a0ded183c858c68f20aea5f65346b007fa2cc2867d54d3974a69983ff63d92f1

General

Target

583672a0eb2ad545927384a74172b077.exe
Size

2.5MB
MD5

583672a0eb2ad545927384a74172b077
SHA1

7ee8fd0d2f82c2abab4d7e5e8c1508e0dd4e5f0d
SHA256

a0ded183c858c68f20aea5f65346b007fa2cc2867d54d3974a69983ff63d92f1
SHA512

4175666c0bc161404b319181dcd1abcc8626febb56141d2adadff322c55e8b1d1ba36d80e08c2bcab9668076a597744e72970dd5400eeceb9002d306e88e19c7
SSDEEP

49152:oky796EvMtTx435MtV+Oj29Ls3t/cwCxHHlc2KP1z8o/MO2Uqed3yBI1r3:o7AEvgVOy29Ls3JslVYzjMO26i4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1724	583672a0eb2ad545927384a74172b077.tmp
2552	WMF.exe

Loads dropped DLL 5 IoCs

pid	Process
2116	583672a0eb2ad545927384a74172b077.exe
1724	583672a0eb2ad545927384a74172b077.tmp
1724	583672a0eb2ad545927384a74172b077.tmp
1724	583672a0eb2ad545927384a74172b077.tmp
1724	583672a0eb2ad545927384a74172b077.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2552	WMF.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1724	2116	583672a0eb2ad545927384a74172b077.exe	16
PID 2116 wrote to memory of 1724	2116	583672a0eb2ad545927384a74172b077.exe	16
PID 2116 wrote to memory of 1724	2116	583672a0eb2ad545927384a74172b077.exe	16
PID 2116 wrote to memory of 1724	2116	583672a0eb2ad545927384a74172b077.exe	16
PID 2116 wrote to memory of 1724	2116	583672a0eb2ad545927384a74172b077.exe	16
PID 2116 wrote to memory of 1724	2116	583672a0eb2ad545927384a74172b077.exe	16
PID 2116 wrote to memory of 1724	2116	583672a0eb2ad545927384a74172b077.exe	16
PID 1724 wrote to memory of 2552	1724	583672a0eb2ad545927384a74172b077.tmp	19
PID 1724 wrote to memory of 2552	1724	583672a0eb2ad545927384a74172b077.tmp	19
PID 1724 wrote to memory of 2552	1724	583672a0eb2ad545927384a74172b077.tmp	19
PID 1724 wrote to memory of 2552	1724	583672a0eb2ad545927384a74172b077.tmp	19

C:\Users\Admin\AppData\Local\Temp\is-OPQC8.tmp\583672a0eb2ad545927384a74172b077.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OPQC8.tmp\583672a0eb2ad545927384a74172b077.tmp" /SL5="$70122,2280122,153088,C:\Users\Admin\AppData\Local\Temp\583672a0eb2ad545927384a74172b077.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\is-VLAAH.tmp\WMF.exe
  "C:\Users\Admin\AppData\Local\Temp\is-VLAAH.tmp\WMF.exe" /aid=0 /sub=0 /sid=42 /name="Crysis*" /fid= /stats=iw06avU1WybnpD3IXpRBaNbk6ZI4JlyIALgIswDvUNErfqvoWrbIh1SyTZgbxHF9/RkmH4CTprkO/nBo1xkSnw== /param=0
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2552

C:\Users\Admin\AppData\Local\Temp\583672a0eb2ad545927384a74172b077.exe
"C:\Users\Admin\AppData\Local\Temp\583672a0eb2ad545927384a74172b077.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-OPQC8.tmp\583672a0eb2ad545927384a74172b077.tmp

Filesize
1.1MB

MD5
a098ba7ad530c703cf60b290d0586d55

SHA1
89e091c69fbad58e63ffb6ba8bfd5f2e2799dacf

SHA256
9523c2f2a426f77aeb655fbc14584496df32ca09ac24573ae1716cba0d593868

SHA512
a063b89379bcd0f1858a5cb280624190f58a1f7439d1df2a36f830e2c39e53ca75cbb3b4fa880c12af61779c261ea46f185fc2eb226052000e795f2b3b477225

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VLAAH.tmp\WMF.exe

Filesize
92KB

MD5
75b18b7f4ddf5e96e5a278e686615d35

SHA1
43164a58e3f21fca80cf5795bd34e452bf81ef17

SHA256
e387ec8c5605302bd5d913cacc25b822040210fc13d2ed1519b1359d370504c1

SHA512
16ceb2b97b8711a520c1f83ae89cb3d0e3907023cb0008fe71166359a1362f3aa2c06b59867090e24ab450ea6117431d4d6a530dc24fdd7b7faeef562cd515f5

Download Submit
\Users\Admin\AppData\Local\Temp\is-OPQC8.tmp\583672a0eb2ad545927384a74172b077.tmp

Filesize
1.1MB

MD5
8811a0652c18dbcf68955f99df537eb8

SHA1
70cff6c43c0f873295dc085018639dff02f33012

SHA256
d69f51e65e3944891ec9c392b3d7410d81f8f93e55b9071584bfd1d384862230

SHA512
ed2ff6cfe272a8ae260233a1bb653adc0eaae13388418a9dea692b9924999d89b8677b8669fa24dcb0c606cfca7045bef779e1c58547f3f17d5096cbbe31d60a

Download Submit
\Users\Admin\AppData\Local\Temp\is-VLAAH.tmp\WMF.exe

Filesize
1.1MB

MD5
92046c697c5b966dd1129b3de2d241a2

SHA1
7a2d238aeaf82b1d8534ecb1993fd92a99bccbc5

SHA256
47d970d683a91b69ef06f1be7292d788c8bcefa140c826f202541c2befdf4904

SHA512
5849dc07311c4cf37a35fc84f3cf0727af2b49101201f8c28e4f819fe3e641488496113f83a8d1cea273600172da35eb467d8a723d1c629e0ff9fe711e0aa7c7

Download Submit
\Users\Admin\AppData\Local\Temp\is-VLAAH.tmp\WMF.exe

Filesize
93KB

MD5
c76308e896d2efdaff515c845438e760

SHA1
da55af3e32109a76b781bebaa8341927cdd9c40e

SHA256
718fd2ac7c0573f2aa71318658ed88feb1acd5b06e1313923788229a70ff849a

SHA512
e470ae0ac7c2d5ff1ba9ccffd3fb96c3623b4a9451a789ae3a5f63eb851da372033a84539a41d55e1673e3bd40afbc2286106e6e4c0d3daffeb14c935f5ce214

Download Submit
\Users\Admin\AppData\Local\Temp\is-VLAAH.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1724-8-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1724-41-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1724-46-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2116-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2116-2-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2116-40-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2552-38-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2552-42-0x0000000000400000-0x00000000007E2000-memory.dmp

Filesize
3.9MB

Download
memory/2552-47-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing