3094d8212742071abd5e254106b43644f6115b0df3f5056a1d19dd10c4c2f7fb

General

Target

592324bd87d7145b81eb50be82b8be26.exe
Size

292KB
MD5

592324bd87d7145b81eb50be82b8be26
SHA1

76c953ffe5eb5653ecd0b03362b3131b039db9ef
SHA256

3094d8212742071abd5e254106b43644f6115b0df3f5056a1d19dd10c4c2f7fb
SHA512

ab838c6f63fc58fa23fe118b8f04d59584f7e2d3a31b6750cd494b7e3ba2597ed52bc75faabb39348183a741bbc846569e9afa089524e4b159f593f65e372533
SSDEEP

6144:qoBD6iz9BBwwPCM9MeaOsCSP26Vh9BgODLlV98io3PXlB25LtP71cYUG/yx5V:qoGTI33765BgCLl3u3PXTyZxcYHqt

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1736	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2568	jbobsfq.exe

Loads dropped DLL 3 IoCs

pid	Process
1736	cmd.exe
1736	cmd.exe
2568	jbobsfq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2268	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2836	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 1736	2496	592324bd87d7145b81eb50be82b8be26.exe	28
PID 2496 wrote to memory of 1736	2496	592324bd87d7145b81eb50be82b8be26.exe	28
PID 2496 wrote to memory of 1736	2496	592324bd87d7145b81eb50be82b8be26.exe	28
PID 2496 wrote to memory of 1736	2496	592324bd87d7145b81eb50be82b8be26.exe	28
PID 1736 wrote to memory of 2268	1736	cmd.exe	30
PID 1736 wrote to memory of 2268	1736	cmd.exe	30
PID 1736 wrote to memory of 2268	1736	cmd.exe	30
PID 1736 wrote to memory of 2268	1736	cmd.exe	30
PID 1736 wrote to memory of 2836	1736	cmd.exe	32
PID 1736 wrote to memory of 2836	1736	cmd.exe	32
PID 1736 wrote to memory of 2836	1736	cmd.exe	32
PID 1736 wrote to memory of 2836	1736	cmd.exe	32
PID 1736 wrote to memory of 2568	1736	cmd.exe	33
PID 1736 wrote to memory of 2568	1736	cmd.exe	33
PID 1736 wrote to memory of 2568	1736	cmd.exe	33
PID 1736 wrote to memory of 2568	1736	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\592324bd87d7145b81eb50be82b8be26.exe
"C:\Users\Admin\AppData\Local\Temp\592324bd87d7145b81eb50be82b8be26.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2496 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\592324bd87d7145b81eb50be82b8be26.exe" & start C:\Users\Admin\AppData\Local\jbobsfq.exe -f
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /pid 2496
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:2836
- - C:\Users\Admin\AppData\Local\jbobsfq.exe
    C:\Users\Admin\AppData\Local\jbobsfq.exe -f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\jbobsfq.exe

Filesize
154KB

MD5
06b5595d90b6919289a71af9a263d43e

SHA1
0bb1b96b7bba912ea3aab809c53527d1bf5a7bce

SHA256
bd68a9a2095fd8a3ca695c531d8e04f8266431a6ef7746b3382e46a49836b0ed

SHA512
409a1d86ea642085fbf919967a6e7dddc7bcd2f90df797e063a2c2fda80d131dda8b0558f6989df5a40a39de3b89c86a498d858cc38076c713efde3bb7184fd6

Download Submit
\Users\Admin\AppData\Local\jbobsfq.exe

Filesize
292KB

MD5
592324bd87d7145b81eb50be82b8be26

SHA1
76c953ffe5eb5653ecd0b03362b3131b039db9ef

SHA256
3094d8212742071abd5e254106b43644f6115b0df3f5056a1d19dd10c4c2f7fb

SHA512
ab838c6f63fc58fa23fe118b8f04d59584f7e2d3a31b6750cd494b7e3ba2597ed52bc75faabb39348183a741bbc846569e9afa089524e4b159f593f65e372533

Download Submit
memory/2496-2-0x0000000001000000-0x000000000109B000-memory.dmp

Filesize
620KB

Download
memory/2496-3-0x0000000000310000-0x0000000000312000-memory.dmp

Filesize
8KB

Download
memory/2496-6-0x0000000001000000-0x000000000109B000-memory.dmp

Filesize
620KB

Download
memory/2496-4-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2496-8-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/2496-7-0x0000000001000000-0x000000000109B000-memory.dmp

Filesize
620KB

Download
memory/2496-0-0x0000000001000000-0x000000000109B000-memory.dmp

Filesize
620KB

Download
memory/2496-1-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/2568-16-0x0000000001000000-0x000000000109B000-memory.dmp

Filesize
620KB

Download
memory/2568-14-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2568-13-0x0000000001000000-0x000000000109B000-memory.dmp

Filesize
620KB

Download
memory/2568-19-0x00000000001C0000-0x0000000000202000-memory.dmp

Filesize
264KB

Download
memory/2568-17-0x0000000001000000-0x000000000109B000-memory.dmp

Filesize
620KB

Download
memory/2568-20-0x0000000000850000-0x00000000008EB000-memory.dmp

Filesize
620KB

Download
memory/2568-18-0x0000000000480000-0x0000000000482000-memory.dmp

Filesize
8KB

Download
memory/2568-21-0x0000000001000000-0x000000000109B000-memory.dmp

Filesize
620KB

Download
memory/2568-22-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing