eb01b6df8e806ed281634df13878069cda1f2fb700f3595719a247e19b01b069

General

Target

4bb20eea8ad652d0a7dbc586cc036166.exe
Size

914KB
MD5

4bb20eea8ad652d0a7dbc586cc036166
SHA1

863491c988880079055c3e32a45dcd4730e2695d
SHA256

eb01b6df8e806ed281634df13878069cda1f2fb700f3595719a247e19b01b069
SHA512

2e0539938ebf4fa041b0e274e6711700146f6e0694b21b975408e528f6df36c133d1120ae82436f84ab783deffe1b773db75ad5ff6d1af79a1e9e8cb2f087af1
SSDEEP

24576:3cNaDN4fLYRS83wLBX+R3/4M/9cloVhLTl:3waifYCJ+OI5Xv

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1932	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2772	5315918745.exe

Loads dropped DLL 4 IoCs

pid	Process
1932	cmd.exe
1932	cmd.exe
2772	5315918745.exe
2772	5315918745.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\4bb20eea8ad652d0a7dbc586cc036166 = "\"C:\\Users\\Admin\\AppData\\Local\\5315918745.exe\" 0 20 "	4bb20eea8ad652d0a7dbc586cc036166.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\5315918745 = "\"C:\\Users\\Admin\\AppData\\Local\\5315918745.exe\" 0 41 "	5315918745.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2708	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2772	5315918745.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2772	5315918745.exe
2772	5315918745.exe
2772	5315918745.exe
2772	5315918745.exe
2772	5315918745.exe
2772	5315918745.exe
2772	5315918745.exe
2772	5315918745.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2772	5315918745.exe
2772	5315918745.exe
2772	5315918745.exe
2772	5315918745.exe
2772	5315918745.exe
2772	5315918745.exe
2772	5315918745.exe
2772	5315918745.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 1932	1180	4bb20eea8ad652d0a7dbc586cc036166.exe	28
PID 1180 wrote to memory of 1932	1180	4bb20eea8ad652d0a7dbc586cc036166.exe	28
PID 1180 wrote to memory of 1932	1180	4bb20eea8ad652d0a7dbc586cc036166.exe	28
PID 1180 wrote to memory of 1932	1180	4bb20eea8ad652d0a7dbc586cc036166.exe	28
PID 1932 wrote to memory of 2708	1932	cmd.exe	30
PID 1932 wrote to memory of 2708	1932	cmd.exe	30
PID 1932 wrote to memory of 2708	1932	cmd.exe	30
PID 1932 wrote to memory of 2708	1932	cmd.exe	30
PID 1932 wrote to memory of 2772	1932	cmd.exe	31
PID 1932 wrote to memory of 2772	1932	cmd.exe	31
PID 1932 wrote to memory of 2772	1932	cmd.exe	31
PID 1932 wrote to memory of 2772	1932	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\4bb20eea8ad652d0a7dbc586cc036166.exe
"C:\Users\Admin\AppData\Local\Temp\4bb20eea8ad652d0a7dbc586cc036166.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\467898.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v 4bb20eea8ad652d0a7dbc586cc036166 /f
    3⤵
    - Modifies registry key
    PID:2708
- - C:\Users\Admin\AppData\Local\5315918745.exe
    C:\Users\Admin\AppData\Local\531591~1.EXE -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\467898.bat

Filesize
424B

MD5
6660904842096ef150959ef515643c49

SHA1
d5313164f62f0abd320258e785b51dcecba3fbf6

SHA256
00cd66b459cea2a2a05334df2c04ddf3659d59a81bd4f45e95f9f9557e555f6d

SHA512
dd58b11c4b79d7eb0fc6bcada3439428018a38b92628674cd42543d7602641a8e26fb65b2ea2f8883537b65bd56ce264cbdf8e5329fd8aca658beaec086daea6

Download Submit
\Users\Admin\AppData\Local\5315918745.exe

Filesize
914KB

MD5
4bb20eea8ad652d0a7dbc586cc036166

SHA1
863491c988880079055c3e32a45dcd4730e2695d

SHA256
eb01b6df8e806ed281634df13878069cda1f2fb700f3595719a247e19b01b069

SHA512
2e0539938ebf4fa041b0e274e6711700146f6e0694b21b975408e528f6df36c133d1120ae82436f84ab783deffe1b773db75ad5ff6d1af79a1e9e8cb2f087af1

Download Submit
memory/1180-1-0x0000000000400000-0x0000000000831617-memory.dmp

Filesize
4.2MB

Download
memory/1180-2-0x00000000008C0000-0x0000000000AC0000-memory.dmp

Filesize
2.0MB

Download
memory/1180-3-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/1180-4-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1180-14-0x0000000000400000-0x0000000000831617-memory.dmp

Filesize
4.2MB

Download
memory/2772-21-0x0000000000950000-0x0000000000B50000-memory.dmp

Filesize
2.0MB

Download
memory/2772-22-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2772-24-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads