a0ded183c858c68f20aea5f65346b007fa2cc2867d54d3974a69983ff63d92f1

General

Target

583672a0eb2ad545927384a74172b077.exe
Size

2.5MB
MD5

583672a0eb2ad545927384a74172b077
SHA1

7ee8fd0d2f82c2abab4d7e5e8c1508e0dd4e5f0d
SHA256

a0ded183c858c68f20aea5f65346b007fa2cc2867d54d3974a69983ff63d92f1
SHA512

4175666c0bc161404b319181dcd1abcc8626febb56141d2adadff322c55e8b1d1ba36d80e08c2bcab9668076a597744e72970dd5400eeceb9002d306e88e19c7
SSDEEP

49152:oky796EvMtTx435MtV+Oj29Ls3t/cwCxHHlc2KP1z8o/MO2Uqed3yBI1r3:o7AEvgVOy29Ls3JslVYzjMO26i4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2728	583672a0eb2ad545927384a74172b077.tmp
2604	WMF.exe

Loads dropped DLL 5 IoCs

pid	Process
2344	583672a0eb2ad545927384a74172b077.exe
2728	583672a0eb2ad545927384a74172b077.tmp
2728	583672a0eb2ad545927384a74172b077.tmp
2728	583672a0eb2ad545927384a74172b077.tmp
2728	583672a0eb2ad545927384a74172b077.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2604	WMF.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2728	2344	583672a0eb2ad545927384a74172b077.exe	28
PID 2344 wrote to memory of 2728	2344	583672a0eb2ad545927384a74172b077.exe	28
PID 2344 wrote to memory of 2728	2344	583672a0eb2ad545927384a74172b077.exe	28
PID 2344 wrote to memory of 2728	2344	583672a0eb2ad545927384a74172b077.exe	28
PID 2344 wrote to memory of 2728	2344	583672a0eb2ad545927384a74172b077.exe	28
PID 2344 wrote to memory of 2728	2344	583672a0eb2ad545927384a74172b077.exe	28
PID 2344 wrote to memory of 2728	2344	583672a0eb2ad545927384a74172b077.exe	28
PID 2728 wrote to memory of 2604	2728	583672a0eb2ad545927384a74172b077.tmp	29
PID 2728 wrote to memory of 2604	2728	583672a0eb2ad545927384a74172b077.tmp	29
PID 2728 wrote to memory of 2604	2728	583672a0eb2ad545927384a74172b077.tmp	29
PID 2728 wrote to memory of 2604	2728	583672a0eb2ad545927384a74172b077.tmp	29

C:\Users\Admin\AppData\Local\Temp\583672a0eb2ad545927384a74172b077.exe
"C:\Users\Admin\AppData\Local\Temp\583672a0eb2ad545927384a74172b077.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\is-BK94G.tmp\583672a0eb2ad545927384a74172b077.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-BK94G.tmp\583672a0eb2ad545927384a74172b077.tmp" /SL5="$80022,2280122,153088,C:\Users\Admin\AppData\Local\Temp\583672a0eb2ad545927384a74172b077.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\is-HD5DB.tmp\WMF.exe
    "C:\Users\Admin\AppData\Local\Temp\is-HD5DB.tmp\WMF.exe" /aid=0 /sub=0 /sid=42 /name="Crysis*" /fid= /stats=iw06avU1WybnpD3IXpRBaNbk6ZI4JlyIALgIswDvUNErfqvoWrbIh1SyTZgbxHF9/RkmH4CTprkO/nBo1xkSnw== /param=0
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-BK94G.tmp\583672a0eb2ad545927384a74172b077.tmp

Filesize
976KB

MD5
a04be4adddb408cfbdd1acc34b753e36

SHA1
43cc913df23f787b70f8f8e270138df280a8cf1a

SHA256
a81cc47f2961aaed71cb9221a23d4dbec72eda417ac57634ff2b408bda8e93cd

SHA512
54ebe2dcd4f00b71963daebfc94eded86533be09f44229eed6e75c5a4c4f164b07e1bffab2e3aca7a2d6d38ebc222b301c51276146bca2fa43ce932ec833bfe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HD5DB.tmp\WMF.exe

Filesize
795KB

MD5
6738ad3a11168a2e85ecf3f141f1b448

SHA1
39ed948ef0e6332f460bd9cf8ac39a97ad8ec6d3

SHA256
378e7884b437872131323499463f4843a1776b00b68d1ac798bb9669032aa252

SHA512
998fb12a641179d21fdec3c9b5c4611c7006356654ef5db239df8a50ce0bfc884771d7d0054381d39f13a1eee005f4018b04a9d569f42f40ffdd5c1cb0f8f6ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HD5DB.tmp\WMF.exe

Filesize
849KB

MD5
76303be4b0296d45001d15820fed41aa

SHA1
03bb878145d1956b551b63d62d1e148ec0ceeba6

SHA256
320730e7305668ab59715525e885fade1a4938672e1694b9fd12fdfb4e2e10a6

SHA512
2b06cab26d414ed5926a5f4508a1ca0f4c46f9b45bd8948bab1053e6e2fa5c8a23bc0addb5c193f54f372e8e9b7055408750834b72a7563b7ef1d52b27ff9f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HD5DB.tmp\default.xml

Filesize
2KB

MD5
4c219b78a305d3e52c811542154bb224

SHA1
7efe3e383b29c808cfb3ad0fd90d627ea7b2b2bf

SHA256
a0dbdc08f771e32a5ef06f47b436afb270e860578971a974db0c34c0c1366a7c

SHA512
bced9584568b011c0b2013e48d6b9503f77b01c57e2049722326a40363ce42c533e590c4583cf0cf3a5391f3208db8135b5afdc27ae7359af3ded66b11e628b8

Download Submit
\Users\Admin\AppData\Local\Temp\is-BK94G.tmp\583672a0eb2ad545927384a74172b077.tmp

Filesize
1.1MB

MD5
8811a0652c18dbcf68955f99df537eb8

SHA1
70cff6c43c0f873295dc085018639dff02f33012

SHA256
d69f51e65e3944891ec9c392b3d7410d81f8f93e55b9071584bfd1d384862230

SHA512
ed2ff6cfe272a8ae260233a1bb653adc0eaae13388418a9dea692b9924999d89b8677b8669fa24dcb0c606cfca7045bef779e1c58547f3f17d5096cbbe31d60a

Download Submit
\Users\Admin\AppData\Local\Temp\is-HD5DB.tmp\WMF.exe

Filesize
811KB

MD5
9882d9b7294107617a7d8625256ad935

SHA1
f30c90d5b6d080e873c6aea41b35e80d004b0d36

SHA256
be2936cb77c6c499842846990c9dd2e5bdeaa94bf12e2057fe207c31c9767b62

SHA512
706e30783fb6ea3c099fa469903555a755f4bf79a875dd5a1b33e51657678c93bfe793ee6a68d0dfdb74050bf5073c9e8dd7cf1cbc0d7036ccb65440e4a7c540

Download Submit
\Users\Admin\AppData\Local\Temp\is-HD5DB.tmp\WMF.exe

Filesize
860KB

MD5
5f02b7ab4cb6e91c85015461d34e21d4

SHA1
3bd22a5b1cf4b7fd5539e9e341d6cac87d8a8ae0

SHA256
5472ad083d3d46a053b27404979fc4992f82be6f7a445aa66aaa6374c4a48d01

SHA512
bcd1e71e49c3b127fd5d69757bd5b04808f83d409a6eca7841924e8d039b26ebdac8cb3f6a54e9813664a2aef1867c4e259a8e098bcafd9f3bad1ba4192dfc46

Download Submit
\Users\Admin\AppData\Local\Temp\is-HD5DB.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2344-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2344-40-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2604-38-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2604-42-0x0000000000400000-0x00000000007E2000-memory.dmp

Filesize
3.9MB

Download
memory/2604-46-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2728-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2728-41-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing