8ee72c4a1981f5515f8d7284b55d21196b0ad040ca7dbde7c3f2d3569849974b

General

Target

0c3905fdf1ac38aefadd9297cec103ae.exe
Size

2.6MB
MD5

0c3905fdf1ac38aefadd9297cec103ae
SHA1

ce89a6d7925cffe965fb8e6315a039589532162c
SHA256

8ee72c4a1981f5515f8d7284b55d21196b0ad040ca7dbde7c3f2d3569849974b
SHA512

84139f27009bdef836fd883d9c66d41092527863f9ef494314a5f09b6f79c2865659d71a51d9dced5644d110b2f04178b5928c8887bfabe2ebcfda236f900782
SSDEEP

49152:oDy796EvMtTx435MtV+On5vMNbcwO6m2zGKYraTh+ZTOdFrxviiBI1ro:f7AEvgVOA5WbcoHzGlr8h+5q4id

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2372	0c3905fdf1ac38aefadd9297cec103ae.tmp
2544	WMF.exe

Loads dropped DLL 5 IoCs

pid	Process
2232	0c3905fdf1ac38aefadd9297cec103ae.exe
2372	0c3905fdf1ac38aefadd9297cec103ae.tmp
2372	0c3905fdf1ac38aefadd9297cec103ae.tmp
2372	0c3905fdf1ac38aefadd9297cec103ae.tmp
2372	0c3905fdf1ac38aefadd9297cec103ae.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2544	WMF.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2372	2232	0c3905fdf1ac38aefadd9297cec103ae.exe	28
PID 2232 wrote to memory of 2372	2232	0c3905fdf1ac38aefadd9297cec103ae.exe	28
PID 2232 wrote to memory of 2372	2232	0c3905fdf1ac38aefadd9297cec103ae.exe	28
PID 2232 wrote to memory of 2372	2232	0c3905fdf1ac38aefadd9297cec103ae.exe	28
PID 2232 wrote to memory of 2372	2232	0c3905fdf1ac38aefadd9297cec103ae.exe	28
PID 2232 wrote to memory of 2372	2232	0c3905fdf1ac38aefadd9297cec103ae.exe	28
PID 2232 wrote to memory of 2372	2232	0c3905fdf1ac38aefadd9297cec103ae.exe	28
PID 2372 wrote to memory of 2544	2372	0c3905fdf1ac38aefadd9297cec103ae.tmp	29
PID 2372 wrote to memory of 2544	2372	0c3905fdf1ac38aefadd9297cec103ae.tmp	29
PID 2372 wrote to memory of 2544	2372	0c3905fdf1ac38aefadd9297cec103ae.tmp	29
PID 2372 wrote to memory of 2544	2372	0c3905fdf1ac38aefadd9297cec103ae.tmp	29

C:\Users\Admin\AppData\Local\Temp\0c3905fdf1ac38aefadd9297cec103ae.exe
"C:\Users\Admin\AppData\Local\Temp\0c3905fdf1ac38aefadd9297cec103ae.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\is-TJJ0J.tmp\0c3905fdf1ac38aefadd9297cec103ae.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TJJ0J.tmp\0c3905fdf1ac38aefadd9297cec103ae.tmp" /SL5="$4014C,2357949,153088,C:\Users\Admin\AppData\Local\Temp\0c3905fdf1ac38aefadd9297cec103ae.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\is-HOLBA.tmp\WMF.exe
    "C:\Users\Admin\AppData\Local\Temp\is-HOLBA.tmp\WMF.exe" /aid=143 /sub=203 /sid=47 /name="Xilisoft-iphone-video-converter-6_keymaker.rar" /fid= /stats=Xjch5psonlXUTDjbav1LJqCBu4f4yAQnXP6mSB1HojFRt6wCbdjPbxq6mUlssHHzhN/c5mCAk1F/i85tDwP8vQ== /param=0
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-HOLBA.tmp\WMF.exe

Filesize
92KB

MD5
8174589b8f731914d631cbf61fa4a829

SHA1
5082140c68d95e01f14bbb69d886ac37e8f53c14

SHA256
4e6b8e3705cf9f0d586cd5cdc8c16756e47ec7af65b2f40e000cff45fb97c576

SHA512
59ad94fe4f7f88e5c4f62fe1a2d81c2f3510ec5ce2198ca0bbb73f4ecee566f114d045200ad5de2e04c25574890f83a32cea23d91455f8b5df143580f3573671

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HOLBA.tmp\default.xml

Filesize
2KB

MD5
4c219b78a305d3e52c811542154bb224

SHA1
7efe3e383b29c808cfb3ad0fd90d627ea7b2b2bf

SHA256
a0dbdc08f771e32a5ef06f47b436afb270e860578971a974db0c34c0c1366a7c

SHA512
bced9584568b011c0b2013e48d6b9503f77b01c57e2049722326a40363ce42c533e590c4583cf0cf3a5391f3208db8135b5afdc27ae7359af3ded66b11e628b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TJJ0J.tmp\0c3905fdf1ac38aefadd9297cec103ae.tmp

Filesize
894KB

MD5
88a1064b33ea3c0fb5bcf8d4c1a22d7a

SHA1
f0167c5f50417784838f4f0024cc499cf782a3dc

SHA256
193be7574edf5cc85f529d9e02fdcc4b0dc79f3c72e19eaae320ffdc5e5b1c79

SHA512
1fa3bf627888466191f7e89daa02b8eb3ca4b7e8113192b3c47d7a983010064e48e2b2ae08a991b6ce6ea93018e16b499e78f7f4fef721e0337b39715b888732

Download Submit
\Users\Admin\AppData\Local\Temp\is-HOLBA.tmp\WMF.exe

Filesize
1.1MB

MD5
db9f9152542ba64310fa9280269e81ff

SHA1
583ea84af48c84d06291bcb429a57b720d0c8072

SHA256
3e91d743b762f4d1f5feb11242f1b536fb5591ab235238f1422af527ec4d7259

SHA512
4de0e5d7f5451d210eeac6e3f18e84d43229901d92befd30df2a5e831ce47b9e7fb7afdfdad56bd886e7efe5d55d832c8f806b8c97d3af7ff14c91244550e380

Download Submit
\Users\Admin\AppData\Local\Temp\is-HOLBA.tmp\WMF.exe

Filesize
382KB

MD5
010829ebbc9733de54f7d96401a8313c

SHA1
95f7455e7efec601cd0cd4a867ba17082f0d16c6

SHA256
d6fefad79c38996e4a2b3305b9d8fee428e55f966cd14fefd4c8a2fe2d97c375

SHA512
3fa693f57c98115739b1db98fd11c81fc7009f7f2a0117ac3180d7e5ac1400b39de513e1d882e4416e43af8605273f1d82ccea08b5f711e15676291edc0d1d9d

Download Submit
\Users\Admin\AppData\Local\Temp\is-HOLBA.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-TJJ0J.tmp\0c3905fdf1ac38aefadd9297cec103ae.tmp

Filesize
1.1MB

MD5
8811a0652c18dbcf68955f99df537eb8

SHA1
70cff6c43c0f873295dc085018639dff02f33012

SHA256
d69f51e65e3944891ec9c392b3d7410d81f8f93e55b9071584bfd1d384862230

SHA512
ed2ff6cfe272a8ae260233a1bb653adc0eaae13388418a9dea692b9924999d89b8677b8669fa24dcb0c606cfca7045bef779e1c58547f3f17d5096cbbe31d60a

Download Submit
memory/2232-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2232-41-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2372-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2372-42-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2544-43-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download
memory/2544-39-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2544-46-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download
memory/2544-47-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing