d9633d51f27da2a6e31fab3bce8ea26dd4b3fd5b5e42fbb43c46ad092aa51772

General

Target

bd8646691e2eb4e3467861fc765cfc3a45925243afac513944a922a1100d80bb.exe
Size

238KB
MD5

4e28b8c8cc2666b35c7a3c2ca03946e1
SHA1

784e1beca241a4cac7ad270e549c28da2f5f7e07
SHA256

bd8646691e2eb4e3467861fc765cfc3a45925243afac513944a922a1100d80bb
SHA512

5c8a938ef1b11bd3b016bb4f63d8b154b6de6f8947b90f520474257ff3bb583a7a13dbb0f83f90ea101bb5fa88febc18b28bffa3133d3f5b76ec656702834954
SSDEEP

6144:1/mi5BPc1M3xwunB4qELod1EREYuPdX6/V:1JxwunB4qEU3fYzN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2836	pro.exe
828	KK.exe

Loads dropped DLL 2 IoCs

pid	Process
2392	bd8646691e2eb4e3467861fc765cfc3a45925243afac513944a922a1100d80bb.exe
828	KK.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1964	tasklist.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
828	KK.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2836	pro.exe
2836	pro.exe
2836	pro.exe
2836	pro.exe
2836	pro.exe
2836	pro.exe
2836	pro.exe
2836	pro.exe
828	KK.exe
828	KK.exe
828	KK.exe
828	KK.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	tasklist.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
828	KK.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2836	2392	bd8646691e2eb4e3467861fc765cfc3a45925243afac513944a922a1100d80bb.exe	28
PID 2392 wrote to memory of 2836	2392	bd8646691e2eb4e3467861fc765cfc3a45925243afac513944a922a1100d80bb.exe	28
PID 2392 wrote to memory of 2836	2392	bd8646691e2eb4e3467861fc765cfc3a45925243afac513944a922a1100d80bb.exe	28
PID 2392 wrote to memory of 2836	2392	bd8646691e2eb4e3467861fc765cfc3a45925243afac513944a922a1100d80bb.exe	28
PID 2836 wrote to memory of 2792	2836	pro.exe	33
PID 2836 wrote to memory of 2792	2836	pro.exe	33
PID 2836 wrote to memory of 2792	2836	pro.exe	33
PID 2836 wrote to memory of 2792	2836	pro.exe	33
PID 2792 wrote to memory of 1964	2792	cmd.exe	35
PID 2792 wrote to memory of 1964	2792	cmd.exe	35
PID 2792 wrote to memory of 1964	2792	cmd.exe	35
PID 2792 wrote to memory of 1964	2792	cmd.exe	35
PID 2792 wrote to memory of 2008	2792	cmd.exe	36
PID 2792 wrote to memory of 2008	2792	cmd.exe	36
PID 2792 wrote to memory of 2008	2792	cmd.exe	36
PID 2792 wrote to memory of 2008	2792	cmd.exe	36
PID 780 wrote to memory of 828	780	cmd.exe	39
PID 780 wrote to memory of 828	780	cmd.exe	39
PID 780 wrote to memory of 828	780	cmd.exe	39
PID 780 wrote to memory of 828	780	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\bd8646691e2eb4e3467861fc765cfc3a45925243afac513944a922a1100d80bb.exe
"C:\Users\Admin\AppData\Local\Temp\bd8646691e2eb4e3467861fc765cfc3a45925243afac513944a922a1100d80bb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Public\pro.exe
  "C:\Users\Public\pro.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist | findstr /i 360tray.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1964
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i 360tray.exe
      4⤵
      PID:2008

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Public\KK.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Public\KK.exe
  C:\Users\Public\KK.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

1

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\KK.exe

Filesize
1.1MB

MD5
50c6b88e240b0ee97b5b6f5c00b6a081

SHA1
4bf7332e5dc487eb5cd859ddcb3650231389c922

SHA256
dc5a3ad83d9fd74901a3b129d62d8d97a1eef4842f4dff1d05e5039c79e101a0

SHA512
0eae33e7ca55c97e613b656f23f9f68fbe67d82070721bf86716df72aa557fcadc72adebbcfb5456cec81fbcc37b959a9042d8681f391927c5258023ab1c7740

Download Submit
\Users\Public\pro.exe

Filesize
238KB

MD5
4e28b8c8cc2666b35c7a3c2ca03946e1

SHA1
784e1beca241a4cac7ad270e549c28da2f5f7e07

SHA256
bd8646691e2eb4e3467861fc765cfc3a45925243afac513944a922a1100d80bb

SHA512
5c8a938ef1b11bd3b016bb4f63d8b154b6de6f8947b90f520474257ff3bb583a7a13dbb0f83f90ea101bb5fa88febc18b28bffa3133d3f5b76ec656702834954

Download Submit
\Windows\Temp\E_N60005\krnln.fnr

Filesize
1.2MB

MD5
f0e18dab16cc67f81ec762abb9a63585

SHA1
22f44703a214033d9f267ae4983963112cd93fad

SHA256
b1eb520ff83d6403e04fb8ddb253e76c10b800af49629d8974d44b330d377da6

SHA512
d68f3296f76c0db285cf627078cac898e9ddf31266e45dc4aad55c2e91c21eca99cbee1337d7dc98a6308d79fb986391930dbc1f93ead48a9a9e16a356d4165c

Download Submit
memory/828-30-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/828-37-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2392-0-0x0000000010000000-0x0000000010192000-memory.dmp

Filesize
1.6MB

Download
memory/2392-1-0x0000000003210000-0x000000000339F000-memory.dmp

Filesize
1.6MB

Download
memory/2392-11-0x0000000010000000-0x0000000010192000-memory.dmp

Filesize
1.6MB

Download
memory/2392-14-0x0000000010000000-0x0000000010192000-memory.dmp

Filesize
1.6MB

Download
memory/2836-15-0x0000000010000000-0x0000000010192000-memory.dmp

Filesize
1.6MB

Download
memory/2836-21-0x0000000010000000-0x0000000010192000-memory.dmp

Filesize
1.6MB

Download
memory/2836-23-0x0000000010000000-0x0000000010192000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing