e846cae9784a3c49b62105bceb2c6bbae7be4341f730ceb5605702271b037cf2

General

Target

3db19899363af81978e1f897ab567ac8.exe
Size

2.5MB
MD5

3db19899363af81978e1f897ab567ac8
SHA1

86036545c2a248532a3c70754fa531c82b65875d
SHA256

e846cae9784a3c49b62105bceb2c6bbae7be4341f730ceb5605702271b037cf2
SHA512

6f6b2fc76ad36c3b06a28b00264c80275b38927417413477624115ec6a4da855398b305836f04b47f6b3403c451f046df030691339a5601e9791fcd1d02a8a7e
SSDEEP

49152:oky796EvMtTx435MtV+Oj29Ls3t/cwCxHHlc2KP1z8o/MO2Uqed3yBI1rM:o7AEvgVOy29Ls3JslVYzjMO26il

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3064	3db19899363af81978e1f897ab567ac8.tmp
2840	WMF.exe

Loads dropped DLL 5 IoCs

pid	Process
2464	3db19899363af81978e1f897ab567ac8.exe
3064	3db19899363af81978e1f897ab567ac8.tmp
3064	3db19899363af81978e1f897ab567ac8.tmp
3064	3db19899363af81978e1f897ab567ac8.tmp
3064	3db19899363af81978e1f897ab567ac8.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2840	WMF.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 3064	2464	3db19899363af81978e1f897ab567ac8.exe	27
PID 2464 wrote to memory of 3064	2464	3db19899363af81978e1f897ab567ac8.exe	27
PID 2464 wrote to memory of 3064	2464	3db19899363af81978e1f897ab567ac8.exe	27
PID 2464 wrote to memory of 3064	2464	3db19899363af81978e1f897ab567ac8.exe	27
PID 2464 wrote to memory of 3064	2464	3db19899363af81978e1f897ab567ac8.exe	27
PID 2464 wrote to memory of 3064	2464	3db19899363af81978e1f897ab567ac8.exe	27
PID 2464 wrote to memory of 3064	2464	3db19899363af81978e1f897ab567ac8.exe	27
PID 3064 wrote to memory of 2840	3064	3db19899363af81978e1f897ab567ac8.tmp	28
PID 3064 wrote to memory of 2840	3064	3db19899363af81978e1f897ab567ac8.tmp	28
PID 3064 wrote to memory of 2840	3064	3db19899363af81978e1f897ab567ac8.tmp	28
PID 3064 wrote to memory of 2840	3064	3db19899363af81978e1f897ab567ac8.tmp	28

C:\Users\Admin\AppData\Local\Temp\3db19899363af81978e1f897ab567ac8.exe
"C:\Users\Admin\AppData\Local\Temp\3db19899363af81978e1f897ab567ac8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\is-30P1U.tmp\3db19899363af81978e1f897ab567ac8.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-30P1U.tmp\3db19899363af81978e1f897ab567ac8.tmp" /SL5="$40164,2280122,153088,C:\Users\Admin\AppData\Local\Temp\3db19899363af81978e1f897ab567ac8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\is-LERJK.tmp\WMF.exe
    "C:\Users\Admin\AppData\Local\Temp\is-LERJK.tmp\WMF.exe" /aid=0 /sub=0 /sid=42 /name="crysis_2.rar" /fid= /stats=AReQ4iWsktD0UBRZXNhssOlbsZhQuk8Z971JHLOgulDVn83bn6dO334Ixt3BBwA537YacWzfPb4WgREJIFs8iw== /param=0
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-LERJK.tmp\WMF.exe

Filesize
384KB

MD5
5920db4723b64a4b6570e1c43103454f

SHA1
6cd8b5b2f7be7b55ef5acf508f13c9f3f0d2ff8c

SHA256
bbb24375c86b204017fab29ecea2ea29d2809928fdbac407a3a77ea04e7162a6

SHA512
faceeedd2697365d4d9081adcca7161749553636ac6cce2dfa3d5efc4bfcbeedd9159b9533332cd3b839d0a6b7d8850ceeb088e31251b2c85414026f9553004a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LERJK.tmp\WMF.exe

Filesize
239KB

MD5
f9eae937754da8a63247d92cb079f11e

SHA1
f2db4e3861c5ca2126677b4a75779e1cac455f7f

SHA256
b2d7ba09e04c5c99e97f8bc39fbfa909f000dcd0b85b83647c1a4b3a6465d120

SHA512
f9a0851079217ecc4dfda30be2c21e3f9424cbf6c6881da2d438ca51d79f93f6ffcb20c74d1ee134122c56c3fde5a308d2f025effbe960f7598809008ea4ae2f

Download Submit
\Users\Admin\AppData\Local\Temp\is-30P1U.tmp\3db19899363af81978e1f897ab567ac8.tmp

Filesize
1.1MB

MD5
8811a0652c18dbcf68955f99df537eb8

SHA1
70cff6c43c0f873295dc085018639dff02f33012

SHA256
d69f51e65e3944891ec9c392b3d7410d81f8f93e55b9071584bfd1d384862230

SHA512
ed2ff6cfe272a8ae260233a1bb653adc0eaae13388418a9dea692b9924999d89b8677b8669fa24dcb0c606cfca7045bef779e1c58547f3f17d5096cbbe31d60a

Download Submit
\Users\Admin\AppData\Local\Temp\is-LERJK.tmp\WMF.exe

Filesize
1024KB

MD5
c1b2bf92bd9ef0b5fc3e51f57acc3326

SHA1
d5463aceb9b7f94e69d3c5daa7bfc347e78babea

SHA256
9b4316d5c503c17a33ccfe0c33ad8894e3f9303693df1901efb2f39568fa8729

SHA512
51e667650204934c7b46efaf2e6824cfb1494551f76171480aa8d245e88c78b6a6714245f7d5b9eef8c3892b8f7df9cce89b74a5966a1a080e7578202463801f

Download Submit
\Users\Admin\AppData\Local\Temp\is-LERJK.tmp\WMF.exe

Filesize
617KB

MD5
fc1fd32a7ab2f50c9e5fc9b0a36344a0

SHA1
c602c541a1d69418b3b7bd8ed77c8d4a00c4b548

SHA256
f936b9723eb7fef5d37f07931ba50e9401f26fdfdf6d43ab7d6b71984aa249e8

SHA512
20d8aac5d06823aa7903f696562b8b73c069984b6f69a4f633c6ec458205a55244bab9741f6edb94f65bd193c973c30510fad94cb44dd3c44c8609ccf630c908

Download Submit
\Users\Admin\AppData\Local\Temp\is-LERJK.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2464-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2464-39-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2840-41-0x0000000000400000-0x00000000007E2000-memory.dmp

Filesize
3.9MB

Download
memory/2840-37-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2840-46-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/3064-7-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3064-45-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3064-40-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing