e90f2446257fe800d9717bba35490895588d861bbd6aff6c69919a1dd201253b

General

Target

535ded1ac6be8b4229c473b7dd2fd409.exe
Size

2.5MB
MD5

535ded1ac6be8b4229c473b7dd2fd409
SHA1

9aca7d3f67d5689770a929e3acdf5d83984535bd
SHA256

e90f2446257fe800d9717bba35490895588d861bbd6aff6c69919a1dd201253b
SHA512

3dc79a18d806d9b4e7985caaf1013110a37a9b78ad98332455345aa359b6ca5172d7fa1aa591f9c9cdd9e75f84e3bd0db7df6add43fb6e13bb976702c9fc0cf0
SSDEEP

49152:oky796EvMtTx435MtV+Oj29Ls3t/cwCxHHlc2KP1z8o/MO2Uqed3yBI1r6:o7AEvgVOy29Ls3JslVYzjMO26i1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1912	535ded1ac6be8b4229c473b7dd2fd409.tmp
2936	WMF.exe

Loads dropped DLL 5 IoCs

pid	Process
2932	535ded1ac6be8b4229c473b7dd2fd409.exe
1912	535ded1ac6be8b4229c473b7dd2fd409.tmp
1912	535ded1ac6be8b4229c473b7dd2fd409.tmp
1912	535ded1ac6be8b4229c473b7dd2fd409.tmp
1912	535ded1ac6be8b4229c473b7dd2fd409.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2936	WMF.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 1912	2932	535ded1ac6be8b4229c473b7dd2fd409.exe	28
PID 2932 wrote to memory of 1912	2932	535ded1ac6be8b4229c473b7dd2fd409.exe	28
PID 2932 wrote to memory of 1912	2932	535ded1ac6be8b4229c473b7dd2fd409.exe	28
PID 2932 wrote to memory of 1912	2932	535ded1ac6be8b4229c473b7dd2fd409.exe	28
PID 2932 wrote to memory of 1912	2932	535ded1ac6be8b4229c473b7dd2fd409.exe	28
PID 2932 wrote to memory of 1912	2932	535ded1ac6be8b4229c473b7dd2fd409.exe	28
PID 2932 wrote to memory of 1912	2932	535ded1ac6be8b4229c473b7dd2fd409.exe	28
PID 1912 wrote to memory of 2936	1912	535ded1ac6be8b4229c473b7dd2fd409.tmp	29
PID 1912 wrote to memory of 2936	1912	535ded1ac6be8b4229c473b7dd2fd409.tmp	29
PID 1912 wrote to memory of 2936	1912	535ded1ac6be8b4229c473b7dd2fd409.tmp	29
PID 1912 wrote to memory of 2936	1912	535ded1ac6be8b4229c473b7dd2fd409.tmp	29

C:\Users\Admin\AppData\Local\Temp\535ded1ac6be8b4229c473b7dd2fd409.exe
"C:\Users\Admin\AppData\Local\Temp\535ded1ac6be8b4229c473b7dd2fd409.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\is-6QMO1.tmp\535ded1ac6be8b4229c473b7dd2fd409.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-6QMO1.tmp\535ded1ac6be8b4229c473b7dd2fd409.tmp" /SL5="$500E0,2280122,153088,C:\Users\Admin\AppData\Local\Temp\535ded1ac6be8b4229c473b7dd2fd409.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Users\Admin\AppData\Local\Temp\is-SDJ55.tmp\WMF.exe
    "C:\Users\Admin\AppData\Local\Temp\is-SDJ55.tmp\WMF.exe" /aid=0 /sub=0 /sid=42 /name="8.rar" /fid= /stats=uhXahdQwjgz0bIbFCS1YJKKBJsZ82zBqiwgVpPkbhdKvtnAToRwReyXmsM6LREsoVbTWb+9INw3LdT9Ouchy/w== /param=0
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-SDJ55.tmp\WMF.exe

Filesize
995KB

MD5
f2b8b3d2e6681d0f1b44be0c2282305c

SHA1
c769866afd05248cd30acabdade819213f43fd38

SHA256
7cc2c2285b208d936669228c457117363dd94f7ba9d1ff4a59cb8bd96a89c031

SHA512
25120c7fe7c3ff297d25788de361c5fe2b14d1294b3aaaea656cea5ec020bebbaa1fedb5294a27cf01a157a36a5fbb6b16238cdb0b4fadda4c25489cebffeb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SDJ55.tmp\WMF.exe

Filesize
872KB

MD5
d7b1f5253b684125a1cab0755e7ff604

SHA1
77da1d03161fe0fab1cd8bdcf515c9ac89b957c4

SHA256
9b15deed93287a1837486ffca71914deabfd84d5eedef26e74b5daefcae0132c

SHA512
58499915fd8952930cfc1d36c6aedcf1c4a44b75df123ae20a1e8c38e5976bb9d3c3f4d6a04473edec6170fdd6d6cb10f596fc9fd304502a86f6f780f226372e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SDJ55.tmp\default.xml

Filesize
2KB

MD5
4c219b78a305d3e52c811542154bb224

SHA1
7efe3e383b29c808cfb3ad0fd90d627ea7b2b2bf

SHA256
a0dbdc08f771e32a5ef06f47b436afb270e860578971a974db0c34c0c1366a7c

SHA512
bced9584568b011c0b2013e48d6b9503f77b01c57e2049722326a40363ce42c533e590c4583cf0cf3a5391f3208db8135b5afdc27ae7359af3ded66b11e628b8

Download Submit
\Users\Admin\AppData\Local\Temp\is-6QMO1.tmp\535ded1ac6be8b4229c473b7dd2fd409.tmp

Filesize
1.1MB

MD5
8811a0652c18dbcf68955f99df537eb8

SHA1
70cff6c43c0f873295dc085018639dff02f33012

SHA256
d69f51e65e3944891ec9c392b3d7410d81f8f93e55b9071584bfd1d384862230

SHA512
ed2ff6cfe272a8ae260233a1bb653adc0eaae13388418a9dea692b9924999d89b8677b8669fa24dcb0c606cfca7045bef779e1c58547f3f17d5096cbbe31d60a

Download Submit
\Users\Admin\AppData\Local\Temp\is-SDJ55.tmp\WMF.exe

Filesize
1.3MB

MD5
0a9ced8b6a45f06a362ad06dda6fe00d

SHA1
108e0f2f3dd648453704b887ac3d8d70be4b009a

SHA256
3fd149b1bbbe96e8261ad8f68cb3e26d31f68a3b3660283d31db458479392dc2

SHA512
8834bf9987415eecf959835572d609c6850f0718466a4de2fb96751d2ea165736c8ba7d7c52f26dcfcf7f6207a9d23e926c4c75a699deb39f3b2e1aca7be5561

Download Submit
\Users\Admin\AppData\Local\Temp\is-SDJ55.tmp\WMF.exe

Filesize
1.1MB

MD5
53d39362e8f1213dffab4e85b829b467

SHA1
a2cf265536ccd22b1dc1bd62d86ba162d45a4b09

SHA256
222875f78cc852e95ef4d20a1348d8f891272f08fe75e03a0f042f99bbd6c087

SHA512
60de14273f3497f07c492fee4527a06c8ff6041ea2fd6ca25ca4218ae871383050f5b712e57488d975b344bfbf89a8e19806bf8aea77d24c61087e43c5542deb

Download Submit
\Users\Admin\AppData\Local\Temp\is-SDJ55.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1912-7-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1912-40-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1912-45-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2932-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2932-39-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2936-37-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2936-41-0x0000000000400000-0x00000000007E2000-memory.dmp

Filesize
3.9MB

Download
memory/2936-46-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing