eabd3aea00b5502e4d8fba25deec8516c3a9c399faa4801259069e4b4baff717

General

Target

2dc03de1ac40a9c7aeaac0cc8ed899c5.exe
Size

2.7MB
MD5

2dc03de1ac40a9c7aeaac0cc8ed899c5
SHA1

10df83f5384c95b14e5017c759f976f09716ebed
SHA256

eabd3aea00b5502e4d8fba25deec8516c3a9c399faa4801259069e4b4baff717
SHA512

d2b12363ac6145f83f0c2f756509d7636db187ac08b0dd13bffe05a23c1774bda40c23a9f98ae48efdcef04630b4f9cfa7ec324ef1d03932139eaadd8ec0af76
SSDEEP

49152:oJy796EvMtTx435MtV+O14pWPMPdEAnPc5aIgqINUB+EuWi0+CSqvVBI1rg:d7AEvgVOI4QPc6dIcRsoR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2136	2dc03de1ac40a9c7aeaac0cc8ed899c5.tmp
2668	WMF.exe

Loads dropped DLL 5 IoCs

pid	Process
2420	2dc03de1ac40a9c7aeaac0cc8ed899c5.exe
2136	2dc03de1ac40a9c7aeaac0cc8ed899c5.tmp
2136	2dc03de1ac40a9c7aeaac0cc8ed899c5.tmp
2136	2dc03de1ac40a9c7aeaac0cc8ed899c5.tmp
2136	2dc03de1ac40a9c7aeaac0cc8ed899c5.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2668	WMF.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2136	2420	2dc03de1ac40a9c7aeaac0cc8ed899c5.exe	28
PID 2420 wrote to memory of 2136	2420	2dc03de1ac40a9c7aeaac0cc8ed899c5.exe	28
PID 2420 wrote to memory of 2136	2420	2dc03de1ac40a9c7aeaac0cc8ed899c5.exe	28
PID 2420 wrote to memory of 2136	2420	2dc03de1ac40a9c7aeaac0cc8ed899c5.exe	28
PID 2420 wrote to memory of 2136	2420	2dc03de1ac40a9c7aeaac0cc8ed899c5.exe	28
PID 2420 wrote to memory of 2136	2420	2dc03de1ac40a9c7aeaac0cc8ed899c5.exe	28
PID 2420 wrote to memory of 2136	2420	2dc03de1ac40a9c7aeaac0cc8ed899c5.exe	28
PID 2136 wrote to memory of 2668	2136	2dc03de1ac40a9c7aeaac0cc8ed899c5.tmp	29
PID 2136 wrote to memory of 2668	2136	2dc03de1ac40a9c7aeaac0cc8ed899c5.tmp	29
PID 2136 wrote to memory of 2668	2136	2dc03de1ac40a9c7aeaac0cc8ed899c5.tmp	29
PID 2136 wrote to memory of 2668	2136	2dc03de1ac40a9c7aeaac0cc8ed899c5.tmp	29

C:\Users\Admin\AppData\Local\Temp\2dc03de1ac40a9c7aeaac0cc8ed899c5.exe
"C:\Users\Admin\AppData\Local\Temp\2dc03de1ac40a9c7aeaac0cc8ed899c5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\is-Q699F.tmp\2dc03de1ac40a9c7aeaac0cc8ed899c5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-Q699F.tmp\2dc03de1ac40a9c7aeaac0cc8ed899c5.tmp" /SL5="$8011E,2423269,153088,C:\Users\Admin\AppData\Local\Temp\2dc03de1ac40a9c7aeaac0cc8ed899c5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Users\Admin\AppData\Local\Temp\is-ERKGA.tmp\WMF.exe
    "C:\Users\Admin\AppData\Local\Temp\is-ERKGA.tmp\WMF.exe" /aid=0 /sub=0 /sid=42 /name="jack_and_jill_2011_ts_xvid-26k.rar" /fid= /stats=9HIMDhZ2/tvOzRZC2ENC7wGnMZwe+WLUQbI8qnY+2M0ZHOJFXWIaVxDh3oQBDolsYr06ORzKGKJqW3U5EJ4FmA== /param=0
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-ERKGA.tmp\default.xml

Filesize
2KB

MD5
4c219b78a305d3e52c811542154bb224

SHA1
7efe3e383b29c808cfb3ad0fd90d627ea7b2b2bf

SHA256
a0dbdc08f771e32a5ef06f47b436afb270e860578971a974db0c34c0c1366a7c

SHA512
bced9584568b011c0b2013e48d6b9503f77b01c57e2049722326a40363ce42c533e590c4583cf0cf3a5391f3208db8135b5afdc27ae7359af3ded66b11e628b8

Download Submit
\Users\Admin\AppData\Local\Temp\is-ERKGA.tmp\WMF.exe

Filesize
3.4MB

MD5
4d6d6472286c4264630e55982266e230

SHA1
8d077d7276f46dd48092a45bb7a1b709de07e9f6

SHA256
932d9dc10676ba1b87b522bd369f47f006eadf64e7ae386985c5f502f8ec6f07

SHA512
bd916b51a659b22c3172b4734d580d2def02bef1261fde72b43c7ed5effbefa4292e3a8e337a57d2e9f615eff072f5fe2f3170538a5d2ed855069c1639665edc

Download Submit
\Users\Admin\AppData\Local\Temp\is-ERKGA.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-Q699F.tmp\2dc03de1ac40a9c7aeaac0cc8ed899c5.tmp

Filesize
1.1MB

MD5
8811a0652c18dbcf68955f99df537eb8

SHA1
70cff6c43c0f873295dc085018639dff02f33012

SHA256
d69f51e65e3944891ec9c392b3d7410d81f8f93e55b9071584bfd1d384862230

SHA512
ed2ff6cfe272a8ae260233a1bb653adc0eaae13388418a9dea692b9924999d89b8677b8669fa24dcb0c606cfca7045bef779e1c58547f3f17d5096cbbe31d60a

Download Submit
memory/2136-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2136-44-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2136-49-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2420-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2420-43-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2668-41-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2668-45-0x0000000000400000-0x0000000000801000-memory.dmp

Filesize
4.0MB

Download
memory/2668-50-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing