01bd6f2f20c8465117f3938b1e4d1b4d70496ced89318941645ba684eefc212e

General

Target

3f6d72ea1d5ea8e6caddb3591ed3d5f4.exe
Size

268KB
MD5

3f6d72ea1d5ea8e6caddb3591ed3d5f4
SHA1

121085526309da296162fa41757ca981359d6dec
SHA256

01bd6f2f20c8465117f3938b1e4d1b4d70496ced89318941645ba684eefc212e
SHA512

5915353f5f6045ad5979d348c6e070d053a5bb24c3a2c8f037b522872c88fd19552a529e0cd764b6f5617415166ef2de542600c291056b4ab1e31b9417d40870
SSDEEP

6144:7HD/PNK2Thhg+zyUIGqf1cukUuAVF0isM1g0:7HrPNKNtxGgtXdsM1g

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1540	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2660	woryjvmole.exe

Loads dropped DLL 4 IoCs

pid	Process
1540	cmd.exe
1540	cmd.exe
2660	woryjvmole.exe
2660	woryjvmole.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2548	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2796	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2660	woryjvmole.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2660	woryjvmole.exe
2660	woryjvmole.exe
2660	woryjvmole.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2660	woryjvmole.exe
2660	woryjvmole.exe
2660	woryjvmole.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1540	2028	3f6d72ea1d5ea8e6caddb3591ed3d5f4.exe	30
PID 2028 wrote to memory of 1540	2028	3f6d72ea1d5ea8e6caddb3591ed3d5f4.exe	30
PID 2028 wrote to memory of 1540	2028	3f6d72ea1d5ea8e6caddb3591ed3d5f4.exe	30
PID 2028 wrote to memory of 1540	2028	3f6d72ea1d5ea8e6caddb3591ed3d5f4.exe	30
PID 1540 wrote to memory of 2548	1540	cmd.exe	31
PID 1540 wrote to memory of 2548	1540	cmd.exe	31
PID 1540 wrote to memory of 2548	1540	cmd.exe	31
PID 1540 wrote to memory of 2548	1540	cmd.exe	31
PID 1540 wrote to memory of 2796	1540	cmd.exe	34
PID 1540 wrote to memory of 2796	1540	cmd.exe	34
PID 1540 wrote to memory of 2796	1540	cmd.exe	34
PID 1540 wrote to memory of 2796	1540	cmd.exe	34
PID 1540 wrote to memory of 2660	1540	cmd.exe	35
PID 1540 wrote to memory of 2660	1540	cmd.exe	35
PID 1540 wrote to memory of 2660	1540	cmd.exe	35
PID 1540 wrote to memory of 2660	1540	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\3f6d72ea1d5ea8e6caddb3591ed3d5f4.exe
"C:\Users\Admin\AppData\Local\Temp\3f6d72ea1d5ea8e6caddb3591ed3d5f4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2028 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3f6d72ea1d5ea8e6caddb3591ed3d5f4.exe" & start C:\Users\Admin\AppData\Local\WORYJV~1.EXE -f
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /pid 2028
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:2796
- - C:\Users\Admin\AppData\Local\woryjvmole.exe
    C:\Users\Admin\AppData\Local\WORYJV~1.EXE -f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\woryjvmole.exe

Filesize
268KB

MD5
3f6d72ea1d5ea8e6caddb3591ed3d5f4

SHA1
121085526309da296162fa41757ca981359d6dec

SHA256
01bd6f2f20c8465117f3938b1e4d1b4d70496ced89318941645ba684eefc212e

SHA512
5915353f5f6045ad5979d348c6e070d053a5bb24c3a2c8f037b522872c88fd19552a529e0cd764b6f5617415166ef2de542600c291056b4ab1e31b9417d40870

Download Submit
memory/2028-0-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/2028-1-0x0000000001000000-0x00000000010DA000-memory.dmp

Filesize
872KB

Download
memory/2028-2-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2028-4-0x0000000001000000-0x00000000010DA000-memory.dmp

Filesize
872KB

Download
memory/2660-13-0x0000000001000000-0x00000000010DA000-memory.dmp

Filesize
872KB

Download
memory/2660-19-0x0000000001000000-0x00000000010DA000-memory.dmp

Filesize
872KB

Download
memory/2660-12-0x0000000001000000-0x00000000010DA000-memory.dmp

Filesize
872KB

Download
memory/2660-9-0x0000000001000000-0x00000000010DA000-memory.dmp

Filesize
872KB

Download
memory/2660-14-0x0000000001000000-0x00000000010DA000-memory.dmp

Filesize
872KB

Download
memory/2660-17-0x0000000001000000-0x00000000010DA000-memory.dmp

Filesize
872KB

Download
memory/2660-18-0x0000000001000000-0x00000000010DA000-memory.dmp

Filesize
872KB

Download
memory/2660-10-0x00000000002A0000-0x00000000002A2000-memory.dmp

Filesize
8KB

Download
memory/2660-21-0x0000000001000000-0x00000000010DA000-memory.dmp

Filesize
872KB

Download
memory/2660-22-0x0000000001000000-0x00000000010DA000-memory.dmp

Filesize
872KB

Download
memory/2660-23-0x0000000001000000-0x00000000010DA000-memory.dmp

Filesize
872KB

Download
memory/2660-24-0x0000000001000000-0x00000000010DA000-memory.dmp

Filesize
872KB

Download
memory/2660-25-0x0000000001000000-0x00000000010DA000-memory.dmp

Filesize
872KB

Download
memory/2660-26-0x0000000001000000-0x00000000010DA000-memory.dmp

Filesize
872KB

Download

Analysis

Sharing