8ee76799220183625f317f176086db2c95af7099c1c0edf8dd6eff3711c4ad4f

General

Target

3d15e6c18de827e82a8020e1c6475ba8.exe
Size

123KB
MD5

3d15e6c18de827e82a8020e1c6475ba8
SHA1

4cac5c1f282875a7b3026b76c63eaea9bd71ce7d
SHA256

8ee76799220183625f317f176086db2c95af7099c1c0edf8dd6eff3711c4ad4f
SHA512

e600a8d516dccf91877853fffca0208d789f8972ebe2992eba65b57269cc4351e90687f5f6b1035305f7d9163eca6cfc44c8a42c2a065f9f4f6974b41a7c5fba
SSDEEP

1536:S8VEUVSldQEUWgxvOaxMz3+ZkewyJir7uFz3/MLurpRdCpCA1dW:S8VEbdsW+vO6Mz3h9roz1rpRkzd

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
1716	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8515eb34d8f9de5af815466e9715b3e5.exe	Trojan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8515eb34d8f9de5af815466e9715b3e5.exe	Trojan.exe

Executes dropped EXE 1 IoCs

pid	Process
1644	Trojan.exe

Loads dropped DLL 1 IoCs

pid	Process
1748	3d15e6c18de827e82a8020e1c6475ba8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\8515eb34d8f9de5af815466e9715b3e5 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8515eb34d8f9de5af815466e9715b3e5 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Trojan.exe\" .."	Trojan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1644	1748	3d15e6c18de827e82a8020e1c6475ba8.exe	21
PID 1748 wrote to memory of 1644	1748	3d15e6c18de827e82a8020e1c6475ba8.exe	21
PID 1748 wrote to memory of 1644	1748	3d15e6c18de827e82a8020e1c6475ba8.exe	21
PID 1748 wrote to memory of 1644	1748	3d15e6c18de827e82a8020e1c6475ba8.exe	21
PID 1644 wrote to memory of 1716	1644	Trojan.exe	20
PID 1644 wrote to memory of 1716	1644	Trojan.exe	20
PID 1644 wrote to memory of 1716	1644	Trojan.exe	20
PID 1644 wrote to memory of 1716	1644	Trojan.exe	20

C:\Users\Admin\AppData\Local\Temp\3d15e6c18de827e82a8020e1c6475ba8.exe
"C:\Users\Admin\AppData\Local\Temp\3d15e6c18de827e82a8020e1c6475ba8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Roaming\Trojan.exe
  "C:\Users\Admin\AppData\Roaming\Trojan.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1644

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Trojan.exe" "Trojan.exe" ENABLE
1⤵
- Modifies Windows Firewall
PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8515eb34d8f9de5af815466e9715b3e5.exe

Filesize
28KB

MD5
9c5aa5dc4fa3daa5fa6b5f04d3bcf966

SHA1
f50ffe9f26f921394d6c0f90ba189404624d71b8

SHA256
a90fb349dfdc8d785bca4e9c61f43dc1b7154e269b4edcd9e7bf265ce6d76d63

SHA512
263af48c85a9afcedd29b2f9e9ccfef05ef07cf465beda60b289838d1dc91ab9d590eac509050d3fe34cf0ff5672430d75c602c17d8b6e03ee451b6b79988074

Download Submit
C:\Users\Admin\AppData\Roaming\Trojan.exe

Filesize
7KB

MD5
7e62913e47b8917629fe904ad7470693

SHA1
90c1cd0303e010796f1bdd24b314a8d85cc2ed78

SHA256
fefe5f5532a3502f333bc4573bf6f007328c7276ecc66cc5d31cac046df39d94

SHA512
b8c6e73be3ddd1625efb27687be7184d11eb2efbf7bbd8e1d1db5fed16ab5c94573816d5b1d002e003c1593c70a001f42f0b91917b153a9d43ccd31f7f6430f5

Download Submit
C:\Users\Admin\AppData\Roaming\Trojan.exe

Filesize
45KB

MD5
446d23d238934dcd4d3fc9ead0fb298b

SHA1
ce29726c14dc718ddc5daba1b8fb287cdbb9dc49

SHA256
6cac7d76f90ec259d6b400cc390bd583963cdc265871bc10a4bcdfd60f675e67

SHA512
99c959d955a18e612cc89f3ad837796e8461e537e973b323e428440066bde651ce84375d8b94428eeb026a09eecac7495edcd71473f330cd6590354b1559ac7e

Download Submit
\Users\Admin\AppData\Roaming\Trojan.exe

Filesize
58KB

MD5
c4000810e6f45d125abe150c52eddeb3

SHA1
7afc968da36fad1dea0cc3351a71f17974d7866a

SHA256
f72929acc569349a538455e41dcd4968e1c1aeb28cb1f5e1d26c244f46e3886b

SHA512
a4a3c891f01e73efe332337b8c696a00b1f1664e8bf8f02c1e2e24749e0cf4aa05bbbf24a1411e76bb1461fe584b20dfd55a60abac4d21f448914dab042d3978

Download Submit
memory/1644-12-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/1644-14-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/1644-13-0x00000000021A0000-0x00000000021E0000-memory.dmp

Filesize
256KB

Download
memory/1644-17-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/1748-0-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/1748-1-0x0000000000740000-0x0000000000780000-memory.dmp

Filesize
256KB

Download
memory/1748-2-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/1748-11-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads