f01cf298000932a1866efc07845e348454d31e082513d58bac4023895976c7cf

General

Target

571128a44326144850262cb5e04dcb45.exe
Size

1.2MB
MD5

571128a44326144850262cb5e04dcb45
SHA1

03d037a9ed7fd22b002563b76b65919fd40c50f4
SHA256

f01cf298000932a1866efc07845e348454d31e082513d58bac4023895976c7cf
SHA512

387c0633fb01d8de0b790ff302aef7bef25b95f929104b34cb928cf31b0750051f1af5b9dd60fdfb7b8e8a6dbaa81e2e1f80d65b34351e4dd36d8300b07ffef7
SSDEEP

24576:XI2Qm/0o3OEFw3w7wh2KRsmKq83vMg/X:XI2Qm9e73BHRcnMA

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2736	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2140	29119583.exe

Loads dropped DLL 4 IoCs

pid	Process
2736	cmd.exe
2736	cmd.exe
2140	29119583.exe
2140	29119583.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\571128a44326144850262cb5e04dcb45 = "\"C:\\Users\\Admin\\AppData\\Local\\29119583.exe\" 0 38 "	571128a44326144850262cb5e04dcb45.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\29119583 = "\"C:\\Users\\Admin\\AppData\\Local\\29119583.exe\" 0 36 "	29119583.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2812	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2140	29119583.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2140	29119583.exe
2140	29119583.exe
2140	29119583.exe
2140	29119583.exe
2140	29119583.exe
2140	29119583.exe
2140	29119583.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2140	29119583.exe
2140	29119583.exe
2140	29119583.exe
2140	29119583.exe
2140	29119583.exe
2140	29119583.exe
2140	29119583.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2736	1512	571128a44326144850262cb5e04dcb45.exe	29
PID 1512 wrote to memory of 2736	1512	571128a44326144850262cb5e04dcb45.exe	29
PID 1512 wrote to memory of 2736	1512	571128a44326144850262cb5e04dcb45.exe	29
PID 1512 wrote to memory of 2736	1512	571128a44326144850262cb5e04dcb45.exe	29
PID 2736 wrote to memory of 2812	2736	cmd.exe	30
PID 2736 wrote to memory of 2812	2736	cmd.exe	30
PID 2736 wrote to memory of 2812	2736	cmd.exe	30
PID 2736 wrote to memory of 2812	2736	cmd.exe	30
PID 2736 wrote to memory of 2140	2736	cmd.exe	31
PID 2736 wrote to memory of 2140	2736	cmd.exe	31
PID 2736 wrote to memory of 2140	2736	cmd.exe	31
PID 2736 wrote to memory of 2140	2736	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\571128a44326144850262cb5e04dcb45.exe
"C:\Users\Admin\AppData\Local\Temp\571128a44326144850262cb5e04dcb45.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\379030.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v 571128a44326144850262cb5e04dcb45 /f
    3⤵
    - Modifies registry key
    PID:2812
- - C:\Users\Admin\AppData\Local\29119583.exe
    C:\Users\Admin\AppData\Local\29119583.exe -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\29119583.exe

Filesize
327KB

MD5
632aa4a3b95e225d1e683a4e80294baf

SHA1
a65c6498388469c7f059efb8cc8eb4a1e91ed07a

SHA256
ee1d3948858b9d52c21dd1087f73aada7854a7ffda8e3ccd2b78472524cea48e

SHA512
0751d9a3ac738811d7704d0f60536258fcf0ab347c36b85bd545e9c546ffe6e6af96b475ed98468833afbbd462429774d44b284e395600319807757cf8be9e7b

Download Submit
C:\Users\Admin\AppData\Local\29119583.exe

Filesize
153KB

MD5
8bc57e570c35fad9b7459486e067fa48

SHA1
b8d508ba6e4079bbdf9177c04665ed513c8e2cf2

SHA256
49737a02d5a98964e21e625da6af1227133d9b5cbe2792884df22b0ec25b98df

SHA512
900e6f2c0e745c8ae0150dff89cdaf35bb0fd49694ea50fe3af7b354c492c1ef194c94e10de6fb5e9c21872bf88538eaff91e3fcc2b999c0a40a1b2bd8b3f1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\379030.bat

Filesize
424B

MD5
a36ba85760b9f191c9017b29aae44850

SHA1
0db132bbbf1cc9e1013803539f1ab3e4de433363

SHA256
abacc8ffd416c4a35e0683f0d6a27b2b60642d7ee17eafbd1c1570bc366765ba

SHA512
3a9e3755417b6c35ea958efe4477ae26040a831f2cf2a278bd3e05038f9fe2c2e4fc65c9f8539e311c0aebe533bcfb20cbba5c4f5028ea7494808db340cde128

Download Submit
\Users\Admin\AppData\Local\29119583.exe

Filesize
272KB

MD5
3d6682c74c08817465a66b0e7668b992

SHA1
680931bd7436c2470d8181ef3eb53665dcb1d84c

SHA256
7736ba5861c95d40ec6b8ec771b95c4694ccd61d8b579724a9ccd4c1c0187bc6

SHA512
e60d60a30542e579bdea276d405f82333afa5ccf2d0312e330c29b63ad5d162c391b1e220f55039009fcc6230f85f70890083c62d115a5b22de255ac0bcc6473

Download Submit
\Users\Admin\AppData\Local\29119583.exe

Filesize
173KB

MD5
5525af7978cc150cdca3d5d9f5a0df15

SHA1
6e3f718a64a816bbc641c56559d503a5171ec4da

SHA256
908be00b1db163b205f4f9248a404b7203dda70139fe0592aa3e9bd8c6cf054d

SHA512
24bab58c8c364c31d61dc9679e593514baa88ba02c9dc249edaead175d8f8d22d824286c699d7c3a872f41e590bdcf2ea7fa78af6891a0b74431cf5cf60fd495

Download Submit
\Users\Admin\AppData\Local\29119583.exe

Filesize
932KB

MD5
30ec3396c191757b66d9266645fa086f

SHA1
f85741fa6441f848f7043a15e5ea5a3ca4feb11c

SHA256
5990336d7edda6dec8bc868795ef44b4163b1d32514d0721c6ed3d86d56f35c6

SHA512
1244864fcead0d76e1362f7c01882d3947426a72d82737d7129a4e77e6a433df6c919abbd2b74043de9c79c4f6e3bf4eb9b18d74a82755fdefc30c6eb8fe6901

Download Submit
\Users\Admin\AppData\Local\29119583.exe

Filesize
1.2MB

MD5
571128a44326144850262cb5e04dcb45

SHA1
03d037a9ed7fd22b002563b76b65919fd40c50f4

SHA256
f01cf298000932a1866efc07845e348454d31e082513d58bac4023895976c7cf

SHA512
387c0633fb01d8de0b790ff302aef7bef25b95f929104b34cb928cf31b0750051f1af5b9dd60fdfb7b8e8a6dbaa81e2e1f80d65b34351e4dd36d8300b07ffef7

Download Submit
memory/1512-3-0x0000000001000000-0x0000000001436000-memory.dmp

Filesize
4.2MB

Download
memory/1512-16-0x0000000001000000-0x0000000001436000-memory.dmp

Filesize
4.2MB

Download
memory/1512-7-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/1512-8-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1512-6-0x0000000001000000-0x0000000001436000-memory.dmp

Filesize
4.2MB

Download
memory/1512-2-0x0000000001000000-0x0000000001436000-memory.dmp

Filesize
4.2MB

Download
memory/1512-1-0x0000000001000000-0x0000000001436000-memory.dmp

Filesize
4.2MB

Download
memory/1512-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2140-23-0x0000000001000000-0x0000000001436000-memory.dmp

Filesize
4.2MB

Download
memory/2140-32-0x0000000001000000-0x0000000001436000-memory.dmp

Filesize
4.2MB

Download
memory/2140-27-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2140-24-0x0000000001000000-0x0000000001436000-memory.dmp

Filesize
4.2MB

Download
memory/2140-28-0x0000000001000000-0x0000000001436000-memory.dmp

Filesize
4.2MB

Download
memory/2140-22-0x0000000001000000-0x0000000001436000-memory.dmp

Filesize
4.2MB

Download
memory/2140-31-0x0000000001000000-0x0000000001436000-memory.dmp

Filesize
4.2MB

Download
memory/2140-25-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/2140-33-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2140-34-0x0000000001000000-0x0000000001436000-memory.dmp

Filesize
4.2MB

Download
memory/2140-35-0x0000000001000000-0x0000000001436000-memory.dmp

Filesize
4.2MB

Download
memory/2140-37-0x0000000001000000-0x0000000001436000-memory.dmp

Filesize
4.2MB

Download
memory/2140-38-0x0000000001000000-0x0000000001436000-memory.dmp

Filesize
4.2MB

Download
memory/2140-39-0x0000000001000000-0x0000000001436000-memory.dmp

Filesize
4.2MB

Download
memory/2140-40-0x0000000001000000-0x0000000001436000-memory.dmp

Filesize
4.2MB

Download
memory/2140-41-0x0000000001000000-0x0000000001436000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads