3f1c77455eaeca5f2aab998c7a37333ed1fb3d119aa139fd8bd4d5d4496f5d3f

General

Target

2750d960aced3b1066ca7548c71a0c08.exe
Size

134KB
MD5

2750d960aced3b1066ca7548c71a0c08
SHA1

e5bb656b51670f05c2d9bb48b3c85596747fb263
SHA256

3f1c77455eaeca5f2aab998c7a37333ed1fb3d119aa139fd8bd4d5d4496f5d3f
SHA512

9edc89c61dc68aab142b1b3e1c17098f060ce47b0fbe889135b34ca3f3913ea35a0e7fdfb4015dad05cd96199a6f8f3f6ee36c1541b4f4e2533fc8473132f0e3
SSDEEP

3072:XnOn7t7XpdpCCTg/sxFgJMeq8KQChgFjqwydb9FmaYPRzhJ:XKpdcCrTv8K5GFOwydb9FGhJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2692	downloadmr.exe

Loads dropped DLL 3 IoCs

pid	Process
2940	2750d960aced3b1066ca7548c71a0c08.exe
2940	2750d960aced3b1066ca7548c71a0c08.exe
2940	2750d960aced3b1066ca7548c71a0c08.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2692	2940	2750d960aced3b1066ca7548c71a0c08.exe	19
PID 2940 wrote to memory of 2692	2940	2750d960aced3b1066ca7548c71a0c08.exe	19
PID 2940 wrote to memory of 2692	2940	2750d960aced3b1066ca7548c71a0c08.exe	19
PID 2940 wrote to memory of 2692	2940	2750d960aced3b1066ca7548c71a0c08.exe	19

C:\Users\Admin\AppData\Local\Temp\2750d960aced3b1066ca7548c71a0c08.exe
"C:\Users\Admin\AppData\Local\Temp\2750d960aced3b1066ca7548c71a0c08.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Local\Temp\nstA8CF.tmp\downloadmr.exe
  C:\Users\Admin\AppData\Local\Temp\nstA8CF.tmp\downloadmr.exe /e2273001 /u4dc9054e-38b0-4614-bdd5-20605bc06f26
  2⤵
  - Executes dropped EXE
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabDA89.tmp

Filesize
13KB

MD5
87e589406efef31505d4856ed5665fda

SHA1
ccbeb184f9d920b9b889e9bafe83da1c2f260e33

SHA256
79d0429e5bd953c530f52be5e30a73e809c83ae59b5754468493e8809f1435bf

SHA512
e5750d99de6adb48b38bc080aee73960b59a49097aef41f09567d8ceef256a78828c99f85d461d0ca3697c6b1799c5c5eff69e9cbf6320f61510e697cb609170

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar23FA.tmp

Filesize
125KB

MD5
689c1f4b38b3489566b3b010b1ac4f09

SHA1
0a39fc54239d25c377a4d34bcbc1de16bcce0146

SHA256
4906ff5bfd8654eec1068ba523c19036a6c655c95e17dd3e3cb57621b4bf9eef

SHA512
3401e2a44dbce16111531d64093ab5bfb6c45cbebd60610aeac8550a427f341809511254d514d03efff52fc9d8f43b6daaade3d740882c2d3946f8a95ac85106

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstA8CF.tmp\System.dll

Filesize
1KB

MD5
8143e59c2b92661b705733d2ac1abe10

SHA1
d9ac6750f186ad7025ce4e03082fc6b3116a3294

SHA256
298d293a33588c53853c11884f93bf103d0716cdb7fcfbb4f1efaaa8b9aeb5b3

SHA512
1eb9f318db0e5b409d61a8eb7a80016ac912bb7639b04b5ece8d10bedcf3881e52d27ee47769e37ba332e82bad3c826b633067557133b8fa7bce7dd4c436ad77

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstA8CF.tmp\downloadmr.exe

Filesize
7KB

MD5
7b9680512594958962542096960fdbe1

SHA1
48bab587ef90f49a9e224ce943b9d09ab895e031

SHA256
fb0119ae511855992c9bef20e6cc11f498d811b63823004ba091ae92509e9e53

SHA512
6559a3c61c80e11fc1ef220d07d8be3a01267d3bf6e02e4a464e9029327fb0eacfd382202631552119ef39207491f4f689b9ab57527e9d8f3e2c610df6fed884

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstA8CF.tmp\downloadmr.exe

Filesize
6KB

MD5
886e7e684ac48e240ea89395b28d6331

SHA1
c3b7bda0312c8ca22aa541ef9e0f65d62ceb35ae

SHA256
b457aa6a95c3a93aa79cb1e19a30275004068cec5fe82356f9585ee051804840

SHA512
040daf4feb587a6f3d5f3577f354ab3d9626bd61b51463172529e68ac79b79a6ca37bbd9a4c0d5d11e10d2402794d8a32d904ecf00f6aec11550d97bf429de73

Download Submit
\Users\Admin\AppData\Local\Temp\nstA8CF.tmp\System.dll

Filesize
4KB

MD5
436977dabb2f3bb43f045645b7cad01b

SHA1
fa68c80bd77a614ecbdf016fefbcdc34188cce2e

SHA256
b02c0e0d8385e0e661f40fd7c4c38418a23fdc9c04057432ffa3ef72160280e3

SHA512
8eac59d2f51c9d99719ae66e677d715cfcb00b2d61bd751c2a4486f47317b927c276858af0e1b833b8ea00f5d7bef41793aa5530ec558d8212f8b3963a5ded6c

Download Submit
\Users\Admin\AppData\Local\Temp\nstA8CF.tmp\System.dll

Filesize
17KB

MD5
a161951b0f3c28e2328c2ecf2488b3d8

SHA1
b071ba2ff959c7ed4b751e463c38fbbe36c129f2

SHA256
ea3bbcb58b46baa0b228b056b20463edd302940586689413635dd98b278431b0

SHA512
43e271068d367804c75c5760e2e4cf03c8a2f1aaf1e455a4da49b4cb9b2d042f780205a2c2ef5b079c137f062830b67c989ffa504bf25bbf9591316e80225173

Download Submit
memory/2692-51-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/2692-16-0x0000000074230000-0x00000000747DB000-memory.dmp

Filesize
5.7MB

Download
memory/2692-36-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/2692-17-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/2692-50-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/2692-15-0x0000000074230000-0x00000000747DB000-memory.dmp

Filesize
5.7MB

Download
memory/2692-54-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/2692-57-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/2692-58-0x0000000007390000-0x0000000007490000-memory.dmp

Filesize
1024KB

Download
memory/2692-61-0x0000000074230000-0x00000000747DB000-memory.dmp

Filesize
5.7MB

Download
memory/2940-26-0x000000006E3C0000-0x000000006E3CD000-memory.dmp

Filesize
52KB

Download
memory/2940-25-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2940-65-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing