81753ba6374b2022a36f9a62c6b1df6fdc80f75e80dfff06dee05470714a2034

General

Target

0e898c8c40c28140a206e4864840de47.exe
Size

156KB
MD5

0e898c8c40c28140a206e4864840de47
SHA1

8c1d1a821a09247f3c161adc91fb203196aa4108
SHA256

81753ba6374b2022a36f9a62c6b1df6fdc80f75e80dfff06dee05470714a2034
SHA512

9522d389e706c05bd582d3729f614bafea21202ac0b674aef2e336a60b06abab89962706b543862c7595586bf96a5c9c49c4249324d48e25af6c57e37d85efef
SSDEEP

3072:jGgb/llkYABH5Gb2cBl6JW+WvmZ4KzLDdHPFuDa9ZV1F8ZqEJzmZt:jDboYABkbZoJW+W+6KnDdH9u2d1F8Mo0

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Irmon\Parameters\ServiceDll = "%SystemRoot%\\system32\\0e898c8c40c28140a206e4864840de47.dll"	rundll32.exe

Deletes itself 1 IoCs

pid	Process
2764	cmd.exe

Loads dropped DLL 5 IoCs

pid	Process
2708	rundll32.exe
2708	rundll32.exe
2708	rundll32.exe
2708	rundll32.exe
2584	svchost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xinstall.log	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\xinstall.log	svchost.exe
File opened for modification	C:\Windows\SysWOW64\0e898c8c40c28140a206e4864840de47.dll	0e898c8c40c28140a206e4864840de47.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2708	rundll32.exe
2584	svchost.exe
2584	svchost.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 3044	1800	0e898c8c40c28140a206e4864840de47.exe	28
PID 1800 wrote to memory of 3044	1800	0e898c8c40c28140a206e4864840de47.exe	28
PID 1800 wrote to memory of 3044	1800	0e898c8c40c28140a206e4864840de47.exe	28
PID 1800 wrote to memory of 3044	1800	0e898c8c40c28140a206e4864840de47.exe	28
PID 1800 wrote to memory of 3044	1800	0e898c8c40c28140a206e4864840de47.exe	28
PID 1800 wrote to memory of 3044	1800	0e898c8c40c28140a206e4864840de47.exe	28
PID 1800 wrote to memory of 3044	1800	0e898c8c40c28140a206e4864840de47.exe	28
PID 1800 wrote to memory of 2764	1800	0e898c8c40c28140a206e4864840de47.exe	30
PID 1800 wrote to memory of 2764	1800	0e898c8c40c28140a206e4864840de47.exe	30
PID 1800 wrote to memory of 2764	1800	0e898c8c40c28140a206e4864840de47.exe	30
PID 1800 wrote to memory of 2764	1800	0e898c8c40c28140a206e4864840de47.exe	30
PID 2764 wrote to memory of 2676	2764	cmd.exe	33
PID 2764 wrote to memory of 2676	2764	cmd.exe	33
PID 2764 wrote to memory of 2676	2764	cmd.exe	33
PID 2764 wrote to memory of 2676	2764	cmd.exe	33
PID 3044 wrote to memory of 2708	3044	cmd.exe	32
PID 3044 wrote to memory of 2708	3044	cmd.exe	32
PID 3044 wrote to memory of 2708	3044	cmd.exe	32
PID 3044 wrote to memory of 2708	3044	cmd.exe	32
PID 3044 wrote to memory of 2708	3044	cmd.exe	32
PID 3044 wrote to memory of 2708	3044	cmd.exe	32
PID 3044 wrote to memory of 2708	3044	cmd.exe	32

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2676	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0e898c8c40c28140a206e4864840de47.exe
"C:\Users\Admin\AppData\Local\Temp\0e898c8c40c28140a206e4864840de47.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\259398056_install.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 C:\Windows\system32\0e898c8c40c28140a206e4864840de47.dll,InstallSA Irmon Microsoft IR Monitor Services
    3⤵
    - Sets DLL path for service in the registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\\259398197_selfdel.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h "C:\Users\Admin\AppData\Local\Temp\0e898c8c40c28140a206e4864840de47.exe"
    3⤵
    - Views/modifies file attributes
    PID:2676

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259398056_install.bat

Filesize
126B

MD5
0a03ee682aecaec6ae50c6e5ea332a03

SHA1
1c6a3c013ca4a08d595e0b5d5b84476141ede0c1

SHA256
3b293a7111211ae4a34a08b7bf71ef1e7065f995726951e80dcfda7e21d610c8

SHA512
d8c63f6ff687f20f3b6d5faaab5b16d14cc66d027b5bfd4b26ff825d613c981704949738a9894ab665412e891f1014eb6809240f052ddd16f1f36d666b8b2890

Download Submit
C:\Users\Admin\AppData\Local\Temp\259398197_selfdel.bat

Filesize
304B

MD5
dde5f2474e4deb6804e0451933f1a7fa

SHA1
10add5e4333270b70718dc557eb6bbcc7b85fa47

SHA256
e4d3a689884f4d58fc9d20a3170f79f4cffc7609aca574d7c1bcfffa40ab46be

SHA512
e177316a07e2f64d78f2e71c7acee04ffe8a6df32c91b2f0d1fe184fc5297573baf9bb67f94374853b6cde7faffe62c7536b41155e738795e5dd8566115b3272

Download Submit
C:\Windows\SysWOW64\0e898c8c40c28140a206e4864840de47.dll

Filesize
128KB

MD5
4fe5af91cc77138ba6fd85d1cc16764d

SHA1
1c342a2eeb82d9d87642bd8f1bcfc1e7fb658ecb

SHA256
314180ea723588c4cd777c80d4dcf863abc9c085f695c06cbbd23998283bde41

SHA512
30443683c355eba001e24703e385e778843726d29480008e14c20958d77b4de7976ae23e491b0a927e90b9607a332e1bd5e786e60f9d2e31f1bf4d9b347dc9ae

Download Submit
C:\Windows\SysWOW64\xinstall.log

Filesize
210B

MD5
488c7fd383f4e7a943ca4862189e7bd4

SHA1
b573b070d38618e2d25c60afc36101fabffac09a

SHA256
9335a464cd7415d5cad08f7a1954da23645569861d2d330f21e7d23e948b4a7f

SHA512
9de3f6fd243ccaafc760ed8cd88adb100283fa657bc14f5fba4cedb7b7e9d9624ff2fc30c4cee9c3280b9bba8cce8467ceffd3fbd8b25db2d0c5732bb50bd834

Download Submit
\Windows\SysWOW64\0e898c8c40c28140a206e4864840de47.dll

Filesize
64KB

MD5
9f22ea7e644186da905894567703b808

SHA1
0581e5233ade4d0de2985d0c82da252839bef38f

SHA256
cb1f3c7df7a68cbe58d684242be8b0ebb9473834f90e9936debbde04696cc363

SHA512
0d52c34a3d02c2bcf4ff4da2c15e73d52a4b6a1fc2ca07492080402c9cd1e8e9801a7eb104f6c58fbf146a340564b08b3a64b3b60d2f1a60ba0b647e398a0b01

Download Submit
\Windows\SysWOW64\0e898c8c40c28140a206e4864840de47.dll

Filesize
42KB

MD5
8622a648226e1d0829b15830ffccaf97

SHA1
a51044405eaf2b853387feaf2e2c5b5179af671a

SHA256
3ea33963d7c97d3bf7ba13393953562dc2d2b65fc1ad25185fa075c7bcd262d1

SHA512
a07af453877ecf3d236e93f650833024168d6773d70b849be7c33f95bce04764a5fa2c4e9d4e1c477447ce15a5f616e9bd88cd95c6a2357e0f09f4d6f1d68ab9

Download Submit
\Windows\SysWOW64\0e898c8c40c28140a206e4864840de47.dll

Filesize
19KB

MD5
e3ae0cb0df01e7e30952339e4009ce38

SHA1
6c22ca099cd7cacb0bf3572be06e6e6fdce18276

SHA256
6528cbb6bf51d9bfee0911b9d41ac1f0aaf9c8605dff8fe0399170fa2e6fa2d7

SHA512
588c84c99f70e5031b10d5f782d61485fc7516b930946c859814b93fa1c296d459e302b159849c74e6f4c8a2cff4856595c684157b3f6e3d6e3025b1dec7e0bb

Download Submit
\Windows\SysWOW64\0e898c8c40c28140a206e4864840de47.dll

Filesize
146KB

MD5
2eab769d4b859e7bff25401ea0758e6f

SHA1
f6c1258a7cae2ea7506c064ab81ecebd397d0062

SHA256
e9dcedadb33cca6fe48a3ba21fd9f17c25d32b44e76c1bee24525d6046616a13

SHA512
78faf2183b3cc64f85ef50f9dc375a5c8ad061d0674cb65f076b985d1721f78d79f52cabbdf6dab3d6be9b08e2f381c1bbfe84ca7063b49f16c5eab09355428b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads