29d6cc5359edb9b0e33c13dbc9db1c8d5defc0eb76c78cc77b6e941fcb202452

General

Target

05d269bf444039a67a4f672c3f3e8add.exe
Size

1.0MB
MD5

05d269bf444039a67a4f672c3f3e8add
SHA1

b477973cfa7b35ab7b757be6f1ea691ea73912d0
SHA256

29d6cc5359edb9b0e33c13dbc9db1c8d5defc0eb76c78cc77b6e941fcb202452
SHA512

dabfc2f0fc57d7813786f1861b1d4f09e80b538b89943b9dbb8ae3324e8e8f94b387dfabf22fcec9545fd2117640086c9698141c1f18f4f31b17bfc3669c91c3
SSDEEP

24576:TWfAedhvZ95Paor1WmDQT3DsZq7iHEPT02NNeiNCA7mY0:T0vZ95PvWR7wdEjNC

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1796	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2192	64072120.exe

Loads dropped DLL 4 IoCs

pid	Process
2752	cmd.exe
2752	cmd.exe
2192	64072120.exe
2192	64072120.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\64072120 = "C:\\ProgramData\\64072120\\64072120.exe"	05d269bf444039a67a4f672c3f3e8add.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\64072120 = "C:\\PROGRA~3\\64072120\\64072120.exe"	64072120.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2192	64072120.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2192	64072120.exe
2192	64072120.exe
2192	64072120.exe
2192	64072120.exe
2192	64072120.exe
2192	64072120.exe
2192	64072120.exe
2192	64072120.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2192	64072120.exe
2192	64072120.exe
2192	64072120.exe
2192	64072120.exe
2192	64072120.exe
2192	64072120.exe
2192	64072120.exe
2192	64072120.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 1796	1640	05d269bf444039a67a4f672c3f3e8add.exe	20
PID 1640 wrote to memory of 1796	1640	05d269bf444039a67a4f672c3f3e8add.exe	20
PID 1640 wrote to memory of 1796	1640	05d269bf444039a67a4f672c3f3e8add.exe	20
PID 1640 wrote to memory of 1796	1640	05d269bf444039a67a4f672c3f3e8add.exe	20
PID 1796 wrote to memory of 2752	1796	cmd.exe	22
PID 1796 wrote to memory of 2752	1796	cmd.exe	22
PID 1796 wrote to memory of 2752	1796	cmd.exe	22
PID 1796 wrote to memory of 2752	1796	cmd.exe	22
PID 2752 wrote to memory of 2192	2752	cmd.exe	23
PID 2752 wrote to memory of 2192	2752	cmd.exe	23
PID 2752 wrote to memory of 2192	2752	cmd.exe	23
PID 2752 wrote to memory of 2192	2752	cmd.exe	23

C:\Users\Admin\AppData\Local\Temp\05d269bf444039a67a4f672c3f3e8add.exe
"C:\Users\Admin\AppData\Local\Temp\05d269bf444039a67a4f672c3f3e8add.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\ProgramData\64072120\64072120.bat" "
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start C:\PROGRA~3\64072120\64072120.exe /install
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\PROGRA~3\64072120\64072120.exe
      C:\PROGRA~3\64072120\64072120.exe /install
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\64072120\64072120.exe

Filesize
100KB

MD5
f1bf2faa5017950bebcdd9410ec9eceb

SHA1
9ef66b81041269f96b4d761ccb80dea93a592235

SHA256
2d30bfae998c4d4724c2bd9122d27b51d8002482a007097e47a16800bad39957

SHA512
d578bef087b63152b1773a240bd509684c1f214f695a4decdce5b8072f83594e114f3ee9f236d290379cbb5d979e9e8e393b7901f5fced10e435bd3c2b5b87e9

Download Submit
C:\PROGRA~3\64072120\64072120.exe

Filesize
92KB

MD5
752e6280b3e85384bc8030aca3cfe57b

SHA1
51b95cffba75c8a571c1197f38c73a2a3cb1160b

SHA256
ece9799c58a514617bfb7077e39bed931ac2192230bbaec2813ec92e34f40e86

SHA512
4a73b7a36267deb7073084f7e656efac46e5f75b62c0ae3dd8836d3e5b49d3a0e0b624498e9bf608d893bff7291c2e88698f6a334bb3f8f9fb9795cac46e3d95

Download Submit
C:\ProgramData\64072120\64072120.bat

Filesize
236B

MD5
3b627c86c060269864c5ed92091a4d23

SHA1
4dfcd88ff5e1db451f1fb9657b3c36c4772e6a53

SHA256
d4e2c0e393c8fc0857f1ef47e7377adc608b1273cc2648abf46b36bfc2b7a68d

SHA512
f4394f6bc2f3c94fe6ce40543e05df1c4a373963759aaadc36d0956f4217dd6224dd8ca875f74aaa163c8c2d492a2bda24b4eac599db959e0cae0f3310d3b15f

Download Submit
\PROGRA~3\64072120\64072120.exe

Filesize
23KB

MD5
dba2371f1a150adac49b00c0ce54e54c

SHA1
efed072708c03db8106f11d5f8f9a370bf81b301

SHA256
d65fa31ec9becee716f147f070f3c26deb9494008efbae90d0739e301223f930

SHA512
9dbeeb054ce0039a83f8cbdd44517e24f7991917c3a858f7e4cef8fa1c51fd584ee3a2b2617ab0102c736ed036c3487ffc77d19dee4a55dabf26361eb35c2ef9

Download Submit
\PROGRA~3\64072120\64072120.exe

Filesize
26KB

MD5
900f38495aa095be8aeff0eb1d59da4d

SHA1
cb68d5f239c29ce05e272003718b2af07c226721

SHA256
43f6124458aab427594dc703c396d4fe46f82104bbcf5bd30374034403037cad

SHA512
84d1bbc03a6e1fdbe1859dfdd4d6ab5905677484b0ca45623bb5160086fa83a72a59cefafbb326d1c1476001c0353156bb18ee99ca7ad776efae3184c90ba221

Download Submit
\PROGRA~3\64072120\64072120.exe

Filesize
171KB

MD5
11958b1a5c5e1f1bd98d817b1954560a

SHA1
fb51a8a3fb90278101e10e4df125cecddf9559b6

SHA256
331c7b792cb4a5392ace029c10142f476a595f8edff5754dc3722da6907bded5

SHA512
befd82ec6f92549f1128879465855b7c83978c52190cb58fee947df7726ce70793dc8976ac60614c866a1d379daeab02ceff2a6a1770f36fe21bf8006d404d39

Download Submit
\PROGRA~3\64072120\64072120.exe

Filesize
172KB

MD5
4784819aa3c613d6aad882543190bc41

SHA1
e0ee0732270296c601b42760a71b29b44c515c1f

SHA256
ea64f4def34d76988e23ff70d486a55c89ad66edb2ae6dd9125c54ac6d740570

SHA512
a82b9835e0fe62ff72ad57d97712c5a1e6f4338ef30aa2c5ece629f8afb511477713b9b330d09e0223a6dd7a3592df6827464bbff57ced60dd754929afe62a62

Download Submit
memory/1640-2-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/1640-3-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/1640-1-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1640-4-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1640-14-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2192-21-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2192-33-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2192-24-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2192-22-0x0000000000690000-0x0000000000790000-memory.dmp

Filesize
1024KB

Download
memory/2192-27-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2192-28-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2192-26-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2192-23-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2192-34-0x0000000000690000-0x0000000000790000-memory.dmp

Filesize
1024KB

Download
memory/2192-25-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2192-35-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2192-36-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2192-37-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2192-39-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2192-40-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2192-41-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2192-42-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2192-43-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2192-44-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2192-45-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads