4dbcd6d7018656d7e02347b02bd3e4cf8f68067eb8c16e33d218003edcbe8fed

General

Target

3fef6e454b6841ebc1ceae89248b53c1.exe
Size

220KB
MD5

3fef6e454b6841ebc1ceae89248b53c1
SHA1

6e48907fa770bb7a2b89c3b4535b962aa2e2a7b1
SHA256

4dbcd6d7018656d7e02347b02bd3e4cf8f68067eb8c16e33d218003edcbe8fed
SHA512

2caff4d1525cc5ecc7adfc7a79d398192d23702c4992af6a7caf1350410685636a76e933be115b11606037d942e3aac2ed11e2b4df47f45cda3e66202a9186ec
SSDEEP

6144:HpHdcNTSggNphV+kTVYLlu5U6ox1+ZpI3NeFb:HhNTV+KVYLQ5o1+ZK3wF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3068	win39.exe
2940	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
2992	3fef6e454b6841ebc1ceae89248b53c1.exe
2992	3fef6e454b6841ebc1ceae89248b53c1.exe
3068	win39.exe
3068	win39.exe
3068	win39.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\runAPI94 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\runAPI79.exe\""	3fef6e454b6841ebc1ceae89248b53c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe"	win39.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2992 set thread context of 3068	2992	3fef6e454b6841ebc1ceae89248b53c1.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 3068	2992	3fef6e454b6841ebc1ceae89248b53c1.exe	28
PID 2992 wrote to memory of 3068	2992	3fef6e454b6841ebc1ceae89248b53c1.exe	28
PID 2992 wrote to memory of 3068	2992	3fef6e454b6841ebc1ceae89248b53c1.exe	28
PID 2992 wrote to memory of 3068	2992	3fef6e454b6841ebc1ceae89248b53c1.exe	28
PID 2992 wrote to memory of 3068	2992	3fef6e454b6841ebc1ceae89248b53c1.exe	28
PID 2992 wrote to memory of 3068	2992	3fef6e454b6841ebc1ceae89248b53c1.exe	28
PID 2992 wrote to memory of 3068	2992	3fef6e454b6841ebc1ceae89248b53c1.exe	28
PID 2992 wrote to memory of 3068	2992	3fef6e454b6841ebc1ceae89248b53c1.exe	28
PID 2992 wrote to memory of 3068	2992	3fef6e454b6841ebc1ceae89248b53c1.exe	28
PID 2992 wrote to memory of 3068	2992	3fef6e454b6841ebc1ceae89248b53c1.exe	28
PID 2992 wrote to memory of 3068	2992	3fef6e454b6841ebc1ceae89248b53c1.exe	28
PID 2992 wrote to memory of 3068	2992	3fef6e454b6841ebc1ceae89248b53c1.exe	28
PID 3068 wrote to memory of 2940	3068	win39.exe	29
PID 3068 wrote to memory of 2940	3068	win39.exe	29
PID 3068 wrote to memory of 2940	3068	win39.exe	29
PID 3068 wrote to memory of 2940	3068	win39.exe	29

C:\Users\Admin\AppData\Local\Temp\3fef6e454b6841ebc1ceae89248b53c1.exe
"C:\Users\Admin\AppData\Local\Temp\3fef6e454b6841ebc1ceae89248b53c1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\win39.exe
  C:\Users\Admin\AppData\Local\Temp\win39.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\win39.exe

Filesize
4KB

MD5
5e5ecae8b08152c885904cde71c50dad

SHA1
727f24d102ab29be690c783ddc149b3a39430fb6

SHA256
b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541

SHA512
dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea

Download Submit
memory/2992-0-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2992-2-0x0000000000B40000-0x0000000000B80000-memory.dmp

Filesize
256KB

Download
memory/2992-1-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2992-36-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/3068-18-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3068-26-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3068-16-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3068-12-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3068-20-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3068-22-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3068-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3068-14-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3068-28-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3068-29-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3068-31-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3068-32-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3068-10-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3068-37-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads