71584ebf6fdb7b6ccd19dc2df02368c33671ca26d7898bc132db0890e8ba3c58

General

Target

18f1dc5062c2e7a2645a7dfd1fe441d2.exe
Size

855KB
MD5

18f1dc5062c2e7a2645a7dfd1fe441d2
SHA1

6aba03408c3af2a27c1eeca275679078077c94e5
SHA256

71584ebf6fdb7b6ccd19dc2df02368c33671ca26d7898bc132db0890e8ba3c58
SHA512

cd06712f4f28011de4bdc29d5c204f9e03a37ddec7dc190c47db971a5acaa04703708f278c88c551f9b472d29b6f8d5d97b6ecd50d391d92b337012fa1e82f96
SSDEEP

24576:cXk1hgiqByCwNsb0EWKJqNVG77//NKSuI7:cXQSjYsTDJGG7jrJ7

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2844	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2000	229433620.exe

Loads dropped DLL 4 IoCs

pid	Process
2844	cmd.exe
2844	cmd.exe
2000	229433620.exe
2000	229433620.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\18f1dc5062c2e7a2645a7dfd1fe441d2 = "\"C:\\Users\\Admin\\AppData\\Local\\229433620.exe\" 0 27 "	18f1dc5062c2e7a2645a7dfd1fe441d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\229433620 = "\"C:\\Users\\Admin\\AppData\\Local\\229433620.exe\" 0 41 "	229433620.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2360	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2000	229433620.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2000	229433620.exe
2000	229433620.exe
2000	229433620.exe
2000	229433620.exe
2000	229433620.exe
2000	229433620.exe
2000	229433620.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2000	229433620.exe
2000	229433620.exe
2000	229433620.exe
2000	229433620.exe
2000	229433620.exe
2000	229433620.exe
2000	229433620.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 2844	1140	18f1dc5062c2e7a2645a7dfd1fe441d2.exe	29
PID 1140 wrote to memory of 2844	1140	18f1dc5062c2e7a2645a7dfd1fe441d2.exe	29
PID 1140 wrote to memory of 2844	1140	18f1dc5062c2e7a2645a7dfd1fe441d2.exe	29
PID 1140 wrote to memory of 2844	1140	18f1dc5062c2e7a2645a7dfd1fe441d2.exe	29
PID 2844 wrote to memory of 2360	2844	cmd.exe	30
PID 2844 wrote to memory of 2360	2844	cmd.exe	30
PID 2844 wrote to memory of 2360	2844	cmd.exe	30
PID 2844 wrote to memory of 2360	2844	cmd.exe	30
PID 2844 wrote to memory of 2000	2844	cmd.exe	31
PID 2844 wrote to memory of 2000	2844	cmd.exe	31
PID 2844 wrote to memory of 2000	2844	cmd.exe	31
PID 2844 wrote to memory of 2000	2844	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\18f1dc5062c2e7a2645a7dfd1fe441d2.exe
"C:\Users\Admin\AppData\Local\Temp\18f1dc5062c2e7a2645a7dfd1fe441d2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\548243.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v 18f1dc5062c2e7a2645a7dfd1fe441d2 /f
    3⤵
    - Modifies registry key
    PID:2360
- - C:\Users\Admin\AppData\Local\229433620.exe
    C:\Users\Admin\AppData\Local\229433~1.EXE -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\548243.bat

Filesize
424B

MD5
3e49c98fac01bbb8f5a6ee237fdd1093

SHA1
44ec5430afb7f3f6687aa4e04db8adc186f9e21e

SHA256
44e359f5337c0bfd4ae7ddd0a59086209052c52eb55e9d3ef63f1ec716c408c7

SHA512
5651caff8e0c729a7aba82aaa4508e72995edd0d8e7fb1ac8720b0826184f75551603de93687a37d0bf18eac05586fe7b40a0f3f609b8eaa4741eb4433d4a31e

Download Submit
\Users\Admin\AppData\Local\229433620.exe

Filesize
855KB

MD5
18f1dc5062c2e7a2645a7dfd1fe441d2

SHA1
6aba03408c3af2a27c1eeca275679078077c94e5

SHA256
71584ebf6fdb7b6ccd19dc2df02368c33671ca26d7898bc132db0890e8ba3c58

SHA512
cd06712f4f28011de4bdc29d5c204f9e03a37ddec7dc190c47db971a5acaa04703708f278c88c551f9b472d29b6f8d5d97b6ecd50d391d92b337012fa1e82f96

Download Submit
memory/1140-1-0x0000000001000000-0x0000000001439FF1-memory.dmp

Filesize
4.2MB

Download
memory/1140-2-0x00000000002D0000-0x00000000004D0000-memory.dmp

Filesize
2.0MB

Download
memory/1140-3-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/1140-4-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1140-14-0x0000000001000000-0x0000000001439FF1-memory.dmp

Filesize
4.2MB

Download
memory/2000-29-0x0000000001000000-0x0000000001439FF1-memory.dmp

Filesize
4.2MB

Download
memory/2000-33-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2000-23-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/2000-25-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2000-28-0x0000000001000000-0x0000000001439FF1-memory.dmp

Filesize
4.2MB

Download
memory/2000-21-0x0000000001000000-0x0000000001439FF1-memory.dmp

Filesize
4.2MB

Download
memory/2000-30-0x0000000001000000-0x0000000001439FF1-memory.dmp

Filesize
4.2MB

Download
memory/2000-31-0x00000000003B0000-0x00000000005B0000-memory.dmp

Filesize
2.0MB

Download
memory/2000-32-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/2000-22-0x00000000003B0000-0x00000000005B0000-memory.dmp

Filesize
2.0MB

Download
memory/2000-34-0x0000000001000000-0x0000000001439FF1-memory.dmp

Filesize
4.2MB

Download
memory/2000-36-0x0000000001000000-0x0000000001439FF1-memory.dmp

Filesize
4.2MB

Download
memory/2000-37-0x0000000001000000-0x0000000001439FF1-memory.dmp

Filesize
4.2MB

Download
memory/2000-38-0x0000000001000000-0x0000000001439FF1-memory.dmp

Filesize
4.2MB

Download
memory/2000-39-0x0000000001000000-0x0000000001439FF1-memory.dmp

Filesize
4.2MB

Download
memory/2000-40-0x0000000001000000-0x0000000001439FF1-memory.dmp

Filesize
4.2MB

Download
memory/2000-41-0x0000000001000000-0x0000000001439FF1-memory.dmp

Filesize
4.2MB

Download
memory/2000-45-0x0000000001000000-0x0000000001439FF1-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads