2980	2644	0e86bb71990b959fafb6622b61c634cb.exe	30
PID 2644 wrote to memory of 2980	2644	0e86bb71990b959fafb6622b61c634cb.exe	30
PID 2644 wrote to memory of 2980	2644	0e86bb71990b959fafb6622b61c634cb.exe	30
PID 2644 wrote to memory of 2980	2644	0e86bb71990b959fafb6622b61c634cb.exe	30
PID 2644 wrote to memory of 2980	2644	0e86bb71990b959fafb6622b61c634cb.exe	30
PID 2644 wrote to memory of 2980	2644	0e86bb71990b959fafb6622b61c634cb.exe	30

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2656	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0e86bb71990b959fafb6622b61c634cb.exe
"C:\Users\Admin\AppData\Local\Temp\0e86bb71990b959fafb6622b61c634cb.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" "C:\Users\Public\Desktop\Internat Explorar" +s
  2⤵
  - Views/modifies file attributes
  PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\temp_tmp.bat" "
  2⤵
  - Deletes itself
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp_tmp.bat

Filesize
186B

MD5
5b2f0817cf10403ea0f74f7c57667174

SHA1
5110ca95f4b79c9549649327752048447cbe9625

SHA256
2ca5e7da558d4a1d83bf8a5164b50f87aef0124509138ca63c4d93165aa5c9b6

SHA512
83c1ebed65e1446e2e92c5acd9c3d09befc5bda3d4ac04bbc23d643ba72fced5e9e8cf2601f260703d992fa137e6f25f0302ba33e5eac57978108757c6e02a7f

Download Submit
C:\Users\Public\Desktop\Internat Explorar\Desktop.ini

Filesize
75B

MD5
254a842845d5fe636a018ed64927573f

SHA1
405c601e91dbd53febdca03e5ccc1fd1b03107be

SHA256
bc4eaf790a990a2dbb8460775c257f603d2303a7ab282dd5f405264af202282c

SHA512
e817292fe07e880cd21e1cba72d4fec097fab51f21012a891bad6be6d43da8573a2ecc881a9c9c6a01dc421b55eb4734a79803899e51234ff4bd4c2a4a8a8acf

Download Submit
C:\Users\Public\Desktop\Internat Explorar\target.lnk

Filesize
1KB

MD5
de47000f2034dc530d07da111827af57

SHA1
86b34f70b275ea8ee8adb869d2420e09b044718a

SHA256
55375084a2fb9154a368cce0b9372ed6dd0342f11c2bdf5251ded25993714dae

SHA512
beb91fbcdf3d6497d59844a6da91055b7791016bcf9d97083b6cdffc1d2ee6439322dc19e098bdf0aa27e3b600305d6064ef645a24691dcae98da519debc892f

Download Submit
C:\Users\Public\Desktop\ÌÔ ±¦ Íø ¹º.lnk

Filesize
1KB

MD5
5ffaf2527bc8e175c988c8dc53dbc484

SHA1
7c069a0e54469453fdc91d57bfb0e82e2e539777

SHA256
2f58298a3e901293b80ad5ebc164e53e76e079c3e86252f1b34f702c55ada96e

SHA512
f90556ed1bd94a994d3a6573757f1214cfacb03ee5d6e1b8d277fb00f95371045e279b3a05189de7baf832605845d11a99196ac85de6c0ce050c611a9ab3b8ba

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7B0B.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7B0B.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit

Analysis

Sharing