3a7e73d197980a72cfa212a4ebb2eab809c1cf1abf0be5e7ffde4275d513b477

General

Target

32050adefb91ca7c5a7fecbf86647784.exe
Size

393KB
MD5

32050adefb91ca7c5a7fecbf86647784
SHA1

b0c08e13b33aef6b13ce50078484be426888b023
SHA256

3a7e73d197980a72cfa212a4ebb2eab809c1cf1abf0be5e7ffde4275d513b477
SHA512

bf7469872038646a581711b3c453d9a6669b2a985d6ee8505faabdaa16cbdc64fef20c4e5bccbac3be929af35996df3608f236c9ee3b17f8785b2947a44128c3
SSDEEP

6144:TbXE9OiTGfhEClq98bd3BTznTiVrDpXA7U4ze4FGkxKawNSH:fU9XiuiHbdxTznTor2lGkx5N

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1984	iphone.exe

Loads dropped DLL 5 IoCs

pid	Process
2300	32050adefb91ca7c5a7fecbf86647784.exe
2300	32050adefb91ca7c5a7fecbf86647784.exe
1952	WerFault.exe
1952	WerFault.exe
1952	WerFault.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\kk2\kk1\monkeypad.jpg	DllHost.exe
File opened for modification	C:\Program Files (x86)\kk2\kk1\data.txt	32050adefb91ca7c5a7fecbf86647784.exe
File opened for modification	C:\Program Files (x86)\kk2\kk1\bramapod.bat	32050adefb91ca7c5a7fecbf86647784.exe
File opened for modification	C:\Program Files (x86)\kk2\kk1\monkeypad.jpg	32050adefb91ca7c5a7fecbf86647784.exe
File opened for modification	C:\Program Files (x86)\kk2\kk1\iphone.exe	32050adefb91ca7c5a7fecbf86647784.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1952	1984	WerFault.exe	31

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2656	DllHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2720	2300	32050adefb91ca7c5a7fecbf86647784.exe	28
PID 2300 wrote to memory of 2720	2300	32050adefb91ca7c5a7fecbf86647784.exe	28
PID 2300 wrote to memory of 2720	2300	32050adefb91ca7c5a7fecbf86647784.exe	28
PID 2300 wrote to memory of 2720	2300	32050adefb91ca7c5a7fecbf86647784.exe	28
PID 2300 wrote to memory of 1984	2300	32050adefb91ca7c5a7fecbf86647784.exe	31
PID 2300 wrote to memory of 1984	2300	32050adefb91ca7c5a7fecbf86647784.exe	31
PID 2300 wrote to memory of 1984	2300	32050adefb91ca7c5a7fecbf86647784.exe	31
PID 2300 wrote to memory of 1984	2300	32050adefb91ca7c5a7fecbf86647784.exe	31
PID 1984 wrote to memory of 1952	1984	iphone.exe	34
PID 1984 wrote to memory of 1952	1984	iphone.exe	34
PID 1984 wrote to memory of 1952	1984	iphone.exe	34
PID 1984 wrote to memory of 1952	1984	iphone.exe	34

C:\Users\Admin\AppData\Local\Temp\32050adefb91ca7c5a7fecbf86647784.exe
"C:\Users\Admin\AppData\Local\Temp\32050adefb91ca7c5a7fecbf86647784.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\kk2\kk1\bramapod.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:2720
- C:\Program Files (x86)\kk2\kk1\iphone.exe
  "C:\Program Files (x86)\kk2\kk1\iphone.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 188
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1952

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\kk2\kk1\bramapod.bat

Filesize
2KB

MD5
d3e2b787c9bb557f868b37a2dda64c82

SHA1
77c7ee948c18f982c3c393f49552024a929a6a35

SHA256
4ce4840298e5362057936d7dc444ba68dc4f2a7a370476e318b8aee892f87ffe

SHA512
db1a37a27bb3e9fc41afcebc08735ec4990f7715ff6935cdad8476726c80a217bb663dbd68ccb780ffe29d5d4e546bdfa8caae8ba655a5f751cd64c9998b3634

Download Submit
C:\Program Files (x86)\kk2\kk1\data.txt

Filesize
2B

MD5
d645920e395fedad7bbbed0eca3fe2e0

SHA1
af3e133428b9e25c55bc59fe534248e6a0c0f17b

SHA256
d59eced1ded07f84c145592f65bdf854358e009c5cd705f5215bf18697fed103

SHA512
5e108bc2842d7716815913af0b3d5cb59563fa9116f71b9a17b37d6d445fe778a071b6abcf9b1c5bac2be00800c74e29d69774a66570908d5ea848dcc0abfa76

Download Submit
C:\Program Files (x86)\kk2\kk1\iphone.exe

Filesize
542KB

MD5
4f931bdf231525abd95125a84bd580f0

SHA1
08f6f1bd3f863a450b1daa901af83f2b0c0d0393

SHA256
90e7817f61cbec30e715c4db1382f87851bb27e2790210c59f0ae06c9cb6528c

SHA512
0d8b8a49f000ad4ed31524e1c6b7540ff666f483b4dbb93e878fe74a8faf5e8b9252b1a03a42f20d8cff4c64b254f3c015485ee9eed33d6def37c5c14352c249

Download Submit
C:\Program Files (x86)\kk2\kk1\iphone.exe

Filesize
512KB

MD5
9bff31d478b5c0899e7aca27637279cc

SHA1
48c0e1eefac5e63c75f79b269eac49dcc0056948

SHA256
fa877c1506f7ef2b887fd919145df4fc4885d326c826993ed2e0307600ce6c80

SHA512
24c6774198db36c9a87cb26eefc70b187a5441d7abe11077e04a3564787022fe77a57da1ff783916d6778e416ea7df5b42ff7af2e64a8f0a0ca540f802da3cd8

Download Submit
C:\Program Files (x86)\kk2\kk1\monkeypad.jpg

Filesize
30KB

MD5
9e5a20a18492de0cee9445c63bc0a116

SHA1
44fb0f70516424d8722838a89bc340f1d0ab2bb0

SHA256
f2db3283109737a0837a193cdf3d1900547ddeadaed4538359a9aeb7d7b5a8a4

SHA512
e35e5626910f1a3fd0576fae1d9532a142f6c9786234a603f60f80f081b0b9ffbf6333eb11107ce6dfa903d58d63444a0c5b1447c8ea0f7c20c341c2b44308e5

Download Submit
\Program Files (x86)\kk2\kk1\iphone.exe

Filesize
449KB

MD5
c43c82fa2ab5cee1398a8e9a65d8418e

SHA1
f6d3309fcbc761e275e6f54a5b93bca679337ed8

SHA256
bb9b3d8510978675542a42faad0b884462ca7dc694fd73a578bc9d0458786717

SHA512
1041fad80d4f1f9b1641458d70903712908546237ed25c6d842d4f24728bc49a8af186ec3375bc0d468fb5b633048996c5c088e65573fca58b2178a1381cc99b

Download Submit
memory/1984-54-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1984-60-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2300-51-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2300-39-0x00000000034E0000-0x00000000034E2000-memory.dmp

Filesize
8KB

Download
memory/2656-44-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2656-40-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2656-56-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing