5c80e80a7464376aaa807119a5509f18363f17aac6c9b4cd2e2465a920b92aab

General

Target

4370c14bf2e70c1999ea1e819a8a624e.exe
Size

134KB
MD5

4370c14bf2e70c1999ea1e819a8a624e
SHA1

a602af5ba6dedc0c761ac0453265190e014bb5e7
SHA256

5c80e80a7464376aaa807119a5509f18363f17aac6c9b4cd2e2465a920b92aab
SHA512

10b58f5e954c954ba63622c4b290b071b4294093c4b7aa94f40fce99fc7dc5500edbabe648bb45eb280f59ffcb0948a285d3c72646521c659134c209ffbd077e
SSDEEP

3072:/nOn7t7XpdpCCTg/sxFgJMeq8KRoCtvyc9ke10fWo+jQK/zQ84XdF9GcubgC:/KpdcCrTv8KXNbJ1tRN/zh4bHCgC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2392	downloadmr.exe

Loads dropped DLL 3 IoCs

pid	Process
1732	4370c14bf2e70c1999ea1e819a8a624e.exe
1732	4370c14bf2e70c1999ea1e819a8a624e.exe
1732	4370c14bf2e70c1999ea1e819a8a624e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2392	1732	4370c14bf2e70c1999ea1e819a8a624e.exe	17
PID 1732 wrote to memory of 2392	1732	4370c14bf2e70c1999ea1e819a8a624e.exe	17
PID 1732 wrote to memory of 2392	1732	4370c14bf2e70c1999ea1e819a8a624e.exe	17
PID 1732 wrote to memory of 2392	1732	4370c14bf2e70c1999ea1e819a8a624e.exe	17

C:\Users\Admin\AppData\Local\Temp\4370c14bf2e70c1999ea1e819a8a624e.exe
"C:\Users\Admin\AppData\Local\Temp\4370c14bf2e70c1999ea1e819a8a624e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\nsy143E.tmp\downloadmr.exe
  C:\Users\Admin\AppData\Local\Temp\nsy143E.tmp\downloadmr.exe /e1003 /u4d48823a-b8b4-4f4d-b72e-794a5bc06ebe
  2⤵
  - Executes dropped EXE
  PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab1595.tmp

Filesize
9KB

MD5
b6596d28bbcad4a4f6c82b3311f355be

SHA1
44724f630e8e9bf974a56fb7d3b12f69e68b0b1d

SHA256
20b4cf389d835bda82c4e8de4ed86bace2d094a71fd8a3a5c95d7af12544155d

SHA512
a1642040120aeedc2f1908c253a25aa5d4c4d1b8b509bded4a9ca76c75981bb7824c3cf8e949c8f369740585c220e8e5422913e7d89a5b3b92cb44ea46be23ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar15B7.tmp

Filesize
16KB

MD5
6ad46c6eae0998036228aa21872a218e

SHA1
b28aa42007374a6bf5c53d98776952db5b81d7ea

SHA256
0f0cb68f0ce9b6de2ba1b2f3ebba165b9e1565e251af21a56c72b0d074440e30

SHA512
678eb193cdfe9850ddd8ccea54387373ea63258fcb98a56d377538a724a895c13884518d7b919c1dd9cc9a651a5e0f19eb22b1329353f3e59e84fca23b3aabb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy143E.tmp\System.dll

Filesize
9KB

MD5
bd83d9fa34d77abd5f9213a0a7d23ffe

SHA1
9033cd12072b821e17f174cc6a9d85ecd0a6c2f2

SHA256
fb33cca24665faa56127ccf040c84440bec4e8d634494689c2e962504d8275f7

SHA512
825065e359e139e8ecfe9f53dc826d68a44f2b990ea8d775ad0cdeb7cd329c7fdc4b11dcb4f2b961026843325595326fe1c42fe098ef1680b2194e785c834254

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy143E.tmp\downloadmr.exe

Filesize
20KB

MD5
9517e327a9ec829ca9fbd933caa2f1d6

SHA1
70ab715505b2f8788eea8177ab2f1c26252385f2

SHA256
1dce5301a80746a4d5427ff14332457f4278267c23c232e491ff25d0a4d305eb

SHA512
71ae8eff18eca902f9463bd635ec8a4e598ef613c7f35b0dfceff5563905703ba322c73fcf5a0807f4941327e73ad082627902a6e4f2f54654010f4df581918d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy143E.tmp\System.dll

Filesize
3KB

MD5
8e306e2e514d670e23872ccecdb09245

SHA1
321dcc9bb60c9420310ea08498cd8e587516523d

SHA256
fd22410a46402978041d94b7fa0d7a77219a3161d6e3086232a882c4244a5277

SHA512
b15f7a4b14a37d6a0950226fdb3d73692c05316a38b5320eb9e814fc274513530993a8f3987e4ba473253534b2b869b03b67ed794875f6cf29fe167af6ce82f6

Download Submit
\Users\Admin\AppData\Local\Temp\nsy143E.tmp\System.dll

Filesize
1KB

MD5
8143e59c2b92661b705733d2ac1abe10

SHA1
d9ac6750f186ad7025ce4e03082fc6b3116a3294

SHA256
298d293a33588c53853c11884f93bf103d0716cdb7fcfbb4f1efaaa8b9aeb5b3

SHA512
1eb9f318db0e5b409d61a8eb7a80016ac912bb7639b04b5ece8d10bedcf3881e52d27ee47769e37ba332e82bad3c826b633067557133b8fa7bce7dd4c436ad77

Download Submit
\Users\Admin\AppData\Local\Temp\nsy143E.tmp\downloadmr.exe

Filesize
27KB

MD5
b0b7f2e6986ef5452640fe3bc6369fb6

SHA1
37bd01a763fb6dd5d3f0b8808920084891a1dece

SHA256
edf1ce1d721fb5ec48c651660cbcae66fbcfaf88cfca98c7690dce423a2a24c0

SHA512
74c6ab5647a7416bc451f1c46cbf920bc34682780a34062e0171e081a54167dc57b36b6384f088471cc277bdc9e2b8d57e20c5d26bcfcb9a388b558d1853a464

Download Submit
memory/1732-63-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1732-90-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1732-64-0x000000006E3C0000-0x000000006E3CD000-memory.dmp

Filesize
52KB

Download
memory/2392-15-0x0000000073CA0000-0x000000007424B000-memory.dmp

Filesize
5.7MB

Download
memory/2392-24-0x0000000073CA0000-0x000000007424B000-memory.dmp

Filesize
5.7MB

Download
memory/2392-81-0x0000000000CF0000-0x0000000000D30000-memory.dmp

Filesize
256KB

Download
memory/2392-80-0x0000000000CF0000-0x0000000000D30000-memory.dmp

Filesize
256KB

Download
memory/2392-83-0x0000000000CF0000-0x0000000000D30000-memory.dmp

Filesize
256KB

Download
memory/2392-85-0x0000000007090000-0x0000000007190000-memory.dmp

Filesize
1024KB

Download
memory/2392-84-0x0000000000CF0000-0x0000000000D30000-memory.dmp

Filesize
256KB

Download
memory/2392-82-0x0000000073CA0000-0x000000007424B000-memory.dmp

Filesize
5.7MB

Download
memory/2392-86-0x0000000073CA0000-0x000000007424B000-memory.dmp

Filesize
5.7MB

Download
memory/2392-23-0x0000000000CF0000-0x0000000000D30000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing