c18328409dbffaf6825e65ec6a41091c7baa59c779f9dfa37647f98bd5000329

General

Target

712af955d45e4cb10d26b4e27d58de3c.exe
Size

324KB
MD5

712af955d45e4cb10d26b4e27d58de3c
SHA1

94eaaf79d768c90de818e04ca68d7da627138333
SHA256

c18328409dbffaf6825e65ec6a41091c7baa59c779f9dfa37647f98bd5000329
SHA512

a6a9f261d1f0e10d87a2f5fdd6f14f708a5cbc7347206b01b0bc2f9bce840471370a92c048193080b0a49687b3a8cdea4c222925201c911487983d0f4fd05c92
SSDEEP

6144:FqzanIDYbcdsx+GmlWzB+P+VZGrIorLaHo9b1q7kN8+Q:F5Z+GmlGhIIoKHoBBu+Q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2760	StartUp.exe
2664	ctfmon.exe

Loads dropped DLL 5 IoCs

pid	Process
2940	712af955d45e4cb10d26b4e27d58de3c.exe
2940	712af955d45e4cb10d26b4e27d58de3c.exe
2760	StartUp.exe
2760	StartUp.exe
2664	ctfmon.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	712af955d45e4cb10d26b4e27d58de3c.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	StartUp.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf	StartUp.exe
File created	C:\Windows\inf\MyEgg.exe	StartUp.exe
File created	C:\Windows\nAdin.com	StartUp.exe
File opened for modification	C:\Windows\inf\ctfmon.exe	StartUp.exe
File opened for modification	C:\Windows\inf\Ad32.exe	StartUp.exe
File opened for modification	C:\Windows\inf\msvbvm60.dll	712af955d45e4cb10d26b4e27d58de3c.exe
File created	C:\Windows\ntpad.cmd	ctfmon.exe
File opened for modification	C:\Windows\inf\ctfmon.exe	ctfmon.exe
File created	C:\Windows\SYSTEM\msvbvm60.dll	712af955d45e4cb10d26b4e27d58de3c.exe
File created	C:\Windows\inf\ctfmon.exe	StartUp.exe
File opened for modification	C:\Windows\SYSTEM\msvbvm60.dll	712af955d45e4cb10d26b4e27d58de3c.exe
File created	C:\Windows\inf\msvbvm60.dll	712af955d45e4cb10d26b4e27d58de3c.exe
File opened for modification	C:\Windows\inf\MyEgg.exe	StartUp.exe
File opened for modification	C:\Windows\nAdin.com	StartUp.exe
File created	C:\Windows\inf\Ad32.exe	StartUp.exe
File opened for modification	C:\Windows\ntpad.cmd	ctfmon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2940	712af955d45e4cb10d26b4e27d58de3c.exe
2940	712af955d45e4cb10d26b4e27d58de3c.exe
2760	StartUp.exe
2760	StartUp.exe
2664	ctfmon.exe
2664	ctfmon.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2760	2940	712af955d45e4cb10d26b4e27d58de3c.exe	17
PID 2940 wrote to memory of 2760	2940	712af955d45e4cb10d26b4e27d58de3c.exe	17
PID 2940 wrote to memory of 2760	2940	712af955d45e4cb10d26b4e27d58de3c.exe	17
PID 2940 wrote to memory of 2760	2940	712af955d45e4cb10d26b4e27d58de3c.exe	17
PID 2760 wrote to memory of 2664	2760	StartUp.exe	16
PID 2760 wrote to memory of 2664	2760	StartUp.exe	16
PID 2760 wrote to memory of 2664	2760	StartUp.exe	16
PID 2760 wrote to memory of 2664	2760	StartUp.exe	16

C:\Users\Admin\AppData\Local\Temp\712af955d45e4cb10d26b4e27d58de3c.exe
"C:\Users\Admin\AppData\Local\Temp\712af955d45e4cb10d26b4e27d58de3c.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\StartUp.exe
  "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\StartUp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\inf\Ad32.exe
    C:\Windows\inf\Ad32.exe
    3⤵
    PID:1560

C:\Windows\inf\ctfmon.exe
C:\Windows\inf\ctfmon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1560-304-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1560-300-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1560-294-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1560-290-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1560-288-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1560-180-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2664-287-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2664-53-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2760-21-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2760-188-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2760-179-0x00000000004A0000-0x00000000004BD000-memory.dmp

Filesize
116KB

Download
memory/2760-178-0x00000000004A0000-0x00000000004BD000-memory.dmp

Filesize
116KB

Download
memory/2760-44-0x00000000004A0000-0x00000000004BD000-memory.dmp

Filesize
116KB

Download
memory/2760-50-0x00000000004A0000-0x00000000004BD000-memory.dmp

Filesize
116KB

Download
memory/2940-189-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2940-13-0x0000000001D50000-0x0000000001D6D000-memory.dmp

Filesize
116KB

Download
memory/2940-19-0x0000000001D50000-0x0000000001D6D000-memory.dmp

Filesize
116KB

Download
memory/2940-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing