a46cd89c1ba320cc0b79ae68aedc7916917d81ac5bd784d125a4e4ab5782f656

General

Target

4425ad6dfea244cb3eb93ee1ad5da337.exe
Size

132KB
MD5

4425ad6dfea244cb3eb93ee1ad5da337
SHA1

3b39247c2cade049845fc5f094d82cd3bac2cf2a
SHA256

a46cd89c1ba320cc0b79ae68aedc7916917d81ac5bd784d125a4e4ab5782f656
SHA512

a0fe987ba817e746101da19fd9598574403a995538f46ef0074c85440b0b5df193e31bb22014c947a292533ba9f3a452d70808859e1882f4456002a54f548f87
SSDEEP

1536:v2uXsNnWwlRmCg/AIifLMeAAtnhOW+B/SG4RJitU3JOWoxYQM:v2uXVC/DA8hOW+B/S1+U3JOWoxYQM

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2456	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1648	S0UG0U.exe

Loads dropped DLL 2 IoCs

pid	Process
2728	4425ad6dfea244cb3eb93ee1ad5da337.exe
2728	4425ad6dfea244cb3eb93ee1ad5da337.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 1648	2728	4425ad6dfea244cb3eb93ee1ad5da337.exe	20
PID 2728 wrote to memory of 1648	2728	4425ad6dfea244cb3eb93ee1ad5da337.exe	20
PID 2728 wrote to memory of 1648	2728	4425ad6dfea244cb3eb93ee1ad5da337.exe	20
PID 2728 wrote to memory of 1648	2728	4425ad6dfea244cb3eb93ee1ad5da337.exe	20
PID 2728 wrote to memory of 2456	2728	4425ad6dfea244cb3eb93ee1ad5da337.exe	19
PID 2728 wrote to memory of 2456	2728	4425ad6dfea244cb3eb93ee1ad5da337.exe	19
PID 2728 wrote to memory of 2456	2728	4425ad6dfea244cb3eb93ee1ad5da337.exe	19
PID 2728 wrote to memory of 2456	2728	4425ad6dfea244cb3eb93ee1ad5da337.exe	19
PID 2728 wrote to memory of 2456	2728	4425ad6dfea244cb3eb93ee1ad5da337.exe	19
PID 2728 wrote to memory of 2456	2728	4425ad6dfea244cb3eb93ee1ad5da337.exe	19
PID 2728 wrote to memory of 2456	2728	4425ad6dfea244cb3eb93ee1ad5da337.exe	19
PID 1648 wrote to memory of 2844	1648	S0UG0U.exe	32
PID 1648 wrote to memory of 2844	1648	S0UG0U.exe	32
PID 1648 wrote to memory of 2844	1648	S0UG0U.exe	32
PID 1648 wrote to memory of 2844	1648	S0UG0U.exe	32
PID 1648 wrote to memory of 2844	1648	S0UG0U.exe	32
PID 1648 wrote to memory of 2844	1648	S0UG0U.exe	32
PID 1648 wrote to memory of 2844	1648	S0UG0U.exe	32

C:\Users\Admin\AppData\Local\Temp\4425ad6dfea244cb3eb93ee1ad5da337.exe
"C:\Users\Admin\AppData\Local\Temp\4425ad6dfea244cb3eb93ee1ad5da337.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Gameupdate.bat" "
  2⤵
  - Deletes itself
  PID:2456
- C:\Users\Admin\AppData\Local\Temp\S0UG0U.exe
  C:\Users\Admin\AppData\Local\Temp\S0UG0U.exe arg2
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Gameupdate.bat" "
    3⤵
    PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Gameupdate.bat

Filesize
151B

MD5
0c868490208e3557d51b93d55feba643

SHA1
291b2565763664acf8f3d6488283abf8d769fc07

SHA256
2335ff1b9f935070ea7d57a267ec87a7269673c16e8551ec745afafb9bed26f8

SHA512
e3e9108d6bf873c4a6c2847e326399f2f21a436055117ed1d8e8d3a0585b6a7a7647f607c1e5963f18101090d909dedffcdbacecd364a38af0f0e99cc1495455

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gameupdate.bat

Filesize
203B

MD5
115507210c26f15183e3b7f9fd158272

SHA1
dcf0393f6c59381fb3dbfb392f1588192360401a

SHA256
c947a5eb929ead589b237ea069eb97a77df1af5513d02714bf93f83804b9976c

SHA512
f2ffeec801159f58b394ad9655068b1328c65d039160b504ea166e9f28bcc42b3ec2617dc721dbd6033edf40a2c8d8ca12046d8b86c8f64f13352773ce7600c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\S0UG0U.exe

Filesize
132KB

MD5
4425ad6dfea244cb3eb93ee1ad5da337

SHA1
3b39247c2cade049845fc5f094d82cd3bac2cf2a

SHA256
a46cd89c1ba320cc0b79ae68aedc7916917d81ac5bd784d125a4e4ab5782f656

SHA512
a0fe987ba817e746101da19fd9598574403a995538f46ef0074c85440b0b5df193e31bb22014c947a292533ba9f3a452d70808859e1882f4456002a54f548f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\S0UG0U.exe

Filesize
70KB

MD5
87d624de0e768ca28af2cd3bd94a627b

SHA1
5962e0c1252ed8917f48f5266826887d398bf9ca

SHA256
bb7057abbc472e2f698c42e1e611ff9c1b917cd428fada5a5f55f7e06135a902

SHA512
5407f9732a2a47c7dbc6b40505f2e678bc47f6b7814eee3ff010fa74612747adc1cb4160b4a4351a2f0a39b8ef40abbd3b152ece3e7c09e96e0b0f15dafb689f

Download Submit
C:\Users\Admin\AppData\Local\Temp\S0UG0U.exe

Filesize
61KB

MD5
9918f24d65e913fdbbfc72e0ca0a2abb

SHA1
dfd7364ac978d726ac31d2aaae888ae774ac39a1

SHA256
2c8decad6a406528af2dd2e46619fad3f5c65b9cea822d348a45271891890790

SHA512
bcd35d343f0a3c9e91f98b342a9ae41ee87138f3015296d97fbdd71a42255f70b17c861186e665d67888d87a626190964936adb2387f06000b798a7435bcacf9

Download Submit
\Users\Admin\AppData\Local\Temp\S0UG0U.exe

Filesize
94KB

MD5
2b3f5672705285de6eac0443c32e7465

SHA1
446e425b9104a5c658c39aef35179d6ef2f924ad

SHA256
de10f8e18259eade8d72eb1edfad2e3d1d0004c35749cccfa1a581259df4c6dc

SHA512
aeb86ae4652b17760551e15afbf0463086fbc946ecc387ff817996681973631dbc386f75d65cf355946013bcc14a86cac2e4905e7a7b8063faefeb85297ea0ca

Download Submit
\Users\Admin\AppData\Local\Temp\S0UG0U.exe

Filesize
45KB

MD5
495c0b4594e96eed2de9d22221b75552

SHA1
aa2d010058569ad14208d00515009737c6e2cfa2

SHA256
ecd62d5296a002129c77651f7c2103221c6f9eb2509339da12aff0b78894b1d6

SHA512
8039bc1774ea6fce01b2dc6ee0083a69463e20553f7bcc3e10581ba4befaa94c4f3f9fd4273b6a0df48ff26314e16ac4757880b411f2cb4bd27c9762eea6e874

Download Submit

Analysis

Sharing