118e8852955e42d6d1cf8ec503e6a69667877e5e15483769174de319b96e30f7

General

Target

70b14a52290e93ee5c6cca772292ee2a.exe
Size

270KB
MD5

70b14a52290e93ee5c6cca772292ee2a
SHA1

da2bdcfc7902677537efb2a731f2766d0ca76708
SHA256

118e8852955e42d6d1cf8ec503e6a69667877e5e15483769174de319b96e30f7
SHA512

0be37f61770d7f5489843b74e0267c14a7479c430571c8b3c808180b45c8872855375bfcc8faaf2dfe0bc3bf54e0555d56abce36895b68298d383740b3c049e1
SSDEEP

6144:3saocyLC3BKkQ0zopNvR90vfQ2pdTAPOTt6KKDPB8EKcF1w:3toboBFNzojaY2/kGhAD5Iuw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2372	ins5.exe
2776	8326f16e-dd66-11e2-a752-00259033c1da.exe

Loads dropped DLL 3 IoCs

pid	Process
2356	70b14a52290e93ee5c6cca772292ee2a.exe
2356	70b14a52290e93ee5c6cca772292ee2a.exe
2372	ins5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2776	8326f16e-dd66-11e2-a752-00259033c1da.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	8326f16e-dd66-11e2-a752-00259033c1da.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2776	8326f16e-dd66-11e2-a752-00259033c1da.exe
2776	8326f16e-dd66-11e2-a752-00259033c1da.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2372	2356	70b14a52290e93ee5c6cca772292ee2a.exe	28
PID 2356 wrote to memory of 2372	2356	70b14a52290e93ee5c6cca772292ee2a.exe	28
PID 2356 wrote to memory of 2372	2356	70b14a52290e93ee5c6cca772292ee2a.exe	28
PID 2356 wrote to memory of 2372	2356	70b14a52290e93ee5c6cca772292ee2a.exe	28
PID 2356 wrote to memory of 2372	2356	70b14a52290e93ee5c6cca772292ee2a.exe	28
PID 2356 wrote to memory of 2372	2356	70b14a52290e93ee5c6cca772292ee2a.exe	28
PID 2356 wrote to memory of 2372	2356	70b14a52290e93ee5c6cca772292ee2a.exe	28
PID 2372 wrote to memory of 2776	2372	ins5.exe	30
PID 2372 wrote to memory of 2776	2372	ins5.exe	30
PID 2372 wrote to memory of 2776	2372	ins5.exe	30
PID 2372 wrote to memory of 2776	2372	ins5.exe	30
PID 2372 wrote to memory of 2776	2372	ins5.exe	30
PID 2372 wrote to memory of 2776	2372	ins5.exe	30
PID 2372 wrote to memory of 2776	2372	ins5.exe	30

C:\Users\Admin\AppData\Local\Temp\70b14a52290e93ee5c6cca772292ee2a.exe
"C:\Users\Admin\AppData\Local\Temp\70b14a52290e93ee5c6cca772292ee2a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\nsd5BD.tmp\ins5.exe
  C:\Users\Admin\AppData\Local\Temp\nsd5BD.tmp\ins5.exe 8326f16e-dd66-11e2-a752-00259033c1da.exe /t102a964eed3f48d55fbed8c5df45e8 /dT132032024S102a964eed3f48d55fbed8c5df45e8 /e9107993 /u8326f16e-dd66-11e2-a752-00259033c1da
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\nsd5BD.tmp\8326f16e-dd66-11e2-a752-00259033c1da.exe
    "C:\Users\Admin\AppData\Local\Temp\nsd5BD.tmp\8326f16e-dd66-11e2-a752-00259033c1da.exe" /t102a964eed3f48d55fbed8c5df45e8 /dT132032024S102a964eed3f48d55fbed8c5df45e8 /e9107993 /u8326f16e-dd66-11e2-a752-00259033c1da
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd5BD.tmp\8326f16e-dd66-11e2-a752-00259033c1da.exe

Filesize
250KB

MD5
035e4f28801f8a2f5c9a51750b1d8bc0

SHA1
6083a072e75b146941dc759796e1b539fd4846db

SHA256
46dd0dcd46ed04a5819e21810339dc160a28c6d77a12661549d4a6875c4312be

SHA512
b5f0b19672c425d5025411bb0bfb9f604723bf11ba0a04b202330d2675655e1b7cb31bd51314d77f000edb668307fcf9661e20d12238e2095961cb0b1277d945

Download Submit
\Users\Admin\AppData\Local\Temp\nsd5BD.tmp\ins5.exe

Filesize
214KB

MD5
081f1ef743489a25c99fdd25f6d4f70d

SHA1
dfdbd1caf714644f6c1b1b383f717028c39a2db0

SHA256
ed6b25ef9345aa31303cdc1cad322b1607eda3bf7bfefe7445105baddd59c635

SHA512
bf2962affa9ffb92cbaa17389a71b6ecf548cf6629237444a4b078bdcbd29cdd825055e2fe49530053c864bb1ad42726c083bb7db6d20b0afc939363365ec4ca

Download Submit
\Users\Admin\AppData\Local\Temp\nsd5BD.tmp\nsExec.dll

Filesize
8KB

MD5
9f4abe9c1c095cdb505df5db52644d44

SHA1
94295f495f5535e0143107d3ca34141c943ec0b5

SHA256
e41bd375070919e1e194a7c1ca722a30d648a7fa7a4b5c33fb05660813c18bdf

SHA512
d1b6ab6d3e51f69e6ec79aa23629afc9ddedd8a7a668ea61b06bec115c95e2a35dca3ff9b9eb649e4bfece9a2fcd0832fed45f2308dca874f6e819708ed48169

Download Submit
memory/2356-29-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2372-25-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-13-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-12-0x0000000000340000-0x0000000000380000-memory.dmp

Filesize
256KB

Download
memory/2372-11-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/2776-22-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/2776-21-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/2776-23-0x00000000006D0000-0x0000000000710000-memory.dmp

Filesize
256KB

Download
memory/2776-24-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing