9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40

General

Target

9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
Size

3.8MB
MD5

ccbdd3a8a4f98168a18af59cb23b730f
SHA1

45053d4273e4f402e66037baa1346f4764450450
SHA256

9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40
SHA512

76ac61f3ed0134f46b99ad3bbd93939cd5b56da7ab5e973a3f21e6b3eea6c3b4fd45a28b7a1ae676cbb5a0ba32d42cf8531f74e950c14047de6a714c1385c34f
SSDEEP

98304:Sg56c9Ag8GvhGx4WcNXDgHsnB+3A9exe1mkni:557WgP+4TNzzY3A9e6mUi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
116	7z.exe

Loads dropped DLL 1 IoCs

pid	Process
116	7z.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\a:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\j:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\q:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\r:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\v:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\p:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\u:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\k:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\n:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\o:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\w:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\x:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\b:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\g:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\h:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\l:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\s:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\f:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\e:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\i:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\m:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\z:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\d:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\E:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\t:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened (read-only)	\??\y:	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\CIMV2	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\AVCIKYMG\root\cimv2	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4064	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4064	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 116	4064	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe	28
PID 4064 wrote to memory of 116	4064	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe	28
PID 4064 wrote to memory of 116	4064	9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe	28

C:\Users\Admin\AppData\Local\Temp\9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe
"C:\Users\Admin\AppData\Local\Temp\9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe"
1⤵
- Enumerates connected drives
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Users\Admin\AppData\Local\Temp\xh_yevvifj\7z.exe
  C:\Users\Admin\AppData\Local\Temp\xh_yevvifj.\7z.exe x "C:\Users\Admin\AppData\Local\Temp\9e851bbbbaa7d7ea2d3c7c18f38fc5c600c8b2d6829d49d9c4f17b86bd355b40.exe" -y -o"C:\Users\Admin\AppData\Local\Temp\xh_yevvifj."
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xh_yevvifj\7z.dll

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_yevvifj\7z.dll

Filesize
381KB

MD5
cd3cde46ea122377c1cabbd26209893b

SHA1
1a1a43efae07e02246188aa78acaf6b8268352c0

SHA256
2c5c1f7e0a3754858e1a3760a3794025f32c78b249a7a9bc5b21e4631d031e39

SHA512
f3f386313947ddae878676468a938c931f7d35f9cb2455d32d3a6a3b5403a46384f36c020f82006248ef8656ab19bf272c7d3741d9232b7c04c7968414ea8ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_yevvifj\7z.exe

Filesize
168KB

MD5
ff7a6f30a05959c05ca54d47bebb28b8

SHA1
9c4530f824314ba36c42f94810b408c74ab8b0e8

SHA256
29717709356c1c1c28339d80c97f202ab00d2d42b7e16296e5e7456056b7bb84

SHA512
bf2a8c86ed9d467ba400bd7b89a86e8a38f0b62be5625a834d8776443a6f670666db017d6927b6f0c17bed9b7065fd04e7b28af5eceeb4a21b47d7a31007e7df

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_yevvifj\images\1_Mode1_3.jpg

Filesize
23KB

MD5
8088423b4258d2fd19da275db2d26007

SHA1
2c938c9b707835d9e04e3e56ce7d128e01b0e04f

SHA256
2c48d3d3394e262433e28204badc3ef0d8e319320ad2352c2363be41056b9bd3

SHA512
0410be745ba8f4db775d9894a23e2745d4081b8b49e6f638757533a2f611a370430d7bfadd078c2ce89b50257627d6c41178e38076819b6a90a3453c205893d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_yevvifj\images\Min_1.jpg

Filesize
594B

MD5
705cefcd90e95ab5db12e9c26bc15bf2

SHA1
1bcad5cd141b4cac8257c5afe8de038b5b5b4272

SHA256
39e5f28be2efdf027b07e6e9dd35e32d7794fc239dc3a7571e7b8caed4997bf8

SHA512
49a375165bfc02469ea272628947dce58de1eca1945692d07ead13344de47c2d1b830a1efec90494c4713e03a00b4975efd687951bfdd04f30fb70ad6d150ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_yevvifj\images\bg.jpg

Filesize
32KB

MD5
16264de8792d0f674ea0e81574bd0c1e

SHA1
eb3394a05292881e9e1d544aa3e66168b809eb65

SHA256
16f39d0e75df77b08ce2a8d5bb104ac3e7d9edd9fc8b88ac188d6c001a5c7c22

SHA512
25492ed0712ac31e06aa6fdc60bda466fddc852b20b3dd1f2e2ce2f348da47ab9a75ea1e2d02ef6fc20db4a92a9951e7c5c293a41672ef660d7e8e480a042d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh_yevvifj\images\help1.jpg

Filesize
9KB

MD5
8ba72623b8aac1b3a0786a5ec38dd352

SHA1
ac87db4c0bb35c0be95f523d565557b6bf0ca6b4

SHA256
f4a008532daa46ac2b78a0e300efc89c447f7bcd05a1e2929803a7310549852e

SHA512
cba1a816eb76b883f64db0c99933a672d7f318ad514a22bbd1589a6880bb5f908d1fe99e15ab71faea4d6920f6d253f5614034b1872cc4e3554d8e7b29951f1d

Download Submit
memory/4064-79-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download
memory/4064-500-0x0000000003F00000-0x0000000004300000-memory.dmp

Filesize
4.0MB

Download
memory/4064-503-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/4064-504-0x0000000008E80000-0x0000000008EEF000-memory.dmp

Filesize
444KB

Download
memory/4064-502-0x0000000008670000-0x0000000008671000-memory.dmp

Filesize
4KB

Download
memory/4064-501-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/4064-505-0x00000000085C0000-0x00000000085C1000-memory.dmp

Filesize
4KB

Download
memory/4064-859-0x0000000003F00000-0x0000000004300000-memory.dmp

Filesize
4.0MB

Download
memory/4064-860-0x0000000008E80000-0x0000000008EEF000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing