99ad497f9ad951007f3fbed95d7c75d501a89d2cc1741c07e1afdbd2738d95ef

General

Target

0b7cbd7f64875109ac079cfae581ca0b.exe
Size

1.6MB
MD5

0b7cbd7f64875109ac079cfae581ca0b
SHA1

ced48c53fba2db3dd288ebea0d7e35b835694c95
SHA256

99ad497f9ad951007f3fbed95d7c75d501a89d2cc1741c07e1afdbd2738d95ef
SHA512

b197fde08f2ccd320529c81c06637ab3284a02092ad300b543c6235563a681c963a6ed43283da98941b7a63a96e7c2b0aee56bbc4abdef040be52e7d9277ad68
SSDEEP

49152:L23drIn+jLHpwOtgWCjT3i2xPsO/nc//////3:C3drI+jLHiOtgWATZxJ/nc//////3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2264	sumwillmobilesearch.exe
3664	sumwillmobilesearch.tmp

Loads dropped DLL 20 IoCs

pid	Process
852	0b7cbd7f64875109ac079cfae581ca0b.exe
852	0b7cbd7f64875109ac079cfae581ca0b.exe
852	0b7cbd7f64875109ac079cfae581ca0b.exe
852	0b7cbd7f64875109ac079cfae581ca0b.exe
852	0b7cbd7f64875109ac079cfae581ca0b.exe
852	0b7cbd7f64875109ac079cfae581ca0b.exe
852	0b7cbd7f64875109ac079cfae581ca0b.exe
852	0b7cbd7f64875109ac079cfae581ca0b.exe
852	0b7cbd7f64875109ac079cfae581ca0b.exe
852	0b7cbd7f64875109ac079cfae581ca0b.exe
852	0b7cbd7f64875109ac079cfae581ca0b.exe
852	0b7cbd7f64875109ac079cfae581ca0b.exe
852	0b7cbd7f64875109ac079cfae581ca0b.exe
852	0b7cbd7f64875109ac079cfae581ca0b.exe
852	0b7cbd7f64875109ac079cfae581ca0b.exe
852	0b7cbd7f64875109ac079cfae581ca0b.exe
852	0b7cbd7f64875109ac079cfae581ca0b.exe
852	0b7cbd7f64875109ac079cfae581ca0b.exe
852	0b7cbd7f64875109ac079cfae581ca0b.exe
852	0b7cbd7f64875109ac079cfae581ca0b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 2264	852	0b7cbd7f64875109ac079cfae581ca0b.exe	93
PID 852 wrote to memory of 2264	852	0b7cbd7f64875109ac079cfae581ca0b.exe	93
PID 852 wrote to memory of 2264	852	0b7cbd7f64875109ac079cfae581ca0b.exe	93
PID 2264 wrote to memory of 3664	2264	sumwillmobilesearch.exe	97
PID 2264 wrote to memory of 3664	2264	sumwillmobilesearch.exe	97
PID 2264 wrote to memory of 3664	2264	sumwillmobilesearch.exe	97

C:\Users\Admin\AppData\Local\Temp\0b7cbd7f64875109ac079cfae581ca0b.exe
"C:\Users\Admin\AppData\Local\Temp\0b7cbd7f64875109ac079cfae581ca0b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Local\Temp\sumwillmobilesearch.exe
  C:\Users\Admin\AppData\Local\Temp\sumwillmobilesearch.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Local\Temp\is-T6I69.tmp\sumwillmobilesearch.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-T6I69.tmp\sumwillmobilesearch.tmp" /SL5="$6021A,1323320,52224,C:\Users\Admin\AppData\Local\Temp\sumwillmobilesearch.exe"
    3⤵
    - Executes dropped EXE
    PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-T6I69.tmp\sumwillmobilesearch.tmp

Filesize
291KB

MD5
1d8b64d9cd8653c53750af9f949c05f3

SHA1
b56139d54518408ca04dee18b0ecd618a8a1b876

SHA256
12c2e70e7f801abe996418a24bc1f13f40eecb725fa94ef61449c8aefeefd9ec

SHA512
73499dda6dffc652b62a7e1a81db552091cdfd20d3bb0cc1d686abda06d19937714782461cba8bcb3c61541dfa64c07831d13221e125f32b8b6bbc56b078694e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T6I69.tmp\sumwillmobilesearch.tmp

Filesize
132KB

MD5
aeb68f4addc98aba17ae377ddc9d12fa

SHA1
f569587a9f77e827ae05de8b455006b987467ea6

SHA256
7970b241c795985593623eb64907c7d52bc5a8151c3dae17ad6408d2a5bcb5eb

SHA512
0dafa478a5269100b7f93545e1d5282a83e69b6007ed186ba0ae48ead2b637ae7e0d8b3f2a48012bd6a1a843d8c7d1b4a8a03c63f7bca5e0e6ab9364e85c2e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgDFCD.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgDFCD.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sumwillmobilesearch.exe

Filesize
371KB

MD5
01ba192043157d9a0d434a8d34b60bff

SHA1
5dba0796bca51d39477df9c9227ffcda12c6d695

SHA256
210fb5aab2a8fe60ed53005b787b70b0541078cd345ade0320a180963736e298

SHA512
7f9d53f119f8394079fcbd6958af192b79bc400f20517849c6fc4d56257ed7dea253f478040a45c492bbeb0c8d72096b77363d173525db1e904b6888ac50e940

Download Submit
C:\Users\Admin\AppData\Local\Temp\sumwillmobilesearch.exe

Filesize
157KB

MD5
db3cba27de66ed746600cdd78f0e8d1e

SHA1
fd7872994013428bfa6504d42670f92121ccbc19

SHA256
8d2827027b2339fd3c1f66ea819910f2e0afd7f843dd418459790440a31e24f0

SHA512
8810c8f7014fbaef61a7eb9cdf26e8f2a9f6424b38e6ec7351f0a6f0116da9397d6648c49c29b17e3817a594ae3ad669c02363cc3906b2f4698b429cd15a722b

Download Submit
memory/2264-90-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2264-92-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2264-103-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3664-100-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/3664-104-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3664-107-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing