2d44b8d2c8e1ecc441c1f29b4075b4a74e71945e5a54c12e2ce3817a09be46eb

General

Target

448a33771b5323ec203cff3dcbb49a84.exe
Size

440KB
MD5

448a33771b5323ec203cff3dcbb49a84
SHA1

80e7b63426144c2df542f1f95caafda2ca53234a
SHA256

2d44b8d2c8e1ecc441c1f29b4075b4a74e71945e5a54c12e2ce3817a09be46eb
SHA512

415b308ad7fd77467689e933cd5dba0b06b722c8b8daa02e9bac1e6d8d6a8fea290cacabaee3efa7de6548eccf3f83c0824c3a590f4438041ce656d86a27d69a
SSDEEP

6144:nJVfR7onE5R3w/Y5/tWkkVFvWLrymUj0sonzNYz6KGWnSRKxzBwkQ:nbBonaLc7+y+Sh7nJFN

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1740	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2896	rlhfllssil.exe

Loads dropped DLL 3 IoCs

pid	Process
1740	cmd.exe
1740	cmd.exe
2896	rlhfllssil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2796	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2824	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 1740	2380	448a33771b5323ec203cff3dcbb49a84.exe	18
PID 2380 wrote to memory of 1740	2380	448a33771b5323ec203cff3dcbb49a84.exe	18
PID 2380 wrote to memory of 1740	2380	448a33771b5323ec203cff3dcbb49a84.exe	18
PID 2380 wrote to memory of 1740	2380	448a33771b5323ec203cff3dcbb49a84.exe	18
PID 1740 wrote to memory of 2796	1740	cmd.exe	30
PID 1740 wrote to memory of 2796	1740	cmd.exe	30
PID 1740 wrote to memory of 2796	1740	cmd.exe	30
PID 1740 wrote to memory of 2796	1740	cmd.exe	30
PID 1740 wrote to memory of 2824	1740	cmd.exe	32
PID 1740 wrote to memory of 2824	1740	cmd.exe	32
PID 1740 wrote to memory of 2824	1740	cmd.exe	32
PID 1740 wrote to memory of 2824	1740	cmd.exe	32
PID 1740 wrote to memory of 2896	1740	cmd.exe	33
PID 1740 wrote to memory of 2896	1740	cmd.exe	33
PID 1740 wrote to memory of 2896	1740	cmd.exe	33
PID 1740 wrote to memory of 2896	1740	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\448a33771b5323ec203cff3dcbb49a84.exe
"C:\Users\Admin\AppData\Local\Temp\448a33771b5323ec203cff3dcbb49a84.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2380 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\448a33771b5323ec203cff3dcbb49a84.exe" & start C:\Users\Admin\AppData\Local\RLHFLL~1.EXE -f
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /pid 2380
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:2824
- - C:\Users\Admin\AppData\Local\rlhfllssil.exe
    C:\Users\Admin\AppData\Local\RLHFLL~1.EXE -f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\rlhfllssil.exe

Filesize
339KB

MD5
bad4613881de5404bbf1fdcca0c7e7cf

SHA1
e4808a0cd0d88753bac6c6b6253cbe1365435be6

SHA256
0319cc0cc7b7b82d902ac3267847bb42319f4a79ad726d467fba7fa80bc37b5e

SHA512
ca742c87cc420bee999d0d481aa4419ff21541196fd3d770e0a8fd951dd0eeb9de82d120f2e0a7028b90b0e03d2c7ec0a356f846416b328b836db8b8963d190a

Download Submit
C:\Users\Admin\AppData\Local\rlhfllssil.exe

Filesize
202KB

MD5
8720ec4787cda86fccbde0d7a82a5091

SHA1
d9a3c02937264c7b80f560e93bef0763ec16ae50

SHA256
25c7769ef0c566e5a5f5ac8c8a6bfcac5aa79871915898af32aa73ecf169bbb0

SHA512
17fc5a5fcd78b9511132b6cf2b7bdc4dcb6fce0e99cf2a31f50c35c240c2a66c9a67a7ff1052ef599f6e9cf47570a3ae388656612818d685ef63dc7a0eef80f4

Download Submit
\Users\Admin\AppData\Local\rlhfllssil.exe

Filesize
360KB

MD5
22257632b236f1ddba1bb0d22dd002a5

SHA1
4d562c39d2b3bd2bf6404c15a7719bf2a23ca417

SHA256
bfb0dd0f62833549b49aee923c4b7d26979f28446dcab290733b4882b96ccf19

SHA512
73a110bd08867e38f93803d0b8e4aa6ee77245783cfc2f01f5472397b0761f8c48983faf3368edae9647ed8995fa5bdc10531a377b956b42df05e8c2038214e8

Download Submit
\Users\Admin\AppData\Local\rlhfllssil.exe

Filesize
216KB

MD5
00aa12c1cb29d4f7d9f855f62a35f775

SHA1
c200ccc5132cb5b830827409a932c1ad5d891c91

SHA256
ca53c550b21dda46b9925816f3bda8a9094682b5093ef1be5cdaae3a91af3cc6

SHA512
20b05bdc32cbe9a6fa84e8ac33b3f60f2ecc18b80fe364f792fd28e59c2db50a326cfc6c514aaf339177b63646cfab89441845744ec0fb2ef19c58b13ef4bb6a

Download Submit
\Users\Admin\AppData\Local\rlhfllssil.exe

Filesize
302KB

MD5
492437df50b9ed39f87890626303be6d

SHA1
b15678a6f074120dee86a48e01dc8d8d44458bbf

SHA256
0d3065625fbddfd23cbbbe15b803c09189152df9cc4fdc93aea12d65f71bd4c9

SHA512
5fcd40ed28efcc6f9983a102c1efc1a436714cf861bda355457c4d4c32c0ba706e0670adba3ee2129dff8ab010a2fbe50236d35a897e3bed34a4036c77681f85

Download Submit
memory/2380-1-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2380-2-0x00000000002F0000-0x00000000002F2000-memory.dmp

Filesize
8KB

Download
memory/2380-0-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2380-4-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2896-10-0x0000000000270000-0x0000000000272000-memory.dmp

Filesize
8KB

Download
memory/2896-9-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2896-12-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing