f7eb566c8dba25f863d1ed6362f340c414d9fbc13e65cdc409cdec2fbe999c72

General

Target

13c7e7540119ceab13ffb761a203c95c.exe
Size

43KB
MD5

13c7e7540119ceab13ffb761a203c95c
SHA1

3fa8617fadcde28421c97477367e605fddaeadbe
SHA256

f7eb566c8dba25f863d1ed6362f340c414d9fbc13e65cdc409cdec2fbe999c72
SHA512

fabaf66fd5833a4f76fa89e6d995bcb4d85f0e9c1ec0dbea22d85619e60f058f80c1d0375e31b25e613d6ea16d3da7bbff1e15d24078c8ca32c8a8a5e52baea7
SSDEEP

768:Oiexq+QTQe7u3SAjofZ6im+1YAs8C2oMJHH52BrpPVVf5FLNGPw6e:Jexq+QTQpCAMAihiAssJ5+tLRFEw

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\services.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\services.exe	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2208	tpt-0xFFFFFF.tmp.exe
2680	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2208	tpt-0xFFFFFF.tmp.exe
2208	tpt-0xFFFFFF.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2208	1700	13c7e7540119ceab13ffb761a203c95c.exe	19
PID 1700 wrote to memory of 2208	1700	13c7e7540119ceab13ffb761a203c95c.exe	19
PID 1700 wrote to memory of 2208	1700	13c7e7540119ceab13ffb761a203c95c.exe	19
PID 1700 wrote to memory of 2208	1700	13c7e7540119ceab13ffb761a203c95c.exe	19
PID 2208 wrote to memory of 2388	2208	tpt-0xFFFFFF.tmp.exe	18
PID 2208 wrote to memory of 2388	2208	tpt-0xFFFFFF.tmp.exe	18
PID 2208 wrote to memory of 2388	2208	tpt-0xFFFFFF.tmp.exe	18
PID 2208 wrote to memory of 2388	2208	tpt-0xFFFFFF.tmp.exe	18
PID 2208 wrote to memory of 2964	2208	tpt-0xFFFFFF.tmp.exe	32
PID 2208 wrote to memory of 2964	2208	tpt-0xFFFFFF.tmp.exe	32
PID 2208 wrote to memory of 2964	2208	tpt-0xFFFFFF.tmp.exe	32
PID 2208 wrote to memory of 2964	2208	tpt-0xFFFFFF.tmp.exe	32
PID 2208 wrote to memory of 2680	2208	tpt-0xFFFFFF.tmp.exe	35
PID 2208 wrote to memory of 2680	2208	tpt-0xFFFFFF.tmp.exe	35
PID 2208 wrote to memory of 2680	2208	tpt-0xFFFFFF.tmp.exe	35
PID 2208 wrote to memory of 2680	2208	tpt-0xFFFFFF.tmp.exe	35
PID 2680 wrote to memory of 2976	2680	services.exe	34
PID 2680 wrote to memory of 2976	2680	services.exe	34
PID 2680 wrote to memory of 2976	2680	services.exe	34
PID 2680 wrote to memory of 2976	2680	services.exe	34

C:\Users\Admin\AppData\Local\Temp\13c7e7540119ceab13ffb761a203c95c.exe
"C:\Users\Admin\AppData\Local\Temp\13c7e7540119ceab13ffb761a203c95c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1700
- C:\tpt-0xFFFFFF.tmp.exe
  C:\tpt-0xFFFFFF.tmp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\tpt-0xFFFFFF.tmp.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\services.exe"
    3⤵
    - Drops startup file
    PID:2964
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\services.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\services.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\tpt-0xFFFFFF.tmp.exe" "C:\temp1579.tmp"
1⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\services.exe" "C:\temp1089.tmp"
1⤵
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\services.exe

Filesize
3KB

MD5
213c5c01614c25458baf6f0354a833df

SHA1
f883813bfa20f95b33652875f7c57a2a28b423b6

SHA256
3f6c806696ff5cd255af34fb4d71d851a583e3a22351f3467e985005aaa5a432

SHA512
0582aa9d69da3f3679d28ae4c17d01e3cbc6d52541e8677c2a86a3fc266e4aa6379c0e435a1ac5fe4f5a3c09837e9576fe7b2d2b7f9fc907e80158f056c2f473

Download Submit
C:\tpt-0xFFFFFF.tmp.exe

Filesize
26KB

MD5
ae902d533a5d0a77c02255e1f42e383a

SHA1
8928280620a36dc663163bc928250c086d5dd73e

SHA256
fd8b88eb2389e8e5e25d25ac069b7773c50b623518d588762552f2a9a142a962

SHA512
5e85007ed4cb045c89a58dd4f4b0176077061703335e762355bd056f0d18a1a97da37e05a327b95c05fcd82e6ebdb82637adf2b185a1ccab17cb46a0ee3f248c

Download Submit
memory/1700-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2208-19-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2680-27-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2680-30-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2680-25-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2680-26-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2680-23-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2680-28-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2680-29-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2680-24-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2680-31-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2680-32-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2680-33-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2680-34-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2680-35-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2680-36-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing