9342ba1e24e8145068d984a75c57d4a5f05e43779c81825ead8cf680851a95ce

General

Target

3ec4e365ac77930827c8092d581b2643.exe
Size

1.0MB
MD5

3ec4e365ac77930827c8092d581b2643
SHA1

7fdc7bd28658590b1fa314502f56eab4944be1a0
SHA256

9342ba1e24e8145068d984a75c57d4a5f05e43779c81825ead8cf680851a95ce
SHA512

62d347cd8c09cd67636ccc6a94a9ed17fead70e3676ba5c07baf3e45432a0f94fd91ffd4786f3dd1fc4d4000956721fa2f6024ac3b66426b7158506c1a68e09b
SSDEEP

24576:+f0gDVDkBf8IhgC01JwJHpOoRV9don1Qg:GDkkJwbOiBo

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3028	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2676	56798035.exe

Loads dropped DLL 4 IoCs

pid	Process
2652	cmd.exe
2652	cmd.exe
2676	56798035.exe
2676	56798035.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\56798035 = "C:\\PROGRA~3\\56798035\\56798035.exe"	56798035.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\56798035 = "C:\\ProgramData\\56798035\\56798035.exe"	3ec4e365ac77930827c8092d581b2643.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2184	taskkill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2676	56798035.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	taskkill.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2676	56798035.exe
2676	56798035.exe
2676	56798035.exe
2676	56798035.exe
2676	56798035.exe
2676	56798035.exe
2676	56798035.exe
2676	56798035.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2676	56798035.exe
2676	56798035.exe
2676	56798035.exe
2676	56798035.exe
2676	56798035.exe
2676	56798035.exe
2676	56798035.exe
2676	56798035.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 3028	2220	3ec4e365ac77930827c8092d581b2643.exe	28
PID 2220 wrote to memory of 3028	2220	3ec4e365ac77930827c8092d581b2643.exe	28
PID 2220 wrote to memory of 3028	2220	3ec4e365ac77930827c8092d581b2643.exe	28
PID 2220 wrote to memory of 3028	2220	3ec4e365ac77930827c8092d581b2643.exe	28
PID 3028 wrote to memory of 2184	3028	cmd.exe	30
PID 3028 wrote to memory of 2184	3028	cmd.exe	30
PID 3028 wrote to memory of 2184	3028	cmd.exe	30
PID 3028 wrote to memory of 2184	3028	cmd.exe	30
PID 3028 wrote to memory of 2652	3028	cmd.exe	31
PID 3028 wrote to memory of 2652	3028	cmd.exe	31
PID 3028 wrote to memory of 2652	3028	cmd.exe	31
PID 3028 wrote to memory of 2652	3028	cmd.exe	31
PID 2652 wrote to memory of 2676	2652	cmd.exe	33
PID 2652 wrote to memory of 2676	2652	cmd.exe	33
PID 2652 wrote to memory of 2676	2652	cmd.exe	33
PID 2652 wrote to memory of 2676	2652	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\3ec4e365ac77930827c8092d581b2643.exe
"C:\Users\Admin\AppData\Local\Temp\3ec4e365ac77930827c8092d581b2643.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\ProgramData\56798035\56798035.bat" "
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im 3ec4e365ac77930827c8092d581b2643.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start C:\PROGRA~3\56798035\56798035.exe /install
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\PROGRA~3\56798035\56798035.exe
      C:\PROGRA~3\56798035\56798035.exe /install
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\56798035\56798035.exe

Filesize
640KB

MD5
dceb23f00085d12b08db70c104e19b29

SHA1
f2769e1debdafcf805aef7a2266c602f6610e969

SHA256
3bae046351c0e2f31d259d20e7765453beb6bec2d79b48b993f6fd419e6f01d7

SHA512
3b7e3236ffa8a6d4b2ced06b433ddd265a0b4ba8e81c1d498c5555b64bd5a4e0585072fb89d91aa1c916ab2502301ef6bd50f425866f31c07c599534ad1eb361

Download Submit
C:\ProgramData\56798035\56798035.bat

Filesize
290B

MD5
d832c3109f30ca079c669ec434081e83

SHA1
9598580e1f059f68baae4e53284a157934bed8b1

SHA256
2abc3e2cd971437f0ef981c4b4cd1db610acc7632c92edb8753639769bf1517d

SHA512
4753fff526b212636fe2cb542fff7854d1e67bd63f8fbec32204ad98f1cb87d946685ddb9cf60e5a4481158e0142bcc39fde22f8d6d0c59a04992109a33ef79a

Download Submit
\PROGRA~3\56798035\56798035.exe

Filesize
630KB

MD5
37856d14dfecfae6b2d6ddde71e77c5e

SHA1
59730843c577356748a729989cb740f4eb02bc7d

SHA256
1333f99271e79e56ff81bc8238dc0c5a46ad54640d51a793b1ebac3e3ac6f249

SHA512
8a9c03023af0eafdebaa67ff9574cf7b123ceaa3f52c5f76eab42deffad8adfcccdef0fe1c48c7d2bd79c8668718c776cc48fdd74293e37bc48e70e7d797debe

Download Submit
\PROGRA~3\56798035\56798035.exe

Filesize
1.0MB

MD5
3ec4e365ac77930827c8092d581b2643

SHA1
7fdc7bd28658590b1fa314502f56eab4944be1a0

SHA256
9342ba1e24e8145068d984a75c57d4a5f05e43779c81825ead8cf680851a95ce

SHA512
62d347cd8c09cd67636ccc6a94a9ed17fead70e3676ba5c07baf3e45432a0f94fd91ffd4786f3dd1fc4d4000956721fa2f6024ac3b66426b7158506c1a68e09b

Download Submit
memory/2220-1-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2220-2-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/2220-4-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2220-3-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2220-15-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2676-24-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2676-35-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/2676-29-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2676-26-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2676-25-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2676-28-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2676-23-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/2676-22-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2676-34-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2676-27-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2676-36-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2676-37-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2676-38-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2676-39-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2676-40-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2676-42-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2676-43-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2676-44-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2676-45-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2676-46-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads