dba13d4cecd44dfcd69331701d6fdab3cca66c09e9c061dcf7f65eb881e8c6fa

General

Target

3db636a478c20b1ab0e904da4d0c68b9.exe
Size

220KB
MD5

3db636a478c20b1ab0e904da4d0c68b9
SHA1

1a41f0eed7ebf12b7343a462a4fab16596ac8034
SHA256

dba13d4cecd44dfcd69331701d6fdab3cca66c09e9c061dcf7f65eb881e8c6fa
SHA512

7f9bb01138f4433bad509368ef2e378475699dd03161d34bbd84ebc890dce1f0e23bfb56b03461e0464d0bb5abaabd226d9e358f571e0a84609e3b467daaa87a
SSDEEP

3072:ttCnFCqR8Ss361HRcaZ72fWXIxZXDXrj2kiCay8Rqrica9/aR2OJ+ndsX7v4qXx/:Ocq0361HRcf3VAjv3cCalDt

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3064	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3036	fzhqrulv.exe

Loads dropped DLL 4 IoCs

pid	Process
3064	cmd.exe
3064	cmd.exe
3036	fzhqrulv.exe
3036	fzhqrulv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2172	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2680	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3036	fzhqrulv.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3036	fzhqrulv.exe
3036	fzhqrulv.exe
3036	fzhqrulv.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3036	fzhqrulv.exe
3036	fzhqrulv.exe
3036	fzhqrulv.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 3064	880	3db636a478c20b1ab0e904da4d0c68b9.exe	21
PID 880 wrote to memory of 3064	880	3db636a478c20b1ab0e904da4d0c68b9.exe	21
PID 880 wrote to memory of 3064	880	3db636a478c20b1ab0e904da4d0c68b9.exe	21
PID 880 wrote to memory of 3064	880	3db636a478c20b1ab0e904da4d0c68b9.exe	21
PID 3064 wrote to memory of 2172	3064	cmd.exe	17
PID 3064 wrote to memory of 2172	3064	cmd.exe	17
PID 3064 wrote to memory of 2172	3064	cmd.exe	17
PID 3064 wrote to memory of 2172	3064	cmd.exe	17
PID 3064 wrote to memory of 2680	3064	cmd.exe	18
PID 3064 wrote to memory of 2680	3064	cmd.exe	18
PID 3064 wrote to memory of 2680	3064	cmd.exe	18
PID 3064 wrote to memory of 2680	3064	cmd.exe	18
PID 3064 wrote to memory of 3036	3064	cmd.exe	33
PID 3064 wrote to memory of 3036	3064	cmd.exe	33
PID 3064 wrote to memory of 3036	3064	cmd.exe	33
PID 3064 wrote to memory of 3036	3064	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\3db636a478c20b1ab0e904da4d0c68b9.exe
"C:\Users\Admin\AppData\Local\Temp\3db636a478c20b1ab0e904da4d0c68b9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 880 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3db636a478c20b1ab0e904da4d0c68b9.exe" & start C:\Users\Admin\AppData\Local\fzhqrulv.exe -f
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Users\Admin\AppData\Local\fzhqrulv.exe
    C:\Users\Admin\AppData\Local\fzhqrulv.exe -f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3036

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /pid 880
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\SysWOW64\PING.EXE
ping -n 3 127.1
1⤵
- Runs ping.exe
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/880-2-0x0000000000290000-0x00000000002B7000-memory.dmp

Filesize
156KB

Download
memory/880-5-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/880-6-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/880-4-0x0000000000310000-0x0000000000312000-memory.dmp

Filesize
8KB

Download
memory/880-3-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/880-0-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/3036-18-0x0000000000C00000-0x0000000000CDB000-memory.dmp

Filesize
876KB

Download
memory/3036-11-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/3036-17-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/3036-16-0x0000000000450000-0x0000000000452000-memory.dmp

Filesize
8KB

Download
memory/3036-15-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/3036-14-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/3036-12-0x00000000001C0000-0x00000000001E7000-memory.dmp

Filesize
156KB

Download
memory/3036-21-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download
memory/3036-22-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/3036-24-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/3036-23-0x00000000001C0000-0x00000000001E7000-memory.dmp

Filesize
156KB

Download
memory/3036-25-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/3036-27-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/3036-26-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/3036-28-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/3036-30-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/3036-31-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/3036-32-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/3036-33-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download
memory/3036-34-0x0000000001000000-0x00000000010DB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing