a0c82f2656dd45e63714b5fb3395ee85fc085d766548e4104fa6c428a9b51edd

General

Target

53b93ce49c85e86415969c3381a83089.exe
Size

2.5MB
MD5

53b93ce49c85e86415969c3381a83089
SHA1

9eb02c75ab2f184ab20c3c3c4f849cd59605531e
SHA256

a0c82f2656dd45e63714b5fb3395ee85fc085d766548e4104fa6c428a9b51edd
SHA512

bcee02928fac5c55020a8596a99318a67ccf27ebbad5335f79f8ba2e4a8d67a32065a89f2bbc64cf1c10f4a4df823de50ffe13df0f3eeb44cc0885be3be6de1c
SSDEEP

49152:oky796EvMtTx435MtV+Oj29Ls3t/cwCxHHlc2KP1z8o/MO2Uqed3yBI1rH:o7AEvgVOy29Ls3JslVYzjMO26im

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2700	53b93ce49c85e86415969c3381a83089.tmp
2732	WMF.exe

Loads dropped DLL 5 IoCs

pid	Process
2880	53b93ce49c85e86415969c3381a83089.exe
2700	53b93ce49c85e86415969c3381a83089.tmp
2700	53b93ce49c85e86415969c3381a83089.tmp
2700	53b93ce49c85e86415969c3381a83089.tmp
2700	53b93ce49c85e86415969c3381a83089.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2732	WMF.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2700	2880	53b93ce49c85e86415969c3381a83089.exe	29
PID 2880 wrote to memory of 2700	2880	53b93ce49c85e86415969c3381a83089.exe	29
PID 2880 wrote to memory of 2700	2880	53b93ce49c85e86415969c3381a83089.exe	29
PID 2880 wrote to memory of 2700	2880	53b93ce49c85e86415969c3381a83089.exe	29
PID 2880 wrote to memory of 2700	2880	53b93ce49c85e86415969c3381a83089.exe	29
PID 2880 wrote to memory of 2700	2880	53b93ce49c85e86415969c3381a83089.exe	29
PID 2880 wrote to memory of 2700	2880	53b93ce49c85e86415969c3381a83089.exe	29
PID 2700 wrote to memory of 2732	2700	53b93ce49c85e86415969c3381a83089.tmp	30
PID 2700 wrote to memory of 2732	2700	53b93ce49c85e86415969c3381a83089.tmp	30
PID 2700 wrote to memory of 2732	2700	53b93ce49c85e86415969c3381a83089.tmp	30
PID 2700 wrote to memory of 2732	2700	53b93ce49c85e86415969c3381a83089.tmp	30

C:\Users\Admin\AppData\Local\Temp\53b93ce49c85e86415969c3381a83089.exe
"C:\Users\Admin\AppData\Local\Temp\53b93ce49c85e86415969c3381a83089.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\is-LN4LN.tmp\53b93ce49c85e86415969c3381a83089.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-LN4LN.tmp\53b93ce49c85e86415969c3381a83089.tmp" /SL5="$4016E,2280122,153088,C:\Users\Admin\AppData\Local\Temp\53b93ce49c85e86415969c3381a83089.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\is-AV4T8.tmp\WMF.exe
    "C:\Users\Admin\AppData\Local\Temp\is-AV4T8.tmp\WMF.exe" /aid=0 /sub=0 /sid=42 /name="45.rar" /fid= /stats=6BMz7mxDTQUNpgijiDNnIJZog7fxDeuBKc4ef1AlCk8FrLFLRU4H9MeqJ72CH0OlmF2lmAjWG2SyXYHhzGSeNg== /param=0
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-AV4T8.tmp\WMF.exe

Filesize
1.1MB

MD5
845b85bec6d65e66309dd7e059bab5e3

SHA1
4bd779b563e6aa1bda9c5bf2dbef5a6dda0cf329

SHA256
2fd7580f1e7cf0bd2d570dd49e4f601499ccf09983a030326f28ce5b6d480ef9

SHA512
9b6d7d6f38d8ed2ca91882d01af37b0a4a888c1ff658dd0f230a8534a0e6c0f4adcbc8e5cd0a5786c9ff99bb6c29bc6c569c9a4ef21759f32bdd606346c4cb8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AV4T8.tmp\WMF.exe

Filesize
1.8MB

MD5
d556a5734103f687a1ea4a7d82e47e02

SHA1
ebd80ec6486d1bfb95248639af21e3907152aeb9

SHA256
8aa38f72eb391c0d76af138cd4330e8b6a8b879edf2863801c116472061978ff

SHA512
28c1793bf801dfe72d6daa76edb63f519e6dd138f3d88c00b6d86921e3d22b62992383aaa3dc6a0fb7f1ef3a71173482abc5f590034dff005a402ad133919185

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AV4T8.tmp\default.xml

Filesize
2KB

MD5
4c219b78a305d3e52c811542154bb224

SHA1
7efe3e383b29c808cfb3ad0fd90d627ea7b2b2bf

SHA256
a0dbdc08f771e32a5ef06f47b436afb270e860578971a974db0c34c0c1366a7c

SHA512
bced9584568b011c0b2013e48d6b9503f77b01c57e2049722326a40363ce42c533e590c4583cf0cf3a5391f3208db8135b5afdc27ae7359af3ded66b11e628b8

Download Submit
\Users\Admin\AppData\Local\Temp\is-AV4T8.tmp\WMF.exe

Filesize
2.9MB

MD5
5c45052710eb75f23c4007e4c8a4f906

SHA1
dba20ea245f28118df0da5cfa2ff788ceedd9872

SHA256
e454819d505e72d5af8043cb64b75bb64615bed160e0ef713af9c766a919110c

SHA512
a052e488999ab65cfc518eca6f671e50f5a0987d2c737b8a7e9005f9a940d0cdaec01da0d6780624df85a3fdb05634f5220935493ba740eaeee457b6f7029adf

Download Submit
\Users\Admin\AppData\Local\Temp\is-AV4T8.tmp\WMF.exe

Filesize
2.0MB

MD5
d5cef3dfe0ef5c78f31ef94b7537c478

SHA1
7dfed1a95258b4dc37624982bd2abc9a3233a4ee

SHA256
f9595bd815febb110651381a29f29255964371f7315b2f04f0c6b2e85cea2f42

SHA512
d3a4f2bbf94b40e7e3798ed0b818dfcd0aea8209d38d2f4e7d27bcd64e65be08306e73fc099b62d03b56ae14ec41f0aead897aadc27d5e9efc964c661f70114b

Download Submit
\Users\Admin\AppData\Local\Temp\is-AV4T8.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-LN4LN.tmp\53b93ce49c85e86415969c3381a83089.tmp

Filesize
1.1MB

MD5
8811a0652c18dbcf68955f99df537eb8

SHA1
70cff6c43c0f873295dc085018639dff02f33012

SHA256
d69f51e65e3944891ec9c392b3d7410d81f8f93e55b9071584bfd1d384862230

SHA512
ed2ff6cfe272a8ae260233a1bb653adc0eaae13388418a9dea692b9924999d89b8677b8669fa24dcb0c606cfca7045bef779e1c58547f3f17d5096cbbe31d60a

Download Submit
memory/2700-7-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2700-40-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2732-37-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2732-41-0x0000000000400000-0x00000000007E2000-memory.dmp

Filesize
3.9MB

Download
memory/2732-45-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2880-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2880-39-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing