10f84706893f0ec21e07a943b2d397e0f1e9ab8ff45855c2facfdc8f90647a4c

General

Target

155eddde9edd18e1673f95febf4e9db8.exe
Size

165KB
MD5

155eddde9edd18e1673f95febf4e9db8
SHA1

020a3bce09e03b061de37ffd2187a81e3553b547
SHA256

10f84706893f0ec21e07a943b2d397e0f1e9ab8ff45855c2facfdc8f90647a4c
SHA512

b3a150c107157928a31593237b807f21758c404af543c0e3d4eeba4ea7537d579504409a0494a50f7b39a49a885383448482a0e45b32db282d013ac8f8179424
SSDEEP

3072:a4HCWau/PlYeuL7ZLFh6Ca6cbL9l2hzB3fJCC6j8+Er6ez4:hiI/PlY37ZLF4Ca6WABqBOvs

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2740	ins8155.exe

Loads dropped DLL 4 IoCs

pid	Process
1768	155eddde9edd18e1673f95febf4e9db8.exe
1768	155eddde9edd18e1673f95febf4e9db8.exe
1768	155eddde9edd18e1673f95febf4e9db8.exe
1768	155eddde9edd18e1673f95febf4e9db8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2740	ins8155.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	ins8155.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2740	ins8155.exe
2740	ins8155.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 2740	1768	155eddde9edd18e1673f95febf4e9db8.exe	28
PID 1768 wrote to memory of 2740	1768	155eddde9edd18e1673f95febf4e9db8.exe	28
PID 1768 wrote to memory of 2740	1768	155eddde9edd18e1673f95febf4e9db8.exe	28
PID 1768 wrote to memory of 2740	1768	155eddde9edd18e1673f95febf4e9db8.exe	28
PID 1768 wrote to memory of 2740	1768	155eddde9edd18e1673f95febf4e9db8.exe	28
PID 1768 wrote to memory of 2740	1768	155eddde9edd18e1673f95febf4e9db8.exe	28
PID 1768 wrote to memory of 2740	1768	155eddde9edd18e1673f95febf4e9db8.exe	28

C:\Users\Admin\AppData\Local\Temp\155eddde9edd18e1673f95febf4e9db8.exe
"C:\Users\Admin\AppData\Local\Temp\155eddde9edd18e1673f95febf4e9db8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\ins8155\ins8155.exe
  "C:\Users\Admin\AppData\Local\Temp\ins8155\ins8155.exe" ins.exe /t102bead80207efe2c1ad8b6414f0f5 /e10803481 /u24fcfd1d-162d-11e3-bc49-80c16e6f498c
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ins8155\ins8155.exe

Filesize
42KB

MD5
f1c85ea6779e4220c0cbeef4827308a4

SHA1
fbca387a3f7d28c9f4396a6ee255436a728bea88

SHA256
10542579a1ded1a3a9584e997fa6e06ecc5fcecf0f36d2469576c7b7a3c19b01

SHA512
9e5bfa9b6a639c9e7d8b876ede9e7925e8f3516a2f2218af6e8103a0070e027ed67520f4c88b0641cecb7961135ca1c1ad5f7a219be4912e7b5a0ad9934254fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ins8155\ins8155.exe

Filesize
52KB

MD5
4f5f848ff827e2d6b72bf46b3e061c25

SHA1
fb668e9ba6bfd359fa44712957e59666af1a567a

SHA256
8bd73cd941d4d3f2610a28b81d6c114a741926a212222eb3aeb5d6227b958c7e

SHA512
32489adf3341cfdea1f206e85435b9c344e59dffdba93f2916dfd68779049306b799b972dbb3417f84b0db9f8031c34c7a566cf87f2629e648b1c4bce75b39ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ins8155\ins8155.exe

Filesize
54KB

MD5
e06d83aa969f2db0adbeeeeb7597d425

SHA1
fee36283e52364c9820f4f5b229e9e9d77b31825

SHA256
ed843c112c88605e29c9e0d3573b3a4086a5d6fa23832eebb004f0b281939301

SHA512
36a77fc5c312bd3451de8ffd150ce2852afd2b526ab9484b39f0430c504b53738d7cdf723b54462ca49b575a903386a018b6c2c5b0e11e515a092517171ef97a

Download Submit
\Users\Admin\AppData\Local\Temp\ins8155\ins8155.exe

Filesize
78KB

MD5
889c17f951b37971d6987173bfcb38ac

SHA1
2b5e495d263813627d0a7d8109f902fd7907d9f2

SHA256
7cfed11b6cfc5faa3be7976923bd953f9c169919388b316de220aeff37266648

SHA512
d7cb1a6d0c4804fd4a21e7c70b689275a8ef28bfcd7917d5eba9b0e56b8fadadbca370883469877e648df42ab8ab5d89ac1619d7695abb43a77ddedbeb899824

Download Submit
\Users\Admin\AppData\Local\Temp\ins8155\ins8155.exe

Filesize
18KB

MD5
4871fa3e60cff1e5a9ea056e83efd590

SHA1
afb8443f91df78f5fb655852a88d6ab04c273e9e

SHA256
a766dda78c82292ca576bd553fb2f147d4047c75a50b81048b3c41e5ea2ff14b

SHA512
827fff44e79d5d920dd803f38f6ce18469660496af25994c34b9af1d5a41373fd0598c3b16de1399458e4a2881e6cfccd7b80ce2b724eff2fc23d62ae70cdf30

Download Submit
\Users\Admin\AppData\Local\Temp\ins8155\ins8155.exe

Filesize
23KB

MD5
3f52d70078b6da1d37e748255f7f368c

SHA1
c79ca87041acb10e62c7a71a9bd32decbe6204a7

SHA256
ff0e5ab4e93261cb32665d6fe0f600ea28025571c6f32ccfaddb04e8d2999285

SHA512
6f0a1f62e9317611e422523928c39df1671334a742822c2219e6bce3d813efe66f3cc5a05511374cbf5af280c3ab6fa3d5a49a6aa44e7fb11c4d73d0abf61b40

Download Submit
\Users\Admin\AppData\Local\Temp\ins8155\ins8155.exe

Filesize
33KB

MD5
213685486725a464fcefe6a2f41d3072

SHA1
8d880d8d60c1284048c88f094cb73195613279e6

SHA256
f9144dedb3d5077a39a7e14901693e2fcf59f6804c11d7db88a7e8fe99896700

SHA512
7df8601d93094dd61cf68fa5c41a7628cdffa82e29fbcb6729e71c1b1cc44d62caf4aa22215574d6ed941981efb68d13537f21d5f2a602613714545dedfb982e

Download Submit
memory/1768-22-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1768-3-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/1768-30-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1768-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1768-24-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/2740-19-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2740-20-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2740-21-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2740-23-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2740-18-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2740-26-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2740-27-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2740-28-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2740-29-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2740-17-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing