11b8aff08a7a2a068552588ae95d5ce5a0098b15ee8e6ebe1f7a67c39039d503

General

Target

178bd077ba36310258769a44b8e51cec.exe
Size

3.4MB
MD5

178bd077ba36310258769a44b8e51cec
SHA1

78df149b6809fb2ad54e0dc7a0d07c56ef1a1b85
SHA256

11b8aff08a7a2a068552588ae95d5ce5a0098b15ee8e6ebe1f7a67c39039d503
SHA512

4ca791216b8168e81be1dc4c2725d2aaf309c37d7823152c0b61849bdb9a679cecf6560cc466f13bb5e9e1f1d69914d22c03555caa49e39cd96759691f7c75fb
SSDEEP

98304:46qR6vphuQIieoqn7+YYwejJZWGodCtqUEJr+Gs35AIV:0R6xhuQ/eDxYwQJptqdyv35

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hRGs0nJilvOF.exe	178bd077ba36310258769a44b8e51cec.exe

Executes dropped EXE 2 IoCs

pid	Process
2588	hRGs0nJilvOF.exe
2712	hRGs0nJilvOF.exe

Loads dropped DLL 3 IoCs

pid	Process
2828	178bd077ba36310258769a44b8e51cec.exe
2828	178bd077ba36310258769a44b8e51cec.exe
2588	hRGs0nJilvOF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
564	1956	WerFault.exe	33

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2712	hRGs0nJilvOF.exe
2712	hRGs0nJilvOF.exe
2712	hRGs0nJilvOF.exe
2712	hRGs0nJilvOF.exe
2712	hRGs0nJilvOF.exe
2712	hRGs0nJilvOF.exe
2712	hRGs0nJilvOF.exe
2712	hRGs0nJilvOF.exe
2712	hRGs0nJilvOF.exe
2712	hRGs0nJilvOF.exe
2712	hRGs0nJilvOF.exe
2712	hRGs0nJilvOF.exe
2712	hRGs0nJilvOF.exe
2712	hRGs0nJilvOF.exe
2712	hRGs0nJilvOF.exe
2712	hRGs0nJilvOF.exe
2712	hRGs0nJilvOF.exe
1956	cmd.exe
1956	cmd.exe
1956	cmd.exe
1956	cmd.exe
1956	cmd.exe
1956	cmd.exe
1956	cmd.exe
1956	cmd.exe
1956	cmd.exe
1956	cmd.exe
1956	cmd.exe
1956	cmd.exe
1956	cmd.exe
1956	cmd.exe
1956	cmd.exe
1956	cmd.exe
1956	cmd.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2828	2836	178bd077ba36310258769a44b8e51cec.exe	29
PID 2836 wrote to memory of 2828	2836	178bd077ba36310258769a44b8e51cec.exe	29
PID 2836 wrote to memory of 2828	2836	178bd077ba36310258769a44b8e51cec.exe	29
PID 2836 wrote to memory of 2828	2836	178bd077ba36310258769a44b8e51cec.exe	29
PID 2828 wrote to memory of 2588	2828	178bd077ba36310258769a44b8e51cec.exe	31
PID 2828 wrote to memory of 2588	2828	178bd077ba36310258769a44b8e51cec.exe	31
PID 2828 wrote to memory of 2588	2828	178bd077ba36310258769a44b8e51cec.exe	31
PID 2828 wrote to memory of 2588	2828	178bd077ba36310258769a44b8e51cec.exe	31
PID 2588 wrote to memory of 2712	2588	hRGs0nJilvOF.exe	32
PID 2588 wrote to memory of 2712	2588	hRGs0nJilvOF.exe	32
PID 2588 wrote to memory of 2712	2588	hRGs0nJilvOF.exe	32
PID 2588 wrote to memory of 2712	2588	hRGs0nJilvOF.exe	32
PID 2712 wrote to memory of 1956	2712	hRGs0nJilvOF.exe	33
PID 2712 wrote to memory of 1956	2712	hRGs0nJilvOF.exe	33
PID 2712 wrote to memory of 1956	2712	hRGs0nJilvOF.exe	33
PID 2712 wrote to memory of 1956	2712	hRGs0nJilvOF.exe	33
PID 2712 wrote to memory of 1956	2712	hRGs0nJilvOF.exe	33
PID 2712 wrote to memory of 1956	2712	hRGs0nJilvOF.exe	33
PID 1956 wrote to memory of 564	1956	cmd.exe	35
PID 1956 wrote to memory of 564	1956	cmd.exe	35
PID 1956 wrote to memory of 564	1956	cmd.exe	35
PID 1956 wrote to memory of 564	1956	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\178bd077ba36310258769a44b8e51cec.exe
"C:\Users\Admin\AppData\Local\Temp\178bd077ba36310258769a44b8e51cec.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Users\Admin\AppData\Local\Temp\178bd077ba36310258769a44b8e51cec.exe
  "C:\Users\Admin\AppData\Local\Temp\178bd077ba36310258769a44b8e51cec.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hRGs0nJilvOF.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hRGs0nJilvOF.exe" "C:\Users\Admin\AppData\Local\Temp\178bd077ba36310258769a44b8e51cec.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hRGs0nJilvOF.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hRGs0nJilvOF.exe" "C:\Users\Admin\AppData\Local\Temp\178bd077ba36310258769a44b8e51cec.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1956
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 284
        6⤵
        Program crash
        
        PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hRGs0nJilvOF.exe

Filesize
985KB

MD5
7fef05f001bc561d2d9fd2ac1d7fcba0

SHA1
cad7411f1186e0df3ad2ddc15ff572e844a32741

SHA256
fd332e1b1ff5b3e38d3be589122363584f491580a8a1f2ddbeec3116a6683564

SHA512
0c684b5b45e806fb3c7c2372a6b4854a444ff321269f38fc420001f366f5486546fce1b5352ab88c5586958c111fcddd9311c03ff7e3f746cc5332c108b3c776

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hRGs0nJilvOF.exe

Filesize
1.3MB

MD5
615863b9c7f844417df29fc65f78594f

SHA1
158fda011b2b99bed41f73bb81ae5cdc9db80b91

SHA256
dfe85de8a00147503b9200b97fb8919fdd1c2f44774d3b42eec4a10c92b9b7dc

SHA512
90a66b4a2dc39642575c7654df1a8d3dad744f52165be0d4c15c498435c3939f88dd347c968acdfddcbf49b56922294bc3a9fe0892fc507405e372543a20568f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hRGs0nJilvOF.exe

Filesize
1.7MB

MD5
d85e3c411bd24f9162939da781f60054

SHA1
99d1084430e727b392a94a7e8a747533d0d71a80

SHA256
74fecc19c93272f032fb641fd8f60f095d90239bed802c1695555a4e5c62750f

SHA512
fc8c10e46816b22dbfced04361379e21313cd09e324415bed7a132b956ed5eba5024534052d657dadbdecc32dc6a2f3cf95764a72f1b822d41c93830efc8461f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hRGs0nJilvOF.exe

Filesize
830KB

MD5
de51bbf0cff034eb6dd4b88629949bbd

SHA1
536a4c0ad8e7eef1be3d82e1ac5a45ae9ad60f6c

SHA256
3d9ebe6894a5cf0da537449c2c8d2d011305389f68cbde95ec421d69dbfed63c

SHA512
1b7fb34c69f4b982746ec60348a6ea2093475a00431b7cb588e204b4c939845ac6cfd051d1b65edaeae8322af9dfa6fa5c424fc2a9404fd1cb0c784ef8b75dd3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hRGs0nJilvOF.exe

Filesize
1.8MB

MD5
fb20976dd9260dd5be42818c7c81f950

SHA1
7b0de6cc2ad054dd42744ea73570e005f059c963

SHA256
d98f2615f71ca2b7bc14632e801a6d3b39943696f0132b56b32ad2363e51b0d8

SHA512
42e3f9275c302cdbd40a1b0fef500f59c271b04a51f3a5c8bb2279e9608780f4b6dba6266b121af708d721a32186d108a93b5ff02fad2b5c650e1ce51fc40d87

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hRGs0nJilvOF.exe

Filesize
1.7MB

MD5
fbcee2e1fdb7984f056ad60e36cb6bb4

SHA1
ebcc0c23c626ad0185f34ca6e06691faf99ac70b

SHA256
ebdd3723bdfa527a48c7bc1633a7b8649d2802de229dec4850bf29f4ef1b2aa8

SHA512
62f2c4c3797f90cf1022463d61a884a54c9e36600e1e917b8366a62dcc410b1224dee065fb6267f1a84bcae7d2f4a11f8c607491375e34ae166c2adb7c55c7e2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hRGs0nJilvOF.exe

Filesize
1.2MB

MD5
4af2638567ad4b1f8c5fef4e8beda1e6

SHA1
811ab9c0805c30d9f5b16eb8b524b5918fcedce8

SHA256
e5d19947c7b1807f92ce2c802a1366640d53456471934cadf1905f5fe31ff026

SHA512
bd2ebe04353212c8ee468e5b6272506562174c0b8039b271bbf9e66e48a41dd84be5796fee37e33b11aa3d1db43575623f9d023aa990b044118ee613e949b98d

Download Submit
memory/1956-34-0x0000000002CC0000-0x0000000002D5E000-memory.dmp

Filesize
632KB

Download
memory/1956-85-0x0000000077DB0000-0x0000000077DB1000-memory.dmp

Filesize
4KB

Download
memory/1956-91-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1956-90-0x0000000077D90000-0x0000000077F10000-memory.dmp

Filesize
1.5MB

Download
memory/1956-89-0x0000000002CC0000-0x0000000002D5E000-memory.dmp

Filesize
632KB

Download
memory/1956-88-0x0000000002CC0000-0x0000000002D5E000-memory.dmp

Filesize
632KB

Download
memory/1956-87-0x0000000077DB0000-0x0000000077DB1000-memory.dmp

Filesize
4KB

Download
memory/1956-86-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1956-33-0x0000000077D90000-0x0000000077F10000-memory.dmp

Filesize
1.5MB

Download
memory/1956-31-0x0000000000370000-0x0000000000409000-memory.dmp

Filesize
612KB

Download
memory/1956-30-0x0000000000370000-0x0000000000409000-memory.dmp

Filesize
612KB

Download
memory/1956-28-0x0000000000520000-0x0000000001172000-memory.dmp

Filesize
12.3MB

Download
memory/2588-16-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2712-38-0x0000000002380000-0x000000000241E000-memory.dmp

Filesize
632KB

Download
memory/2712-22-0x0000000077DB0000-0x0000000077DB1000-memory.dmp

Filesize
4KB

Download
memory/2712-23-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/2712-21-0x0000000002380000-0x000000000241E000-memory.dmp

Filesize
632KB

Download
memory/2712-25-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2712-24-0x0000000077DB0000-0x0000000077DB1000-memory.dmp

Filesize
4KB

Download
memory/2828-7-0x0000000005040000-0x000000000543E000-memory.dmp

Filesize
4.0MB

Download
memory/2828-18-0x0000000000800000-0x000000000089E000-memory.dmp

Filesize
632KB

Download
memory/2828-17-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2828-15-0x0000000005040000-0x000000000543E000-memory.dmp

Filesize
4.0MB

Download
memory/2828-2-0x0000000000800000-0x000000000089E000-memory.dmp

Filesize
632KB

Download
memory/2836-0-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2836-1-0x00000000020E0000-0x00000000024DE000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing