9b9610abf6af9e44e4f5ee5879c183f22d87216f6e6499566de737dd2ea87cb7

General

Target

1febacfbfcec17c8e5fa3d71299a5b40.exe
Size

13KB
MD5

1febacfbfcec17c8e5fa3d71299a5b40
SHA1

92728782034808a5b9ab680af3b42a62fed3dd9f
SHA256

9b9610abf6af9e44e4f5ee5879c183f22d87216f6e6499566de737dd2ea87cb7
SHA512

a70f9cefcd3b916fb197706a6f75272a0c8a6cd7eff68c09af9fdcb6a893cd43018ccb2dc93cb5b34ede4de1f0c7e22b466ac18be6353a09034e3737342c881e
SSDEEP

384:mQk/VhW3gh0QS8aKWhwAIDt5Cf30R1Ms0L:buW3g2rbhwAIRAfERr0L

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2924	Man.exe
2740	Man.exe

Loads dropped DLL 2 IoCs

pid	Process
456	1febacfbfcec17c8e5fa3d71299a5b40.exe
456	1febacfbfcec17c8e5fa3d71299a5b40.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	Man.exe
File opened (read-only)	\??\E:	Man.exe
File opened (read-only)	\??\G:	Man.exe
File opened (read-only)	\??\J:	Man.exe
File opened (read-only)	\??\K:	Man.exe
File opened (read-only)	\??\H:	Man.exe
File opened (read-only)	\??\I:	Man.exe
File opened (read-only)	\??\J:	Man.exe
File opened (read-only)	\??\E:	Man.exe
File opened (read-only)	\??\G:	Man.exe
File opened (read-only)	\??\I:	Man.exe
File opened (read-only)	\??\K:	Man.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Man.exe	1febacfbfcec17c8e5fa3d71299a5b40.exe
File created	C:\Windows\SysWOW64\note1.ini	1febacfbfcec17c8e5fa3d71299a5b40.exe
File created	C:\Windows\SysWOW64\Man.exe	Man.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2832	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
456	1febacfbfcec17c8e5fa3d71299a5b40.exe
2924	Man.exe
2924	Man.exe
2924	Man.exe
2924	Man.exe
2740	Man.exe
2924	Man.exe
2924	Man.exe
2740	Man.exe
2740	Man.exe
2740	Man.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2924	Man.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
456	1febacfbfcec17c8e5fa3d71299a5b40.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 2924	456	1febacfbfcec17c8e5fa3d71299a5b40.exe	28
PID 456 wrote to memory of 2924	456	1febacfbfcec17c8e5fa3d71299a5b40.exe	28
PID 456 wrote to memory of 2924	456	1febacfbfcec17c8e5fa3d71299a5b40.exe	28
PID 456 wrote to memory of 2924	456	1febacfbfcec17c8e5fa3d71299a5b40.exe	28
PID 2924 wrote to memory of 2872	2924	Man.exe	29
PID 2924 wrote to memory of 2872	2924	Man.exe	29
PID 2924 wrote to memory of 2872	2924	Man.exe	29
PID 2924 wrote to memory of 2872	2924	Man.exe	29
PID 456 wrote to memory of 2884	456	1febacfbfcec17c8e5fa3d71299a5b40.exe	33
PID 456 wrote to memory of 2884	456	1febacfbfcec17c8e5fa3d71299a5b40.exe	33
PID 456 wrote to memory of 2884	456	1febacfbfcec17c8e5fa3d71299a5b40.exe	33
PID 456 wrote to memory of 2884	456	1febacfbfcec17c8e5fa3d71299a5b40.exe	33
PID 2884 wrote to memory of 2832	2884	cmd.exe	31
PID 2884 wrote to memory of 2832	2884	cmd.exe	31
PID 2884 wrote to memory of 2832	2884	cmd.exe	31
PID 2884 wrote to memory of 2832	2884	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\1febacfbfcec17c8e5fa3d71299a5b40.exe
"C:\Users\Admin\AppData\Local\Temp\1febacfbfcec17c8e5fa3d71299a5b40.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:456
- C:\Windows\SysWOW64\Man.exe
  C:\Windows\system32\Man.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\Man.exe > nul
    3⤵
    PID:2872
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c echo ping 127.1 -n 3 >nul 2>nul >c:\2.bat&echo del C:\Windows\system32\1febacfbfcec17c8e5fa3d71299a5b40.exe>>c:\2.bat&echo del c:\2.bat>>c:\2.bat&c:\2.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2884

C:\Windows\SysWOW64\Man.exe
C:\Windows\SysWOW64\Man.exe
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2740

C:\Windows\SysWOW64\PING.EXE
ping 127.1 -n 3
1⤵
- Runs ping.exe
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2.bat

Filesize
94B

MD5
16fb09e6107760cdee4d8b1d69b3fd2a

SHA1
8c01e2cc4a2bd68d454d137d6f0c4ead97e80333

SHA256
467c239e2f0a3d1a911b8567acbde634707916d571c137e240f12f3709fa874b

SHA512
9c6a89b52792cf64a5e6d2fbd09d050b7811a63df50631911e270dec726368e813fa3259e0220893e14b3e129943960fbf3fbaf0b1ae9148b240c11de3a595b5

Download Submit
\Windows\SysWOW64\Man.exe

Filesize
6KB

MD5
4053bd9a82c13984fda6b82c45a207ab

SHA1
e2cdfbaeef7ab4293fa90d25647a5097882d7f59

SHA256
f92fa53cf3e48932c80c6ee29974be80af521ce31ae3e90d10b7fe58c36809a6

SHA512
93e57a79f3228172792d23f2af201859ad066dd16a274b0da51836add94d477b7f87f4cc586e1e9257543e1f4ecdb5b858344f637aee1be0231f2141d4d13caf

Download Submit
memory/456-14-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing