db5281548b372ec5caaa911c1dc32a29234d19e3ab5761895a0d4e1dc85c3e2f

General

Target

0a91fc538517d83a23eaea041420dda5.exe
Size

3.4MB
MD5

0a91fc538517d83a23eaea041420dda5
SHA1

b93fafe10bd5d1b6d634676e5d0a441fc321d2e6
SHA256

db5281548b372ec5caaa911c1dc32a29234d19e3ab5761895a0d4e1dc85c3e2f
SHA512

79d4dfad493f27876bbfa11df000b8cb2544fa5e690cf225ed4154e849bfc24d8b44d3d203386825337a66a57b51dc87c8e725c6402e368cb1c2655dd144b2d1
SSDEEP

49152:QHQ+BBWZXrdqsSb+uSlYtZMM+UakLC5miuhoGntPfB8zF8QzwsXzC0YduCua8YHR:eQQqiI2hafAntuiQs90/ab5

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4MzmfuUEKJ7DESD7.exe	0a91fc538517d83a23eaea041420dda5.exe

Executes dropped EXE 2 IoCs

pid	Process
2904	4MzmfuUEKJ7DESD7.exe
2748	4MzmfuUEKJ7DESD7.exe

Loads dropped DLL 3 IoCs

pid	Process
2024	0a91fc538517d83a23eaea041420dda5.exe
2024	0a91fc538517d83a23eaea041420dda5.exe
2904	4MzmfuUEKJ7DESD7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2944	2564	WerFault.exe	32

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2748	4MzmfuUEKJ7DESD7.exe
2748	4MzmfuUEKJ7DESD7.exe
2748	4MzmfuUEKJ7DESD7.exe
2748	4MzmfuUEKJ7DESD7.exe
2748	4MzmfuUEKJ7DESD7.exe
2748	4MzmfuUEKJ7DESD7.exe
2748	4MzmfuUEKJ7DESD7.exe
2748	4MzmfuUEKJ7DESD7.exe
2748	4MzmfuUEKJ7DESD7.exe
2748	4MzmfuUEKJ7DESD7.exe
2748	4MzmfuUEKJ7DESD7.exe
2748	4MzmfuUEKJ7DESD7.exe
2748	4MzmfuUEKJ7DESD7.exe
2748	4MzmfuUEKJ7DESD7.exe
2748	4MzmfuUEKJ7DESD7.exe
2748	4MzmfuUEKJ7DESD7.exe
2748	4MzmfuUEKJ7DESD7.exe
2564	cmd.exe
2564	cmd.exe
2564	cmd.exe
2564	cmd.exe
2564	cmd.exe
2564	cmd.exe
2564	cmd.exe
2564	cmd.exe
2564	cmd.exe
2564	cmd.exe
2564	cmd.exe
2564	cmd.exe
2564	cmd.exe
2564	cmd.exe
2564	cmd.exe
2564	cmd.exe
2564	cmd.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2024	2040	0a91fc538517d83a23eaea041420dda5.exe	24
PID 2040 wrote to memory of 2024	2040	0a91fc538517d83a23eaea041420dda5.exe	24
PID 2040 wrote to memory of 2024	2040	0a91fc538517d83a23eaea041420dda5.exe	24
PID 2040 wrote to memory of 2024	2040	0a91fc538517d83a23eaea041420dda5.exe	24
PID 2024 wrote to memory of 2904	2024	0a91fc538517d83a23eaea041420dda5.exe	31
PID 2024 wrote to memory of 2904	2024	0a91fc538517d83a23eaea041420dda5.exe	31
PID 2024 wrote to memory of 2904	2024	0a91fc538517d83a23eaea041420dda5.exe	31
PID 2024 wrote to memory of 2904	2024	0a91fc538517d83a23eaea041420dda5.exe	31
PID 2904 wrote to memory of 2748	2904	4MzmfuUEKJ7DESD7.exe	30
PID 2904 wrote to memory of 2748	2904	4MzmfuUEKJ7DESD7.exe	30
PID 2904 wrote to memory of 2748	2904	4MzmfuUEKJ7DESD7.exe	30
PID 2904 wrote to memory of 2748	2904	4MzmfuUEKJ7DESD7.exe	30
PID 2748 wrote to memory of 2564	2748	4MzmfuUEKJ7DESD7.exe	32
PID 2748 wrote to memory of 2564	2748	4MzmfuUEKJ7DESD7.exe	32
PID 2748 wrote to memory of 2564	2748	4MzmfuUEKJ7DESD7.exe	32
PID 2748 wrote to memory of 2564	2748	4MzmfuUEKJ7DESD7.exe	32
PID 2748 wrote to memory of 2564	2748	4MzmfuUEKJ7DESD7.exe	32
PID 2748 wrote to memory of 2564	2748	4MzmfuUEKJ7DESD7.exe	32
PID 2564 wrote to memory of 2944	2564	cmd.exe	34
PID 2564 wrote to memory of 2944	2564	cmd.exe	34
PID 2564 wrote to memory of 2944	2564	cmd.exe	34
PID 2564 wrote to memory of 2944	2564	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\0a91fc538517d83a23eaea041420dda5.exe
"C:\Users\Admin\AppData\Local\Temp\0a91fc538517d83a23eaea041420dda5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\0a91fc538517d83a23eaea041420dda5.exe
  "C:\Users\Admin\AppData\Local\Temp\0a91fc538517d83a23eaea041420dda5.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4MzmfuUEKJ7DESD7.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4MzmfuUEKJ7DESD7.exe" "C:\Users\Admin\AppData\Local\Temp\0a91fc538517d83a23eaea041420dda5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2904

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4MzmfuUEKJ7DESD7.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4MzmfuUEKJ7DESD7.exe" "C:\Users\Admin\AppData\Local\Temp\0a91fc538517d83a23eaea041420dda5.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 288
    3⤵
    - Program crash
    PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4MzmfuUEKJ7DESD7.exe

Filesize
191KB

MD5
17032e29dc1a140d7a9aa004e32bf8ae

SHA1
5d9fccb52e6a3af658b85d3c03e30322d92edbb4

SHA256
1b1791f3a968f5629b4ed8b97c9350b7d39d30d36d7d9835db3b1db0bdce5e0b

SHA512
d9fc25daebd65a21396734e4ef207bd3a6c410088368044a25b702a7c3fb3e41794a574182504883ef9abe3d26530667041ab271c35bb3336c2487afddfad8c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4MzmfuUEKJ7DESD7.exe

Filesize
77KB

MD5
a85e246d851bd37704670ddcb60b8f97

SHA1
fa5ddf19342d36527dbd5efffe71cbef40fc87e1

SHA256
8ae3fb4f57a293666f229d977b170035fed5ceebf9a4b0d0342e230249150ae7

SHA512
e81a0ed0fa786af497364e1d9cf81fd63b3d64473be41647e50a12887347e79e723c793f8e527ea87a814e462cf85e2f2be83b0ae9f396a599485ee5e5df0ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4MzmfuUEKJ7DESD7.exe

Filesize
71KB

MD5
716ce192d11849b2f19936799de3ad65

SHA1
18cfeaeb04efeb8a8424f98390045eed4283ae59

SHA256
c5b3b59d22dc08919a7ea9fbc3dd59725c4cea0303f20df6294ba53b0e6da5b0

SHA512
8a24f3bf97bf566e3ba05433b40cd047825073b9411b4fb5319efd883300796e76fe1c08bde019a96cfe5dfe170131a6119adfe16d014ef9443d4fe23750eb49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4MzmfuUEKJ7DESD7.exe

Filesize
45KB

MD5
1025f24672c0e1a6a2e38e0223572e72

SHA1
bef820a8d06fd21f60d3d10019245a29ea1d6121

SHA256
1b2073a450e6e8ba8a18ba03fd437fa8e724bf02dd68674e99de56a91ea5b2ff

SHA512
ba36739d6aa494c045dd4ec4cea9f602342918e4d4e00455a9898991b3b8a5a9bbc50395df621dde4f0a8e61b80bcfc4a1984b4a45081ca71a1b28c040978aa9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4MzmfuUEKJ7DESD7.exe

Filesize
260KB

MD5
7c2738035f884d092562bb498021df43

SHA1
20719f7b86e053048e857086fba4161055279f80

SHA256
a70d8754d986ae4e66f242669fa65398ffb9a59a1f52eb960f2fb516df705ce1

SHA512
6aaa26c109b15183b6dc642da08fb2f60b4d4885b6f1573534774c992d8215510922c0f87b797477a61caaef29d967f6b3072b484972975ad9a5dc73c997a813

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4MzmfuUEKJ7DESD7.exe

Filesize
71KB

MD5
058518bf1ce90608c8c7f31439b90e27

SHA1
9211fa6e8bd6989ad340d40ab0aefc28a62a576e

SHA256
53576c408c8eff0bfc629af1a1063afb8a6db0e915c5010873651e92d5b7bd20

SHA512
0c249cab7cd4ebc98b95468e3bc8a4e01a6a4a1d4e34da408c78a56d001872571ff504513dedf18562db90c3bf1280fee92a23ea35862bcac4e0f16626323f5f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4MzmfuUEKJ7DESD7.exe

Filesize
75KB

MD5
d87593ce069c99745a198f9688b50d82

SHA1
68fbb7448e554cae98ad11a8ca4dda0b16d97a4b

SHA256
b1599ff86fa8574a141d516a58db0b7a561445d2c578ef1f7b29da8a81bd78c9

SHA512
cca3cdc49c2fecc58f152b7fa0f7e116b775ab6428a51d7c3c6da94c6ccfc627b49c38d19c1b0a79929022b45554bf0396d5c692276709487c045668e0aaca85

Download Submit
memory/2024-18-0x00000000023C0000-0x000000000245E000-memory.dmp

Filesize
632KB

Download
memory/2024-22-0x0000000005040000-0x000000000543E000-memory.dmp

Filesize
4.0MB

Download
memory/2024-5-0x00000000023C0000-0x000000000245E000-memory.dmp

Filesize
632KB

Download
memory/2024-4-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2024-1-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2040-2-0x0000000002160000-0x000000000255E000-memory.dmp

Filesize
4.0MB

Download
memory/2040-0-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2040-24-0x0000000002160000-0x000000000255E000-memory.dmp

Filesize
4.0MB

Download
memory/2564-94-0x0000000076FF0000-0x0000000076FF1000-memory.dmp

Filesize
4KB

Download
memory/2564-91-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2564-95-0x0000000076FD0000-0x0000000077150000-memory.dmp

Filesize
1.5MB

Download
memory/2564-96-0x0000000002E30000-0x0000000002ECE000-memory.dmp

Filesize
632KB

Download
memory/2564-93-0x0000000002E30000-0x0000000002ECE000-memory.dmp

Filesize
632KB

Download
memory/2564-31-0x00000000006E0000-0x0000000001332000-memory.dmp

Filesize
12.3MB

Download
memory/2564-35-0x00000000002B0000-0x0000000000349000-memory.dmp

Filesize
612KB

Download
memory/2564-90-0x0000000076FF0000-0x0000000076FF1000-memory.dmp

Filesize
4KB

Download
memory/2564-40-0x0000000002E30000-0x0000000002ECE000-memory.dmp

Filesize
632KB

Download
memory/2564-39-0x0000000076FD0000-0x0000000077150000-memory.dmp

Filesize
1.5MB

Download
memory/2564-92-0x0000000002E30000-0x0000000002ECE000-memory.dmp

Filesize
632KB

Download
memory/2564-33-0x00000000002B0000-0x0000000000349000-memory.dmp

Filesize
612KB

Download
memory/2564-97-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2748-28-0x0000000076FF0000-0x0000000076FF1000-memory.dmp

Filesize
4KB

Download
memory/2748-36-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2748-37-0x0000000000800000-0x000000000089E000-memory.dmp

Filesize
632KB

Download
memory/2748-29-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2748-30-0x0000000076FF0000-0x0000000076FF1000-memory.dmp

Filesize
4KB

Download
memory/2748-27-0x0000000000800000-0x000000000089E000-memory.dmp

Filesize
632KB

Download
memory/2904-23-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2904-25-0x00000000020B0000-0x00000000024AE000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing