79e9b5dceccec273446db7930a29243dba1e3b2a2da8bfa965f444daee444bdd

General

Target

3f0ac30243cda7a1e685422fa8562876.exe
Size

50KB
MD5

3f0ac30243cda7a1e685422fa8562876
SHA1

820b4794d5a896b17ff6cee43b372378ab9ca33e
SHA256

79e9b5dceccec273446db7930a29243dba1e3b2a2da8bfa965f444daee444bdd
SHA512

45d5d3e9337691e4cae9c24ec396aec890959c77b00b7c8ccd252ee81d4ca62ff23bbadf0bb56da8ebdcaed77acdcf58223d04eb6c9c9373e474ad4a92125423
SSDEEP

768:5cVJYDePPUXb5CKvBmAbDCLOhRjMss59QLfN2ssvVEyewqHBCohL3quOlsCT:KqDQPUXb5zBmAKLImmZ1s+yewq0tlLT

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\WinRAR\winRarExt64.dat	3f0ac30243cda7a1e685422fa8562876.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\3f0ac30243cda7a1e685422fa8562876.exe
"C:\Users\Admin\AppData\Local\Temp\3f0ac30243cda7a1e685422fa8562876.exe"
1⤵
- Drops file in Program Files directory
PID:2600
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://jump3.35638.com:27889/report3.ashx?m=E2-26-93-87-CB-8A&mid=21663&tid=1&d=2fe2363f543942169dd4b477161e3c3b&uid=13729&t=
  2⤵
  PID:3948
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3948 CREDAT:17410 /prefetch:2
    3⤵
    PID:4716
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.38522.com/bhy.html?popup
  2⤵
  PID:536
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:536 CREDAT:17410 /prefetch:2
    3⤵
    PID:1920
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://tc.58816.com/
  2⤵
  PID:3496
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3496 CREDAT:17410 /prefetch:2
    3⤵
    PID:1660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3F0AC3~1.EXE > nul
  2⤵
  PID:5008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat" "
  2⤵
  PID:3112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  PID:1252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  PID:4016

C:\Users\Admin\AppData\Local\Temp\ins5004.tmp
C:\Users\Admin\AppData\Local\Temp\ins5004.tmp inlink-verycm.tmp
1⤵
PID:1472
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\ins5004.tmp > nul
  2⤵
  PID:1164

C:\Windows\SysWOW64\expand.exe
expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
1⤵
PID:1512

C:\Windows\SysWOW64\expand.exe
expand.exe "C:\Users\Admin\AppData\Local\Temp\desktop_url.cab" -F:*.* "C:\Users\Admin\Desktop"
1⤵
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{81524DFB-AA79-11EE-A0B6-E2269387CB8A}.dat

Filesize
5KB

MD5
a2991997ce55b6561ed401e0dc4a4dc6

SHA1
6e0862b255b6e142a23a2505326aa10e20783dc0

SHA256
a429621ab8b033f1ef4cc8c3056a932a041e95d19d6af739a723ce7ce12089ec

SHA512
22d3a6d02342407a12b785d9fdcb4e6a8a5d85c81080fc998c6c9f39cf6ca513ee3e180a9c91effc249792d1672ed54d72c97295ee7c966822662f2b89afc397

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{815974E6-AA79-11EE-A0B6-E2269387CB8A}.dat

Filesize
5KB

MD5
ab4075f1ffff100334b2c77c6549140c

SHA1
4099c42c073bd8f6f4fc0113476ce4a486184973

SHA256
157f768caf3e29dc22c293672f192b22ac9f76f6a91da874fcd6bae78932e722

SHA512
ba02ea8c695051f35d816d48f95f5ea60a88026d56ea3248904950b988bc514be2e90392ff261ee0c6c382dbfc2669d5a8d5f67a6646bfb3b5a542c44cfa9e0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{815BD766-AA79-11EE-A0B6-E2269387CB8A}.dat

Filesize
4KB

MD5
5e50875cd20a2a35ab2e160e548169d4

SHA1
b1f5be81fde1fb1005874ccfc67eb87728dbe394

SHA256
55f542a4e3acb6615a01b7419e399dea83b2a73cdc68c1c0cf3d2d776744bab6

SHA512
a629b48d4dd96e0fe7fe3a1fb4f0f9c51ddcba3eda813f076547645bc825d44e0528e0343c9d7891453ecd5a97d62835c305a60f4827da58533c197f2b4e89d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\inlink-verycm.tmp

Filesize
787B

MD5
b3f64ef34df4e66d7555ca857f86ca82

SHA1
243ea301795726eb1940757b0a948ef417b0c01c

SHA256
2c5861dd96d30519a5b3bb22b1ac2b4d7ffaae196de1b47501b86a7c17a8977c

SHA512
5fe666498ee7e1385e5d3a65ab9840790359972e8bd0515a25e6d8f194ef8cc550e1e0e02eeeec1b83188cae7f628247fd21fd99e233a17dc2c18399a124cce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ins5004.tmp

Filesize
1.3MB

MD5
a5b3d1e318fdd6f833a374266a423f93

SHA1
39bb15ad184d3087702eee3b5fdaaa4446d07816

SHA256
c383dcd7a9b43f2991b24a20084a6e6fc7a6d9ceb6fe28bc32a4bb5170356aca

SHA512
c034546690fb378551652e4ad3a254016657a16ac4a83b1731e3742f3196db8d723838b9787b16d3f98a02f583851587c9de0e90c1039ca8e705dc694b5e7869

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
63B

MD5
0793df1f09ce45d8d6fe936102f78579

SHA1
5af26109fa3e88be26400cbc5ddd215be5d98388

SHA256
4a86b16771535a446c9f5251ebb887f2244a54cf6f0a75d5232fc95cb64204de

SHA512
103eed049365819c0860c7898504fda560e868e20cad9ec350e1d68c467d1f74325fecfcce599a01ce1f664d40e214583f44fd06a36b907be045c2303c7be160

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat

Filesize
94B

MD5
d5fc3a9ec15a6302543438928c29e284

SHA1
fd4199e543f683a8830a88f8ac0d0f001952b506

SHA256
b2160315eb2f3bcb2e7601e0ce7fbb4ed72094b891d3db3b5119b07eeccc568d

SHA512
4d0378480f1e7d5bee5cf8f8cd3495745c05408785ab687b92be739cd64c077f0e3ee26d6d96e27eb6e2c3dec5f39a2766c45854dc2d6a5b6defc672aeafa0f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
memory/1472-58-0x0000000000190000-0x0000000000192000-memory.dmp

Filesize
8KB

Download
memory/1472-54-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2600-32-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing