46ca793a3a37e0ca9268c7f6b0e31b35db89792f6a95e6ea0f40b0de819687ba

General

Target

aad173f35bd54cd134a556a868dfc314.exe
Size

151KB
MD5

aad173f35bd54cd134a556a868dfc314
SHA1

06b1b11ad53ff1f5e88ff782f42ada6f89df13a5
SHA256

46ca793a3a37e0ca9268c7f6b0e31b35db89792f6a95e6ea0f40b0de819687ba
SHA512

28d25e0fe717a3bb5d89a7f5f04b486c374206ba9679ae236f6105204d037bb19c94d15102d06e82617b9dd38ab0830fe966e8fd6a9a3c83a8686d0fdcdf614d
SSDEEP

3072:zxJ4be9MbCNEVyPjH7IE2KawoZixHJSYxQzhFXsT:9IbAEVyPDhcep12q

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	aad173f35bd54cd134a556a868dfc314.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	aad173f35bd54cd134a556a868dfc314.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	aad173f35bd54cd134a556a868dfc314.exe
File opened (read-only)	\??\Q:	aad173f35bd54cd134a556a868dfc314.exe
File opened (read-only)	\??\L:	aad173f35bd54cd134a556a868dfc314.exe
File opened (read-only)	\??\E:	aad173f35bd54cd134a556a868dfc314.exe
File opened (read-only)	\??\Y:	aad173f35bd54cd134a556a868dfc314.exe
File opened (read-only)	\??\W:	aad173f35bd54cd134a556a868dfc314.exe
File opened (read-only)	\??\N:	aad173f35bd54cd134a556a868dfc314.exe
File opened (read-only)	\??\M:	aad173f35bd54cd134a556a868dfc314.exe
File opened (read-only)	\??\J:	aad173f35bd54cd134a556a868dfc314.exe
File opened (read-only)	\??\X:	aad173f35bd54cd134a556a868dfc314.exe
File opened (read-only)	\??\O:	aad173f35bd54cd134a556a868dfc314.exe
File opened (read-only)	\??\R:	aad173f35bd54cd134a556a868dfc314.exe
File opened (read-only)	\??\P:	aad173f35bd54cd134a556a868dfc314.exe
File opened (read-only)	\??\K:	aad173f35bd54cd134a556a868dfc314.exe
File opened (read-only)	\??\I:	aad173f35bd54cd134a556a868dfc314.exe
File opened (read-only)	\??\H:	aad173f35bd54cd134a556a868dfc314.exe
File opened (read-only)	\??\G:	aad173f35bd54cd134a556a868dfc314.exe
File opened (read-only)	\??\U:	aad173f35bd54cd134a556a868dfc314.exe
File opened (read-only)	\??\S:	aad173f35bd54cd134a556a868dfc314.exe
File opened (read-only)	\??\Z:	aad173f35bd54cd134a556a868dfc314.exe
File opened (read-only)	\??\T:	aad173f35bd54cd134a556a868dfc314.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	aad173f35bd54cd134a556a868dfc314.exe
File opened for modification	F:\autorun.inf	aad173f35bd54cd134a556a868dfc314.exe
File opened for modification	C:\autorun.inf	aad173f35bd54cd134a556a868dfc314.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\MSACCESS.EXE	aad173f35bd54cd134a556a868dfc314.exe
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\MSPUB.EXE	aad173f35bd54cd134a556a868dfc314.exe
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\OIS.EXE	aad173f35bd54cd134a556a868dfc314.exe
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\ONENOTE.EXE	aad173f35bd54cd134a556a868dfc314.exe
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\EXCEL.EXE	aad173f35bd54cd134a556a868dfc314.exe
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\GROOVE.EXE	aad173f35bd54cd134a556a868dfc314.exe
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\INFOPATH.EXE	aad173f35bd54cd134a556a868dfc314.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2216	aad173f35bd54cd134a556a868dfc314.exe

C:\Users\Admin\AppData\Local\Temp\aad173f35bd54cd134a556a868dfc314.exe
"C:\Users\Admin\AppData\Local\Temp\aad173f35bd54cd134a556a868dfc314.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

F:\zPharaoh.exe

Filesize
32KB

MD5
d86356e88f3f34fc4978afc743b6cd3b

SHA1
0a03231bc6010b54ef38c401eca2391438b11147

SHA256
ccc5d8e2eb63c1c1b7b56450c81c91c467bf617f0eb050882c091a94299d5b19

SHA512
ab652a90322c9e597dd555b30516b1570f7b0070137ab32dcffbcc977ff87c51e4806dae7cbc257a18f8ff7fae30aad6f8c55b3ef6c738444e43f0006e30922c

Download Submit
memory/2216-34-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2216-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads