818423488df142105c26bff84928dcbd96e031edf39af9da48fc2280b8424853

General

Target

2645078d68dc4aa85d0ac483a0796142.exe
Size

974KB
MD5

2645078d68dc4aa85d0ac483a0796142
SHA1

ae603e0af7fc260030d8b84f7a8ac67e511e3ad5
SHA256

818423488df142105c26bff84928dcbd96e031edf39af9da48fc2280b8424853
SHA512

b4d6db7b22b6c8396790293cad72d0ca9b3ff1dadc15397ee617366018d59998f5bfb943f1505d8046c02a492acec936e9edbf995fccb63777401b2e10e5ebd7
SSDEEP

24576:Kk1r06F0IXC1CbBcBsQIJD6gYG41Vcyh4G7ObTvBoT:nXyucmQoZ41VOHNy

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2508	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2436	24765125.exe

Loads dropped DLL 5 IoCs

pid	Process
2460	cmd.exe
2460	cmd.exe
2436	24765125.exe
2436	24765125.exe
2436	24765125.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\24765125 = "C:\\ProgramData\\24765125\\24765125.exe"	2645078d68dc4aa85d0ac483a0796142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\24765125 = "C:\\PROGRA~3\\24765125\\24765125.exe"	24765125.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2436	24765125.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2436	24765125.exe
2436	24765125.exe
2436	24765125.exe
2436	24765125.exe
2436	24765125.exe
2436	24765125.exe
2436	24765125.exe
2436	24765125.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2436	24765125.exe
2436	24765125.exe
2436	24765125.exe
2436	24765125.exe
2436	24765125.exe
2436	24765125.exe
2436	24765125.exe
2436	24765125.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2508	1640	2645078d68dc4aa85d0ac483a0796142.exe	17
PID 1640 wrote to memory of 2508	1640	2645078d68dc4aa85d0ac483a0796142.exe	17
PID 1640 wrote to memory of 2508	1640	2645078d68dc4aa85d0ac483a0796142.exe	17
PID 1640 wrote to memory of 2508	1640	2645078d68dc4aa85d0ac483a0796142.exe	17
PID 2508 wrote to memory of 2460	2508	cmd.exe	16
PID 2508 wrote to memory of 2460	2508	cmd.exe	16
PID 2508 wrote to memory of 2460	2508	cmd.exe	16
PID 2508 wrote to memory of 2460	2508	cmd.exe	16
PID 2460 wrote to memory of 2436	2460	cmd.exe	25
PID 2460 wrote to memory of 2436	2460	cmd.exe	25
PID 2460 wrote to memory of 2436	2460	cmd.exe	25
PID 2460 wrote to memory of 2436	2460	cmd.exe	25

C:\Users\Admin\AppData\Local\Temp\2645078d68dc4aa85d0ac483a0796142.exe
"C:\Users\Admin\AppData\Local\Temp\2645078d68dc4aa85d0ac483a0796142.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\ProgramData\24765125\24765125.bat" "
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2508

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start C:\PROGRA~3\24765125\24765125.exe /i
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460
- C:\PROGRA~3\24765125\24765125.exe
  C:\PROGRA~3\24765125\24765125.exe /i
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\24765125\24765125.exe

Filesize
78KB

MD5
02f24d95c4b45c304e0dc9582c95b255

SHA1
4a74b3f1029a8cb40554847cd60cb72b7ac53689

SHA256
43a846c023e1eff08e232cddcaff303e01c1fab747a7eaa910a791818652dbf9

SHA512
6ce11d9d8c4019bcfbfaedd33b62e4ac70119f80d545916c20d779e833a58c35920d81886097864efe4b3483c4b23b41077d6f433a70d9dc1d1f0acc28f1dbe9

Download Submit
C:\PROGRA~3\24765125\24765125.exe

Filesize
33KB

MD5
a228ef8640c8b52d9decee9735c1f541

SHA1
6a3dcf37cab017086db28ee28b78ed108da4e278

SHA256
e763abd038a879aec83aef2d24df37685aa04253022a5f1e8dd15fdacde5a953

SHA512
8f12dc922497ac0105ce6b4084fd54f152d28beeee724d932412ec15d67db48b1fb82ef840ec420691b309bac80f2f5333eda661bfe9812e82e52e4d13ecbfcf

Download Submit
C:\ProgramData\24765125\24765125.bat

Filesize
230B

MD5
e317ff6ece33e832896a54850cb0c4bc

SHA1
8e2bb269ca11eaed9122fc67659341658b08a8f5

SHA256
d6e6b25b6a067ad5e913175a6d01439dcb8180eed0b4e46560432c41baa207be

SHA512
0666b71e31063c83434dc455f71c3a550b427db3a011d1cc79825b1e6067e100781f9f24c3402f9348d6f94ff056cb700cbe950d48ac6b93e2a7da12fd577be2

Download Submit
\PROGRA~3\24765125\24765125.exe

Filesize
39KB

MD5
1cd9a07cf656ec36afb0dcc055f0b1e7

SHA1
5c47dbdebe3541aee93c89fc377f32dec3fd4dfc

SHA256
9415f07e98419150019d0c6d7f179554002471596ec2b7d83cc9e6177bc4a6fb

SHA512
2cd67725ee29d982001205b7bc6a48149eb94003847a5e486df997f48651cd5d04a37f44e5cbd3c3ad48944f78888c2a3468805ca6c8bce58415adf63e565fff

Download Submit
\PROGRA~3\24765125\24765125.exe

Filesize
130KB

MD5
916b730265bcc35be332f7b83c150bf4

SHA1
362bcdb591306c9634e62f745e2e5b79f1c895d6

SHA256
3bd8ba707aa2e4c6641844b5bb4dd858561a026873de36d02cea02f8e0949fc0

SHA512
61d27b5e9b222a589592c21a045268060fd2318ee787a242c08abc543c9b4777b6375c8a09be4d4e9f6a63745d8ad7eee5628692af110806fa6810b1628a4ec8

Download Submit
\PROGRA~3\24765125\24765125.exe

Filesize
78KB

MD5
8b4fd483e1bf4a80499628891cc0e21c

SHA1
74d24caaed06c2b44f131b391c20c753b70e5448

SHA256
a1858e3fc8819e4497f2fa1a41a8751a5db6cac4afdec805fb876dee0e7ea884

SHA512
83e4e2d1a039838d1ac6823bb2e8fc162dc096126c5be24c79b48342b77877569ffce941de79c233cf4ae9f345d241849d7b01b6223c36332ce80ca30698cd41

Download Submit
\PROGRA~3\24765125\24765125.exe

Filesize
79KB

MD5
a5097715b527c8f327d91e37eaeb97c9

SHA1
8f20c21b3828d9b581bafbfb68884377e5f473a9

SHA256
fd0417305b24ab0a6ec92dce69d0cbea827d5324d8a49e3f42f786e3f83e2707

SHA512
5b629ebde5083e832037d42ce405076a2264235974a07ef5595bab2fec46ca038e42cc27676d683b7dbc65a9cb9a8cad0807bdb4fa1e5de11b156e11682f3a5a

Download Submit
\PROGRA~3\24765125\24765125.exe

Filesize
118KB

MD5
26d462adeee84802712f46e3ba7c1e6c

SHA1
f64be1cafcc83132fbaa37c6c01af17842632b89

SHA256
ddc6dec7b0b908ebc5ce03d06794f116b9bffe29ea9a5d468060633e7d531e4e

SHA512
7fee0294cf8fe8ca014412a4ee8997e27a7bfb7dc1ba32bdf297846dad94be515c009e090cffc82a91a5aa8b9a89dcc29c7750f62afb8ff8cff3c9730e656784

Download Submit
memory/1640-2-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1640-1-0x0000000000400000-0x00000000005E8004-memory.dmp

Filesize
1.9MB

Download
memory/1640-14-0x0000000000400000-0x00000000005E8004-memory.dmp

Filesize
1.9MB

Download
memory/1640-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1640-3-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2436-25-0x0000000000400000-0x00000000005E8004-memory.dmp

Filesize
1.9MB

Download
memory/2436-37-0x0000000000400000-0x00000000005E8004-memory.dmp

Filesize
1.9MB

Download
memory/2436-21-0x0000000000400000-0x00000000005E8004-memory.dmp

Filesize
1.9MB

Download
memory/2436-24-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2436-26-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2436-28-0x0000000000400000-0x00000000005E8004-memory.dmp

Filesize
1.9MB

Download
memory/2436-27-0x0000000000400000-0x00000000005E8004-memory.dmp

Filesize
1.9MB

Download
memory/2436-33-0x0000000000400000-0x00000000005E8004-memory.dmp

Filesize
1.9MB

Download
memory/2436-35-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/2436-34-0x0000000000400000-0x00000000005E8004-memory.dmp

Filesize
1.9MB

Download
memory/2436-36-0x0000000000400000-0x00000000005E8004-memory.dmp

Filesize
1.9MB

Download
memory/2436-23-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/2436-39-0x0000000000400000-0x00000000005E8004-memory.dmp

Filesize
1.9MB

Download
memory/2436-38-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2436-40-0x0000000000400000-0x00000000005E8004-memory.dmp

Filesize
1.9MB

Download
memory/2436-42-0x0000000000400000-0x00000000005E8004-memory.dmp

Filesize
1.9MB

Download
memory/2436-43-0x0000000000400000-0x00000000005E8004-memory.dmp

Filesize
1.9MB

Download
memory/2436-44-0x0000000000400000-0x00000000005E8004-memory.dmp

Filesize
1.9MB

Download
memory/2436-45-0x0000000000400000-0x00000000005E8004-memory.dmp

Filesize
1.9MB

Download
memory/2436-46-0x0000000000400000-0x00000000005E8004-memory.dmp

Filesize
1.9MB

Download
memory/2436-47-0x0000000000400000-0x00000000005E8004-memory.dmp

Filesize
1.9MB

Download
memory/2436-52-0x0000000000400000-0x00000000005E8004-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads