eecd0c3ecc0098784090692a619ddf39b75fb9dd5d9143722e62294096534948

General

Target

041446924f9462d185ce680cfe40b1cd.exe
Size

711KB
MD5

041446924f9462d185ce680cfe40b1cd
SHA1

ab5d1b015016e8ebf1024ef30c9a1fc3300d8423
SHA256

eecd0c3ecc0098784090692a619ddf39b75fb9dd5d9143722e62294096534948
SHA512

fbc25524652d3deccb3f6fef6a7d3db55c3f71de3ddd0a6a3180a7917ad56d309ffc356327a5221e00d724b212185168e719f7af03aed55ec2378cefe45dfcc5
SSDEEP

12288:hLshYUaIY8DeY4IqRZLRfaflAZlAD/xUNnCD/pTZFQP+bXStj0DQv63Ws6:hLWBY8SQqbFfamZaDZCsNG2bxi26

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2032	SFS1777.tmp
2844	SFS1796.tmp

Loads dropped DLL 6 IoCs

pid	Process
1244	041446924f9462d185ce680cfe40b1cd.exe
1244	041446924f9462d185ce680cfe40b1cd.exe
2032	SFS1777.tmp
2032	SFS1777.tmp
2844	SFS1796.tmp
2844	SFS1796.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Invocation\Motepad.exe	SFS1796.tmp
File created	C:\Program Files (x86)\Invocation\temple.EXE	SFS1796.tmp
File created	C:\Program Files (x86)\Invocation\invocation.txt	SFS1796.tmp
File opened for modification	C:\Program Files (x86)\Invocation\uninstal.exe	SFS1796.tmp
File opened for modification	C:\Program Files (x86)\Invocation\uninstal.ini	SFS1796.tmp
File opened for modification	C:\Program Files (x86)\Invocation\Motepad.exe	SFS1796.tmp
File opened for modification	C:\Program Files (x86)\Invocation\temple.EXE	SFS1796.tmp
File opened for modification	C:\Program Files (x86)\Invocation\invocation.txt	SFS1796.tmp
File opened for modification	C:\Program Files (x86)\Invocation\readthis.txt	SFS1796.tmp
File created	C:\Program Files (x86)\Invocation\readthis.txt	SFS1796.tmp
File created	C:\Program Files (x86)\Invocation\uninstal.exe	SFS1796.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2032	1244	041446924f9462d185ce680cfe40b1cd.exe	17
PID 1244 wrote to memory of 2032	1244	041446924f9462d185ce680cfe40b1cd.exe	17
PID 1244 wrote to memory of 2032	1244	041446924f9462d185ce680cfe40b1cd.exe	17
PID 1244 wrote to memory of 2032	1244	041446924f9462d185ce680cfe40b1cd.exe	17
PID 2032 wrote to memory of 2844	2032	SFS1777.tmp	16
PID 2032 wrote to memory of 2844	2032	SFS1777.tmp	16
PID 2032 wrote to memory of 2844	2032	SFS1777.tmp	16
PID 2032 wrote to memory of 2844	2032	SFS1777.tmp	16
PID 2032 wrote to memory of 2844	2032	SFS1777.tmp	16
PID 2032 wrote to memory of 2844	2032	SFS1777.tmp	16
PID 2032 wrote to memory of 2844	2032	SFS1777.tmp	16
PID 2844 wrote to memory of 2680	2844	SFS1796.tmp	30
PID 2844 wrote to memory of 2680	2844	SFS1796.tmp	30
PID 2844 wrote to memory of 2680	2844	SFS1796.tmp	30
PID 2844 wrote to memory of 2680	2844	SFS1796.tmp	30
PID 2844 wrote to memory of 2680	2844	SFS1796.tmp	30
PID 2844 wrote to memory of 2680	2844	SFS1796.tmp	30
PID 2844 wrote to memory of 2680	2844	SFS1796.tmp	30

C:\Users\Admin\AppData\Local\Temp\041446924f9462d185ce680cfe40b1cd.exe
"C:\Users\Admin\AppData\Local\Temp\041446924f9462d185ce680cfe40b1cd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\SFS1777.tmp
  "C:\Users\Admin\AppData\Local\Temp\SFS1777.tmp"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2032

C:\Users\Admin\AppData\Local\Temp\SFS1796.tmp
"C:\Users\Admin\AppData\Local\Temp\SFS1796.tmp"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\Invocation\readthis.txt
  2⤵
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SFS1777.tmp

Filesize
691KB

MD5
96de23fddcb50155dcc6345f4c21a6db

SHA1
dd6762249dcaf8a82394c880eef25971ff260fc0

SHA256
bf2f2d497a8ae8a23dc99fbd17be02f5adc20d9682878e8e0811418bef80bfb0

SHA512
92f07ce42784cab4819cf1b833fbb3b6ab8ec0e206966efed5c3d29eb9f2ca364d413c3b357a108c2092de210aeb1704214f5bd21c0f0eaf3cec4dac33bc767f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SFS1796.tmp

Filesize
95KB

MD5
efc0e2c0358fd80812030eaf6c1b7adb

SHA1
6af9ede88e867fc9d3a91548cdf4a6474183df6f

SHA256
1684e0b3cee7d52533f7e9e84bf4dbca08b5e240d159c02a13819df7b79b3379

SHA512
ef142af1a00826064d2b3eb0146c216dc2342aea4717149882e4d3666dd3c46d9a7657e4e1973f6112a3ff704d0c0a613a74ea42af0ffdbb3beb80f67cc26a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SFS1796.tmp

Filesize
304KB

MD5
8bd27cc8bb87176f4a21cb27a741b28a

SHA1
d660d064d720744e4c8a3ba34308d6919117c6fd

SHA256
c21438ac0ed8d524f57124bdd394c06509f2595363c38580b92e8fe1ef81203a

SHA512
e8d374264deb5d953de9ebea3e6763199e5c0d10c1f58e58dd2b44e9b41866714042f4d38e0ca0d4b2f02e743ee90f4faead40382cef78e25947109e528d3316

Download Submit
\Program Files (x86)\Invocation\temple.EXE

Filesize
93KB

MD5
3a18618cd45a3cd128e5b9ead7a95e82

SHA1
5f8ce2031b714527a88428a4f712b20935a77715

SHA256
a7231712ed39b233c6c8b4c89038ccdd9e3164eb4e2867528793e50646d7eeda

SHA512
6f2b7cf66810904a11dee1a0a9493eae62590d82001c61a1a8292658827aa0d346836242754b4bc93ef260386cd1b09773ebeb888aa63e930d12f246f5d24400

Download Submit
\Users\Admin\AppData\Local\Temp\SFS1777.tmp

Filesize
470KB

MD5
ac6be11731a193ecf66ef13ec0810cad

SHA1
a7252bc84d0de7c28ba408030268f70acc32df79

SHA256
1eb63539a76d7e8bdb994c10f81d1ccbf2122c638aed1cf03a2b760a8e3feb55

SHA512
d2594da8ea452bb8107a6550894497e4cf3e47751610c39200470c71e93ec2600605a8788272de6e988770821400bd3e666a0a6d665cda0848602f54411c078b

Download Submit
\Users\Admin\AppData\Local\Temp\SFS1796.tmp

Filesize
381KB

MD5
29b98b170a75652257ea9bacd13de70a

SHA1
cc838ca111b0e43999b6e54ab4b4ff68c450b1f0

SHA256
79525d0ef65bb6453a2cc20c2bc83931af0dec9e3f1411842874d72c72055dd3

SHA512
b4a213b7b6e89b24fd660017641b42260f78e1ce070919313246b520ff92bcbc597f2c62a9bba619aa423ab3c84ebfd2ee271aaf5cb2f3838b1b27bbebd61c9f

Download Submit
\Users\Admin\AppData\Local\Temp\SFS1796.tmp

Filesize
71KB

MD5
bbaa39a7e5ddf9da25f1148f89a47c67

SHA1
9120facd0090add1f4525224e3a04d24ab81b4f6

SHA256
cb0a0a7b1ff1d492884739870be42caaad47b87b0c51a397efe27a6293751990

SHA512
fae603e5bde613571aa084082d7f8dba39ccffbd016c3da11403ea18f0e77428e465c5f77b22ed3febd31143c54affa61f93f83685a10a05f3875c77399699f8

Download Submit
memory/2844-35-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing