f91f8abfb1586925a6096ffd1a862550211a55d286cd0394d4ab984a529e4c58

General

Target

2a191009fb7b2665ee2f1f78a6f38211.exe
Size

2.5MB
MD5

2a191009fb7b2665ee2f1f78a6f38211
SHA1

a15fd55d33a4484cde777089a50dd6a73938c540
SHA256

f91f8abfb1586925a6096ffd1a862550211a55d286cd0394d4ab984a529e4c58
SHA512

15daf728e0dcc43b24ed35de35c2d5682df7b1664c48a7a8f41ff6aba4d7f60608123477a0a7daef702dc1ded937066c93c3c8e4f6e25d54c98fd90d54a6285f
SSDEEP

49152:oky796EvMtTx435MtV+Oj29Ls3t/cwCxHHlc2KP1z8o/MO2Uqed3yBI1rp:o7AEvgVOy29Ls3JslVYzjMO26ie

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2424	2a191009fb7b2665ee2f1f78a6f38211.tmp
2336	WMF.exe

Loads dropped DLL 5 IoCs

pid	Process
2508	2a191009fb7b2665ee2f1f78a6f38211.exe
2424	2a191009fb7b2665ee2f1f78a6f38211.tmp
2424	2a191009fb7b2665ee2f1f78a6f38211.tmp
2424	2a191009fb7b2665ee2f1f78a6f38211.tmp
2424	2a191009fb7b2665ee2f1f78a6f38211.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2336	WMF.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2424	2508	2a191009fb7b2665ee2f1f78a6f38211.exe	17
PID 2508 wrote to memory of 2424	2508	2a191009fb7b2665ee2f1f78a6f38211.exe	17
PID 2508 wrote to memory of 2424	2508	2a191009fb7b2665ee2f1f78a6f38211.exe	17
PID 2508 wrote to memory of 2424	2508	2a191009fb7b2665ee2f1f78a6f38211.exe	17
PID 2508 wrote to memory of 2424	2508	2a191009fb7b2665ee2f1f78a6f38211.exe	17
PID 2508 wrote to memory of 2424	2508	2a191009fb7b2665ee2f1f78a6f38211.exe	17
PID 2508 wrote to memory of 2424	2508	2a191009fb7b2665ee2f1f78a6f38211.exe	17
PID 2424 wrote to memory of 2336	2424	2a191009fb7b2665ee2f1f78a6f38211.tmp	16
PID 2424 wrote to memory of 2336	2424	2a191009fb7b2665ee2f1f78a6f38211.tmp	16
PID 2424 wrote to memory of 2336	2424	2a191009fb7b2665ee2f1f78a6f38211.tmp	16
PID 2424 wrote to memory of 2336	2424	2a191009fb7b2665ee2f1f78a6f38211.tmp	16

C:\Users\Admin\AppData\Local\Temp\is-KBR0D.tmp\WMF.exe
"C:\Users\Admin\AppData\Local\Temp\is-KBR0D.tmp\WMF.exe" /aid=0 /sub=0 /sid=42 /name="4.rar" /fid= /stats=cS71pQPkuOys9C/drFU6n3IGsFZjWHRvzkHz3c2b3dwwR8mVZjZgLS2XN8hbXBHVQJx8wSdATUdUxi47zhaKew== /param=0
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2336

C:\Users\Admin\AppData\Local\Temp\is-RHR5G.tmp\2a191009fb7b2665ee2f1f78a6f38211.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RHR5G.tmp\2a191009fb7b2665ee2f1f78a6f38211.tmp" /SL5="$3009A,2280122,153088,C:\Users\Admin\AppData\Local\Temp\2a191009fb7b2665ee2f1f78a6f38211.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424

C:\Users\Admin\AppData\Local\Temp\2a191009fb7b2665ee2f1f78a6f38211.exe
"C:\Users\Admin\AppData\Local\Temp\2a191009fb7b2665ee2f1f78a6f38211.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-RHR5G.tmp\2a191009fb7b2665ee2f1f78a6f38211.tmp

Filesize
92KB

MD5
1969e47c426b8837edbdbbf0549ee6a4

SHA1
12bde3c18052d50f179771bfdfb15d1f2361b0d5

SHA256
d5a7882c1d8623c628c931145b43364457e574b637b72052a28af92f217fd35b

SHA512
25f70473dde14d049653cc0413d0df9111527711845fdaaa338359b637b685fc2c1009ed07eff058d7ec2fe1361b04f17bfd5868cae69f220b8d8e2e8333182b

Download Submit
\Users\Admin\AppData\Local\Temp\is-KBR0D.tmp\WMF.exe

Filesize
92KB

MD5
4cb044d57bddd0b705aa5b7830fd5b5a

SHA1
ddce53d16b07aae98dbf8569b4d995af98cc0bad

SHA256
e487de6d91828f8d2e9b36a27326c37041931bb87c8e5a9f5819e47d7ea7bdde

SHA512
813f811f758980e8b6b25b2366e5fbf355767250ea78c7d878f11539ef2499af2fe983183ec4648ffd4461b335a5767b3b39fd251bee8cb08d461fd3455404b0

Download Submit
\Users\Admin\AppData\Local\Temp\is-KBR0D.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-RHR5G.tmp\2a191009fb7b2665ee2f1f78a6f38211.tmp

Filesize
96KB

MD5
0891fb7e8219987c7fefbf7b230ddf09

SHA1
4a8624e7a6a90a973c78892e36a82980ce855bf3

SHA256
4e12a0daede8c5917d94c57e6648888c85d8547a68f30b30319b33e68e857ef4

SHA512
e76770dd899bcfa8c5d76a9397f6c1dd1463e53744886e5f50870678de6a1506e5a25ec82e3388487b0136fc472e97c01a5a0afeab19a4c61810696707f6ec2f

Download Submit
memory/2336-38-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2336-42-0x0000000000400000-0x00000000007E2000-memory.dmp

Filesize
3.9MB

Download
memory/2336-46-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2424-8-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2424-41-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2508-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2508-2-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2508-40-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing