79f77aad0de46a5dc1dac3a6b6c6bed156f9da1795c3823a55e7dd2c8e5060d3

General

Target

04e8c55b4f62449b397a4a0777f1efe6.exe
Size

991KB
MD5

04e8c55b4f62449b397a4a0777f1efe6
SHA1

5a4868f849512e4ae0ad2abbc06d5fd34c970fb1
SHA256

79f77aad0de46a5dc1dac3a6b6c6bed156f9da1795c3823a55e7dd2c8e5060d3
SHA512

6ada2f2e02e585d8b7651c4b335c0ac4c2308d5d602cf8fe207a2fca41386a3f352931ad2a33be1c77ca14cba4f55be5efe068d8590cf77d2bf96c9e0e964a5a
SSDEEP

24576:X4weEUfNjRSQQ6EUhZfXA1UmQKbpbG0X2f5w+6pYvgT26OqF:IlkQQ6de7o7fT7vrQF

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2056	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2100	0293925.exe

Loads dropped DLL 4 IoCs

pid	Process
2056	cmd.exe
2056	cmd.exe
2100	0293925.exe
2100	0293925.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\04e8c55b4f62449b397a4a0777f1efe6 = "\"C:\\Users\\Admin\\AppData\\Local\\0293925.exe\" 0 37 "	04e8c55b4f62449b397a4a0777f1efe6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\0293925 = "\"C:\\Users\\Admin\\AppData\\Local\\0293925.exe\" 0 39 "	0293925.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1136	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2100	0293925.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2100	0293925.exe
2100	0293925.exe
2100	0293925.exe
2100	0293925.exe
2100	0293925.exe
2100	0293925.exe
2100	0293925.exe
2100	0293925.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2100	0293925.exe
2100	0293925.exe
2100	0293925.exe
2100	0293925.exe
2100	0293925.exe
2100	0293925.exe
2100	0293925.exe
2100	0293925.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2056	1968	04e8c55b4f62449b397a4a0777f1efe6.exe	29
PID 1968 wrote to memory of 2056	1968	04e8c55b4f62449b397a4a0777f1efe6.exe	29
PID 1968 wrote to memory of 2056	1968	04e8c55b4f62449b397a4a0777f1efe6.exe	29
PID 1968 wrote to memory of 2056	1968	04e8c55b4f62449b397a4a0777f1efe6.exe	29
PID 2056 wrote to memory of 1136	2056	cmd.exe	30
PID 2056 wrote to memory of 1136	2056	cmd.exe	30
PID 2056 wrote to memory of 1136	2056	cmd.exe	30
PID 2056 wrote to memory of 1136	2056	cmd.exe	30
PID 2056 wrote to memory of 2100	2056	cmd.exe	31
PID 2056 wrote to memory of 2100	2056	cmd.exe	31
PID 2056 wrote to memory of 2100	2056	cmd.exe	31
PID 2056 wrote to memory of 2100	2056	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\04e8c55b4f62449b397a4a0777f1efe6.exe
"C:\Users\Admin\AppData\Local\Temp\04e8c55b4f62449b397a4a0777f1efe6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\61964.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v 04e8c55b4f62449b397a4a0777f1efe6 /f
    3⤵
    - Modifies registry key
    PID:1136
- - C:\Users\Admin\AppData\Local\0293925.exe
    C:\Users\Admin\AppData\Local\0293925.exe -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0293925.exe

Filesize
477KB

MD5
f1b993289f58380af906977228cf9c45

SHA1
7130513d895ded4d3cf7d2463cba53235a63f1da

SHA256
cde5dba0600e195dc7e6ca472a23ccd412a8031dae8bd66d454acc06e55f8d28

SHA512
7523a55b0925d7496183905c7b7e62548680e320e20174f9d4f8b75018ebd25a993f28761be1581fe7d36ecc6df42713de7c0dfee14136543288368aacbee547

Download Submit
C:\Users\Admin\AppData\Local\0293925.exe

Filesize
487KB

MD5
7260b325e554991e97b9f804bae8994e

SHA1
a0ff329182e02597ddd4b084c77a3fc48b419fc2

SHA256
4439db690a7ecf76af26b33de2d64e0f6cfd255fdff66d404bf8539afe2285a0

SHA512
d13315845add95763970e3177304f44e5fad80cc3aefb522cf0e255948ee92467c4f4e35e299aa7bdb7e84ead7f1e687095e043060336676ca0ab75a2f07f5d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\61964.bat

Filesize
422B

MD5
93ba8d0e580f9391315888f98d7fa658

SHA1
4367fd21df86234ae32c097c85c69302212df790

SHA256
84af8b56a2f2c30f223faae9b3ff7d75dea3fb02a676c9c1921fa88126c17bd4

SHA512
c3252c8ff6b6dc7c4d5663a837ab4687602ecc57430d477a68c131259e8635ddefa61da8c49a7eaaee65ab793ec3f911f2cbb2531eb5faffa5867d96e02d2325

Download Submit
\Users\Admin\AppData\Local\0293925.exe

Filesize
465KB

MD5
fe2bc833d576af036195322773c9c2bc

SHA1
6a4b82ba2f39bd06d6e92a2c5ea540fa6eaf4e38

SHA256
b785a64461ebf5c2d7a0b78b5c123408d6d6be181bbbaf3c1b98cb815ff3ea57

SHA512
02724780739b1ab39137b8472acaf5489314463266658918205889515f259624a3c81a84fd20218e696769c3ab709b0136517833804a6171375e3f3b84d3a167

Download Submit
\Users\Admin\AppData\Local\0293925.exe

Filesize
394KB

MD5
689905796b98183311fef8646c841d9c

SHA1
2cb06010475c5d305d66f5ec0630e421aa10cc43

SHA256
572a382f772ddc362e94ee1087589e66ce9def9a538967d1822a9dc14749e60b

SHA512
77584894b4efaf074a9beda5664c412eb60300401aa036c6b076b3e48fdf6b370c20287bc8bccaf184e5a002a076a04de6e1e7aba051fc4d883e0f883dd256d9

Download Submit
\Users\Admin\AppData\Local\0293925.exe

Filesize
179KB

MD5
da4127c710b271eea9e57fad9cccfdd5

SHA1
20279d2717769dcae95148431682234758e8c159

SHA256
cd0fc88aab25037e264938e786e10d37a3ab3e36da4f7a6e9774c1103e047d2e

SHA512
3b1d208f263aa52e05ee16ae00ddd9e159e963d5b9a67dfe42961500c9b315790518ae60fc26cbd99489b3dbce1a79462c9ce7e878c709252793fc86f5c397d5

Download Submit
\Users\Admin\AppData\Local\0293925.exe

Filesize
570KB

MD5
d922ab80d7be138d9c947f2d0e9c46ab

SHA1
0db6050cd0703214606378ca83d806f35250a82f

SHA256
bc18828a2b4d42a5b8188f1b2668c741c65720b492cdd991808c78c00e860b69

SHA512
c52d947a3262b8898f8efdb369a289bf19cc6be158626395ee380db8fbdc221da834f5f8b90b63b67fb803d0438a9f94f837f7cd7edbfdd493cd2ad9e931f017

Download Submit
memory/1968-2-0x0000000000270000-0x0000000000470000-memory.dmp

Filesize
2.0MB

Download
memory/1968-4-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1968-3-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/1968-14-0x0000000001000000-0x0000000001439FFF-memory.dmp

Filesize
4.2MB

Download
memory/1968-1-0x0000000001000000-0x0000000001439FFF-memory.dmp

Filesize
4.2MB

Download
memory/2100-28-0x0000000001000000-0x0000000001439FFF-memory.dmp

Filesize
4.2MB

Download
memory/2100-33-0x0000000001000000-0x0000000001439FFF-memory.dmp

Filesize
4.2MB

Download
memory/2100-22-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2100-27-0x0000000001000000-0x0000000001439FFF-memory.dmp

Filesize
4.2MB

Download
memory/2100-29-0x0000000000290000-0x0000000000490000-memory.dmp

Filesize
2.0MB

Download
memory/2100-21-0x0000000000290000-0x0000000000490000-memory.dmp

Filesize
2.0MB

Download
memory/2100-30-0x0000000001000000-0x0000000001439FFF-memory.dmp

Filesize
4.2MB

Download
memory/2100-31-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2100-32-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2100-24-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2100-35-0x0000000001000000-0x0000000001439FFF-memory.dmp

Filesize
4.2MB

Download
memory/2100-36-0x0000000001000000-0x0000000001439FFF-memory.dmp

Filesize
4.2MB

Download
memory/2100-37-0x0000000001000000-0x0000000001439FFF-memory.dmp

Filesize
4.2MB

Download
memory/2100-38-0x0000000001000000-0x0000000001439FFF-memory.dmp

Filesize
4.2MB

Download
memory/2100-39-0x0000000001000000-0x0000000001439FFF-memory.dmp

Filesize
4.2MB

Download
memory/2100-40-0x0000000001000000-0x0000000001439FFF-memory.dmp

Filesize
4.2MB

Download
memory/2100-45-0x0000000001000000-0x0000000001439FFF-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads