3f5a252513f60cbb4b19caf221f27ba0f3b97ef36178f5c2d4a80f06387f3bb4

General

Target

5886bb1be3ecb182711f40cee07b3ef0.exe
Size

978KB
MD5

5886bb1be3ecb182711f40cee07b3ef0
SHA1

52aac383bfaee91573f8007ebdf03cbee2abe8cf
SHA256

3f5a252513f60cbb4b19caf221f27ba0f3b97ef36178f5c2d4a80f06387f3bb4
SHA512

0cfeb4c9cc89eeba57c655862c75cfa33ce81dadbd9a087eb65b340ff87f7a96586f325cfcfd1f0828702e2a04fd576920d535de1c51160cf3f9ea1fc87486dc
SSDEEP

24576:CmT3CK+0EyJqrBcapU1JNzT5b/EQBwk1vJo:C+3D4yJqyaup5b/9wcJ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2672	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2796	6619912.exe

Loads dropped DLL 4 IoCs

pid	Process
2672	cmd.exe
2672	cmd.exe
2796	6619912.exe
2796	6619912.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\5886bb1be3ecb182711f40cee07b3ef0 = "\"C:\\Users\\Admin\\AppData\\Local\\6619912.exe\" 0 24 "	5886bb1be3ecb182711f40cee07b3ef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\6619912 = "\"C:\\Users\\Admin\\AppData\\Local\\6619912.exe\" 0 37 "	6619912.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2792	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2796	6619912.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2796	6619912.exe
2796	6619912.exe
2796	6619912.exe
2796	6619912.exe
2796	6619912.exe
2796	6619912.exe
2796	6619912.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2796	6619912.exe
2796	6619912.exe
2796	6619912.exe
2796	6619912.exe
2796	6619912.exe
2796	6619912.exe
2796	6619912.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2672	2272	5886bb1be3ecb182711f40cee07b3ef0.exe	31
PID 2272 wrote to memory of 2672	2272	5886bb1be3ecb182711f40cee07b3ef0.exe	31
PID 2272 wrote to memory of 2672	2272	5886bb1be3ecb182711f40cee07b3ef0.exe	31
PID 2272 wrote to memory of 2672	2272	5886bb1be3ecb182711f40cee07b3ef0.exe	31
PID 2672 wrote to memory of 2792	2672	cmd.exe	29
PID 2672 wrote to memory of 2792	2672	cmd.exe	29
PID 2672 wrote to memory of 2792	2672	cmd.exe	29
PID 2672 wrote to memory of 2792	2672	cmd.exe	29
PID 2672 wrote to memory of 2796	2672	cmd.exe	30
PID 2672 wrote to memory of 2796	2672	cmd.exe	30
PID 2672 wrote to memory of 2796	2672	cmd.exe	30
PID 2672 wrote to memory of 2796	2672	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\5886bb1be3ecb182711f40cee07b3ef0.exe
"C:\Users\Admin\AppData\Local\Temp\5886bb1be3ecb182711f40cee07b3ef0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\32202.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2672

C:\Windows\SysWOW64\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v 5886bb1be3ecb182711f40cee07b3ef0 /f
1⤵
- Modifies registry key
PID:2792

C:\Users\Admin\AppData\Local\6619912.exe
C:\Users\Admin\AppData\Local\6619912.exe -i
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6619912.exe

Filesize
978KB

MD5
5886bb1be3ecb182711f40cee07b3ef0

SHA1
52aac383bfaee91573f8007ebdf03cbee2abe8cf

SHA256
3f5a252513f60cbb4b19caf221f27ba0f3b97ef36178f5c2d4a80f06387f3bb4

SHA512
0cfeb4c9cc89eeba57c655862c75cfa33ce81dadbd9a087eb65b340ff87f7a96586f325cfcfd1f0828702e2a04fd576920d535de1c51160cf3f9ea1fc87486dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\32202.bat

Filesize
422B

MD5
aaf0cd6e53d85228374f8f2c89498899

SHA1
c4d7a6dae566019f4923e59fcf9a9064e8a460e6

SHA256
c837d73c9c8d94f230565548b607906241cf500b1f6e0b3d00b293b207fc9d96

SHA512
7345d642cdcc4046fcc12af3df2c7f693ba46ce090aa0d88b5e8fbd7521cfdbc284f1384a090fce2eb6cc8d448d2b6c81af3785123a587c0297d0d6802914a4a

Download Submit
memory/2272-1-0x0000000001000000-0x0000000001435600-memory.dmp

Filesize
4.2MB

Download
memory/2272-2-0x0000000000250000-0x0000000000450000-memory.dmp

Filesize
2.0MB

Download
memory/2272-3-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/2272-4-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2272-14-0x0000000001000000-0x0000000001435600-memory.dmp

Filesize
4.2MB

Download
memory/2796-29-0x0000000001000000-0x0000000001435600-memory.dmp

Filesize
4.2MB

Download
memory/2796-33-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/2796-23-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/2796-25-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/2796-28-0x0000000001000000-0x0000000001435600-memory.dmp

Filesize
4.2MB

Download
memory/2796-21-0x0000000001000000-0x0000000001435600-memory.dmp

Filesize
4.2MB

Download
memory/2796-30-0x0000000001000000-0x0000000001435600-memory.dmp

Filesize
4.2MB

Download
memory/2796-31-0x0000000000270000-0x0000000000470000-memory.dmp

Filesize
2.0MB

Download
memory/2796-32-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/2796-22-0x0000000000270000-0x0000000000470000-memory.dmp

Filesize
2.0MB

Download
memory/2796-34-0x0000000001000000-0x0000000001435600-memory.dmp

Filesize
4.2MB

Download
memory/2796-35-0x0000000001000000-0x0000000001435600-memory.dmp

Filesize
4.2MB

Download
memory/2796-36-0x0000000001000000-0x0000000001435600-memory.dmp

Filesize
4.2MB

Download
memory/2796-38-0x0000000001000000-0x0000000001435600-memory.dmp

Filesize
4.2MB

Download
memory/2796-39-0x0000000001000000-0x0000000001435600-memory.dmp

Filesize
4.2MB

Download
memory/2796-40-0x0000000001000000-0x0000000001435600-memory.dmp

Filesize
4.2MB

Download
memory/2796-41-0x0000000001000000-0x0000000001435600-memory.dmp

Filesize
4.2MB

Download
memory/2796-45-0x0000000001000000-0x0000000001435600-memory.dmp

Filesize
4.2MB

Download
memory/2796-46-0x0000000001000000-0x0000000001435600-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads