cd00de3bdb7fc3e3c7c2d384bc63c5c5138032e7a803fcb92ccaa606d6500efc

General

Target

3d34cc9393bfa2f4c58ce0ae349d1c8b.exe
Size

860KB
MD5

3d34cc9393bfa2f4c58ce0ae349d1c8b
SHA1

d314798fa8c8a6bea3e4ef03fd04fcbeec51dc94
SHA256

cd00de3bdb7fc3e3c7c2d384bc63c5c5138032e7a803fcb92ccaa606d6500efc
SHA512

80b168efa7c47ac0a8dcb3b0a9c5b1672a845e745bfbbd7d667c738248c743ee21bf65bd70bae272608e3f52649fb1e4430e499d147a9b04080ecf323ff7ab7d
SSDEEP

24576:1rX9KZJuzVfT43WtwUwhGQp0l4nTyYOAxpamZQ72:1rXUzuzVLSWeUEGR6TyYDamOK

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2724	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2780	52364525.exe

Loads dropped DLL 5 IoCs

pid	Process
2840	cmd.exe
2840	cmd.exe
2780	52364525.exe
2780	52364525.exe
2780	52364525.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\52364525 = "C:\\ProgramData\\52364525\\52364525.exe"	3d34cc9393bfa2f4c58ce0ae349d1c8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\52364525 = "C:\\PROGRA~3\\52364525\\52364525.exe"	52364525.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2780	52364525.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2780	52364525.exe
2780	52364525.exe
2780	52364525.exe
2780	52364525.exe
2780	52364525.exe
2780	52364525.exe
2780	52364525.exe
2780	52364525.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2780	52364525.exe
2780	52364525.exe
2780	52364525.exe
2780	52364525.exe
2780	52364525.exe
2780	52364525.exe
2780	52364525.exe
2780	52364525.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2724	3000	3d34cc9393bfa2f4c58ce0ae349d1c8b.exe	28
PID 3000 wrote to memory of 2724	3000	3d34cc9393bfa2f4c58ce0ae349d1c8b.exe	28
PID 3000 wrote to memory of 2724	3000	3d34cc9393bfa2f4c58ce0ae349d1c8b.exe	28
PID 3000 wrote to memory of 2724	3000	3d34cc9393bfa2f4c58ce0ae349d1c8b.exe	28
PID 2724 wrote to memory of 2840	2724	cmd.exe	30
PID 2724 wrote to memory of 2840	2724	cmd.exe	30
PID 2724 wrote to memory of 2840	2724	cmd.exe	30
PID 2724 wrote to memory of 2840	2724	cmd.exe	30
PID 2840 wrote to memory of 2780	2840	cmd.exe	31
PID 2840 wrote to memory of 2780	2840	cmd.exe	31
PID 2840 wrote to memory of 2780	2840	cmd.exe	31
PID 2840 wrote to memory of 2780	2840	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\3d34cc9393bfa2f4c58ce0ae349d1c8b.exe
"C:\Users\Admin\AppData\Local\Temp\3d34cc9393bfa2f4c58ce0ae349d1c8b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\ProgramData\52364525\52364525.bat" "
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start C:\PROGRA~3\52364525\52364525.exe /i
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\PROGRA~3\52364525\52364525.exe
      C:\PROGRA~3\52364525\52364525.exe /i
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\52364525\52364525.bat

Filesize
230B

MD5
2262e18b10a7f223f753a1b7839d53a7

SHA1
773a0f2a5a0f95fb096c37b9bbcd8ee7cf2ca81b

SHA256
d63886903c16c961642e0fe861e4c175f047650e0a17354f1e26ba545d8e6170

SHA512
4b04e6aeea04b20015122911117ee66af9704584bc67ed5c2fdc4b663d525c20a0bb9412c361503be9ed8c7ac9cbdbbf1e1d484958690351898a92d765e80af1

Download Submit
\PROGRA~3\52364525\52364525.exe

Filesize
860KB

MD5
3d34cc9393bfa2f4c58ce0ae349d1c8b

SHA1
d314798fa8c8a6bea3e4ef03fd04fcbeec51dc94

SHA256
cd00de3bdb7fc3e3c7c2d384bc63c5c5138032e7a803fcb92ccaa606d6500efc

SHA512
80b168efa7c47ac0a8dcb3b0a9c5b1672a845e745bfbbd7d667c738248c743ee21bf65bd70bae272608e3f52649fb1e4430e499d147a9b04080ecf323ff7ab7d

Download Submit
memory/2780-34-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2780-32-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/2780-46-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2780-41-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2780-40-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2780-22-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/2780-21-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2780-23-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2780-24-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2780-30-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2780-31-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2780-39-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2780-33-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2780-38-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2780-35-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2780-37-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/3000-1-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/3000-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3000-2-0x00000000006D0000-0x00000000007D0000-memory.dmp

Filesize
1024KB

Download
memory/3000-14-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/3000-3-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads