e10530349cf0d2f459aa768f3f0c2b3974201c41faa24854209742e34a70721b

General

Target

4d148a355e035d52da1bb710e60f55fd.exe
Size

2.7MB
MD5

4d148a355e035d52da1bb710e60f55fd
SHA1

cccc50cf6adbe84d967ac2b9088f706d4165daf2
SHA256

e10530349cf0d2f459aa768f3f0c2b3974201c41faa24854209742e34a70721b
SHA512

5d5c1f772144d38c97070f3a821f6492d28a991ad251e052a04e735b2afc3dd42f30f06f24e2ca255fe00517c7e23f6668826ecaec26da6f1d58effd0a1a6059
SSDEEP

49152:oJy796EvMtTx435MtV+O14pWPMPdEAnPc5aIgqINUB+EuWi0+CSqvVBI1r/:d7AEvgVOI4QPc6dIcRso8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2120	4d148a355e035d52da1bb710e60f55fd.tmp
2756	WMF.exe

Loads dropped DLL 5 IoCs

pid	Process
1104	4d148a355e035d52da1bb710e60f55fd.exe
2120	4d148a355e035d52da1bb710e60f55fd.tmp
2120	4d148a355e035d52da1bb710e60f55fd.tmp
2120	4d148a355e035d52da1bb710e60f55fd.tmp
2120	4d148a355e035d52da1bb710e60f55fd.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2756	WMF.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 2120	1104	4d148a355e035d52da1bb710e60f55fd.exe	28
PID 1104 wrote to memory of 2120	1104	4d148a355e035d52da1bb710e60f55fd.exe	28
PID 1104 wrote to memory of 2120	1104	4d148a355e035d52da1bb710e60f55fd.exe	28
PID 1104 wrote to memory of 2120	1104	4d148a355e035d52da1bb710e60f55fd.exe	28
PID 1104 wrote to memory of 2120	1104	4d148a355e035d52da1bb710e60f55fd.exe	28
PID 1104 wrote to memory of 2120	1104	4d148a355e035d52da1bb710e60f55fd.exe	28
PID 1104 wrote to memory of 2120	1104	4d148a355e035d52da1bb710e60f55fd.exe	28
PID 2120 wrote to memory of 2756	2120	4d148a355e035d52da1bb710e60f55fd.tmp	29
PID 2120 wrote to memory of 2756	2120	4d148a355e035d52da1bb710e60f55fd.tmp	29
PID 2120 wrote to memory of 2756	2120	4d148a355e035d52da1bb710e60f55fd.tmp	29
PID 2120 wrote to memory of 2756	2120	4d148a355e035d52da1bb710e60f55fd.tmp	29

C:\Users\Admin\AppData\Local\Temp\4d148a355e035d52da1bb710e60f55fd.exe
"C:\Users\Admin\AppData\Local\Temp\4d148a355e035d52da1bb710e60f55fd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\AppData\Local\Temp\is-22J27.tmp\4d148a355e035d52da1bb710e60f55fd.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-22J27.tmp\4d148a355e035d52da1bb710e60f55fd.tmp" /SL5="$50150,2423269,153088,C:\Users\Admin\AppData\Local\Temp\4d148a355e035d52da1bb710e60f55fd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\is-LP780.tmp\WMF.exe
    "C:\Users\Admin\AppData\Local\Temp\is-LP780.tmp\WMF.exe" /aid=151 /sub=22 /sid=80 /name="berserk.film.torrent_final.zip" /fid= /stats=eZ0r7/y5w0CIiPIZDZ4v/9DwDGe04OJ2TB8pcK03kJPgNcfTd9SDmzOSmrlbczzjao9bLeh1aI6WZc14/aQ0yA== /param=0
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-LP780.tmp\WMF.exe

Filesize
445KB

MD5
6b8251aa8212ef42603decd31eb71357

SHA1
3078ee77e58772b6459911699c88173b0403e9c3

SHA256
efc6a99645236cac7e74fa833c9a391cf1c9498652dd94fcbedcd3506b5dd953

SHA512
c8df8b90b312ecff9189a5d6a2ab1a41c065db20bbe066df1affc79c9e283cee4b63946e5e8654ccc5d2d390316e3886e9960e6699cbc90c1daedec7f95186d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LP780.tmp\WMF.exe

Filesize
726KB

MD5
d4bf5ee9301edc431bbc79532258c08a

SHA1
e80b0d170238a2544b20c50a74c00f796a84e162

SHA256
e461703bda4a0267cf14e70e792a85e484d2e0ff618a872e8be6c096db1037ed

SHA512
5f39ac3470127fc74a9268f271e7d99bcb7a4cc364a32e2be09a55654aa099276b05b96174574f3debc8fb36fc6879bd3a4edab802704838e2a479c7af96deab

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LP780.tmp\default.xml

Filesize
2KB

MD5
4c219b78a305d3e52c811542154bb224

SHA1
7efe3e383b29c808cfb3ad0fd90d627ea7b2b2bf

SHA256
a0dbdc08f771e32a5ef06f47b436afb270e860578971a974db0c34c0c1366a7c

SHA512
bced9584568b011c0b2013e48d6b9503f77b01c57e2049722326a40363ce42c533e590c4583cf0cf3a5391f3208db8135b5afdc27ae7359af3ded66b11e628b8

Download Submit
\Users\Admin\AppData\Local\Temp\is-22J27.tmp\4d148a355e035d52da1bb710e60f55fd.tmp

Filesize
1.1MB

MD5
8811a0652c18dbcf68955f99df537eb8

SHA1
70cff6c43c0f873295dc085018639dff02f33012

SHA256
d69f51e65e3944891ec9c392b3d7410d81f8f93e55b9071584bfd1d384862230

SHA512
ed2ff6cfe272a8ae260233a1bb653adc0eaae13388418a9dea692b9924999d89b8677b8669fa24dcb0c606cfca7045bef779e1c58547f3f17d5096cbbe31d60a

Download Submit
\Users\Admin\AppData\Local\Temp\is-LP780.tmp\WMF.exe

Filesize
544KB

MD5
143150b496aefddce3565c82630fd4b3

SHA1
76165ed38ee9d07682ea13b39312437435dd9d7f

SHA256
01c30a5ce4660fec79545f8725d7eb5aac61fe208e017eb06945c33dfa6585d1

SHA512
3b9ff9bfdb38f436942fb188c78fe39a7d27ab8f9901b98e81a14b4ba418aa0d50ab9fb6d561541321539aa95171b578c5be7cbfa135fb38aba877e054ab9038

Download Submit
\Users\Admin\AppData\Local\Temp\is-LP780.tmp\WMF.exe

Filesize
710KB

MD5
3d1a6bca42be3143d829f7bfc9568c3b

SHA1
e6d4e8b7c460022cd1c11dea879f09cbabd251d2

SHA256
5413681aaa4a662bbb544c6423f44a99206f9689bdedec06c793b8784316fdec

SHA512
6c4d6950bf895715040c5074aeeb069916e4a4acfa24a6290fb0216305e1f83f9694531bedc6f6e5659add28b9614224b4015bf33295113adca104baa8ffd25c

Download Submit
\Users\Admin\AppData\Local\Temp\is-LP780.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1104-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1104-43-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2120-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2120-44-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2120-49-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2756-41-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2756-45-0x0000000000400000-0x0000000000801000-memory.dmp

Filesize
4.0MB

Download
memory/2756-50-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing