75f112eb3ae0172206662d1c162afee8b40a62778f20ba42428e95c1de2f7288

General

Target

3f67b266efd7009ca4f612cd4bc6cddd.exe
Size

36KB
MD5

3f67b266efd7009ca4f612cd4bc6cddd
SHA1

142c734fe0d97fa1d5d8fef86ad1558915870d0b
SHA256

75f112eb3ae0172206662d1c162afee8b40a62778f20ba42428e95c1de2f7288
SHA512

95fac4cd573248bacc1bd09514729ed3f7a8c57e84cf2ad09ad36205651d4e4e12a98dbdc7ca1e74c20dab14d3fc7bd28cbc018f60a7ee2346cf32639df5a0aa
SSDEEP

768:5rlSw0hgIj8xP+Ucci6forHtRpxcabUrdwVcME4++L7Z:5rs6FNKciioJJcabQdUE4++nZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1728	BINR.exe
2704	ssvchost.exe
2972	msvchost.exe

Loads dropped DLL 12 IoCs

pid	Process
1612	3f67b266efd7009ca4f612cd4bc6cddd.exe
1612	3f67b266efd7009ca4f612cd4bc6cddd.exe
1728	BINR.exe
1728	BINR.exe
1728	BINR.exe
2704	ssvchost.exe
2704	ssvchost.exe
1184	WerFault.exe
1184	WerFault.exe
1184	WerFault.exe
1184	WerFault.exe
1184	WerFault.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regm64.dll	BINR.exe
File created	C:\Windows\SysWOW64\msvchost.exe	BINR.exe
File opened for modification	C:\Windows\SysWOW64\msvchost.exe	BINR.exe
File created	C:\Windows\SysWOW64\ssvchost.exe	BINR.exe
File opened for modification	C:\Windows\SysWOW64\rmnl.dll	msvchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1184	2972	WerFault.exe	33

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2676	DllHost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1728	BINR.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1728	1612	3f67b266efd7009ca4f612cd4bc6cddd.exe	31
PID 1612 wrote to memory of 1728	1612	3f67b266efd7009ca4f612cd4bc6cddd.exe	31
PID 1612 wrote to memory of 1728	1612	3f67b266efd7009ca4f612cd4bc6cddd.exe	31
PID 1612 wrote to memory of 1728	1612	3f67b266efd7009ca4f612cd4bc6cddd.exe	31
PID 1728 wrote to memory of 2704	1728	BINR.exe	32
PID 1728 wrote to memory of 2704	1728	BINR.exe	32
PID 1728 wrote to memory of 2704	1728	BINR.exe	32
PID 1728 wrote to memory of 2704	1728	BINR.exe	32
PID 2704 wrote to memory of 2972	2704	ssvchost.exe	33
PID 2704 wrote to memory of 2972	2704	ssvchost.exe	33
PID 2704 wrote to memory of 2972	2704	ssvchost.exe	33
PID 2704 wrote to memory of 2972	2704	ssvchost.exe	33
PID 2972 wrote to memory of 1184	2972	msvchost.exe	34
PID 2972 wrote to memory of 1184	2972	msvchost.exe	34
PID 2972 wrote to memory of 1184	2972	msvchost.exe	34
PID 2972 wrote to memory of 1184	2972	msvchost.exe	34

C:\Users\Admin\AppData\Local\Temp\3f67b266efd7009ca4f612cd4bc6cddd.exe
"C:\Users\Admin\AppData\Local\Temp\3f67b266efd7009ca4f612cd4bc6cddd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\BINR.exe
  C:\Users\Admin\AppData\Local\Temp\BINR.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\ssvchost.exe
    "C:\Windows\system32\ssvchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\msvchost.exe
      "C:\Windows\system32\msvchost.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 196
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1184

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BPA.JPG

Filesize
20KB

MD5
589d23607984760a03ff02e5c6333f0d

SHA1
d445c99e0d9eb4e1c48a19147f54ef2ae22f6260

SHA256
00e459d66b745fdf120e51a3804d9a156934dadd00bc3c8fa19b17e8b8a9bf99

SHA512
38389a24bb4d34e3692edf0b47558cdf17bda7084c4d1091369bdd0afa3339f5f3544d328c16adf2985fec9118b675eee67de36af7a8f9057ababaefed5211ba

Download Submit
\Users\Admin\AppData\Local\Temp\BINR.exe

Filesize
12KB

MD5
947e647325c221bf812d29d45d8e4361

SHA1
31f0bfe1407fc1d1caa3f1f3423b1f6397c1106b

SHA256
e12b8818d0c13b3aadcf86d3b3890a37c7d55b1de7a781cbc62516f32b6c2ccf

SHA512
7f816188fff02ce7eefb22efad4222799a6866b96caacc94b822daf10eed7702e49cdc37f8cd203847cdb0987d2a77a2201c13f40ae2942957f7f8f36a3decc7

Download Submit
\Windows\SysWOW64\regm64.dll

Filesize
12KB

MD5
618ba27f0502751f408b211f61747827

SHA1
c78868c7b629d2e5d4f447099c9726379b6d421d

SHA256
5c5b2b741b4a7a152f9750e36c61fab1f65ef41955013db8aa487a2ab29b6eb6

SHA512
de6454a04c43c4d0d7f6604b9c0e61eea5fa88b9c15253817b7823b9e3446778331d25ca005625b69bf1f1cf01abe6b89dcdb752d6e179cb59be31f0439fe99d

Download Submit
memory/1612-1-0x0000000002A10000-0x0000000002A12000-memory.dmp

Filesize
8KB

Download
memory/1612-28-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2676-2-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/2676-6-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/2676-44-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/2704-33-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2972-42-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing