bdc5e88ee7de3fe18eb38af9cadf1878258fe0f55dac409418fd3458235139d2

General

Target

5a23641be49c0eea5f7f8852563f6d33.exe
Size

1.2MB
MD5

5a23641be49c0eea5f7f8852563f6d33
SHA1

3469f3a77f4391a288fd272b8af7a1116d5b5326
SHA256

bdc5e88ee7de3fe18eb38af9cadf1878258fe0f55dac409418fd3458235139d2
SHA512

91a999ac19387149e8a2065a9db117e5b0a80fc128b14946f6efa3e216b9119f196d9524740abb12291be87a2d5bf3f2265a2418503f8a221ead389a292285d9
SSDEEP

24576:7f7WNMY2HYvGAZHByqTIA/hZwz/DqllU8i5QFAWBBajC0jww:7DWOiTB/IDql/iOVzbVw

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1716	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2876	25905122.exe

Loads dropped DLL 4 IoCs

pid	Process
2716	cmd.exe
2716	cmd.exe
2876	25905122.exe
2876	25905122.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\25905122 = "C:\\ProgramData\\25905122\\25905122.exe"	5a23641be49c0eea5f7f8852563f6d33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\25905122 = "C:\\PROGRA~3\\25905122\\25905122.exe"	25905122.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2852	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\_Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	25905122.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop	25905122.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2876	25905122.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	taskkill.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2876	25905122.exe
2876	25905122.exe
2876	25905122.exe
2876	25905122.exe
2876	25905122.exe
2876	25905122.exe
2876	25905122.exe
2876	25905122.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2876	25905122.exe
2876	25905122.exe
2876	25905122.exe
2876	25905122.exe
2876	25905122.exe
2876	25905122.exe
2876	25905122.exe
2876	25905122.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 1716	2380	5a23641be49c0eea5f7f8852563f6d33.exe	29
PID 2380 wrote to memory of 1716	2380	5a23641be49c0eea5f7f8852563f6d33.exe	29
PID 2380 wrote to memory of 1716	2380	5a23641be49c0eea5f7f8852563f6d33.exe	29
PID 2380 wrote to memory of 1716	2380	5a23641be49c0eea5f7f8852563f6d33.exe	29
PID 1716 wrote to memory of 2852	1716	cmd.exe	30
PID 1716 wrote to memory of 2852	1716	cmd.exe	30
PID 1716 wrote to memory of 2852	1716	cmd.exe	30
PID 1716 wrote to memory of 2852	1716	cmd.exe	30
PID 1716 wrote to memory of 2716	1716	cmd.exe	32
PID 1716 wrote to memory of 2716	1716	cmd.exe	32
PID 1716 wrote to memory of 2716	1716	cmd.exe	32
PID 1716 wrote to memory of 2716	1716	cmd.exe	32
PID 2716 wrote to memory of 2876	2716	cmd.exe	33
PID 2716 wrote to memory of 2876	2716	cmd.exe	33
PID 2716 wrote to memory of 2876	2716	cmd.exe	33
PID 2716 wrote to memory of 2876	2716	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\5a23641be49c0eea5f7f8852563f6d33.exe
"C:\Users\Admin\AppData\Local\Temp\5a23641be49c0eea5f7f8852563f6d33.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\ProgramData\25905122\25905122.bat" "
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im 5a23641be49c0eea5f7f8852563f6d33.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start C:\PROGRA~3\25905122\25905122.exe /install
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\PROGRA~3\25905122\25905122.exe
      C:\PROGRA~3\25905122\25905122.exe /install
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies Control Panel
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\25905122\25905122.exe

Filesize
341KB

MD5
5dfd975919f60744eead377575bf5872

SHA1
3aa11e9553e3f310592f72fdcd2c5409dc7da7a6

SHA256
1a4c74b2cf4639de55c2ca913e2605d5533090a22b7566b1d2cc6fcf6a616b7b

SHA512
93272c0b625fa92a2cae5da5a32d095948e27a58207eae0e3353f71bc352a86070688bea72eae11f66e25f0ba95df72416857dc26352a73feb2b7f1280c1110e

Download Submit
C:\PROGRA~3\25905122\25905122.exe

Filesize
271KB

MD5
778f496f0d94000c0c1c2206abeea061

SHA1
a415ae6b201781e6a82a502736cd02d72e346e5e

SHA256
0d621a870f7c9ba2016d34b3a7fbb3896aeaa9404757c1f9a4d1a821535c2f92

SHA512
5b8f7658a506edd86e06bc76275b071e70601655ec3401921c13105ae673b2e3ef1fdc76e8dd7142c4270a4f2453708981e23951887434a5150756fd5e8d1142

Download Submit
C:\ProgramData\25905122\25905122.bat

Filesize
290B

MD5
506e1bcdc6455082cd13c721c53c5092

SHA1
64cfb3bde34e848252e72e4b0fac15cb1b22e5ad

SHA256
6292b03241c3e5d6160b6c9e0532dc26fd44a39dfc4ebb6952cff21f55d208c0

SHA512
0110f50d950be8fe8341775e7ee107d6caa04eafbb3810b6784a1acbfc4a6b6fe11d619f80597fab51b878abb390470ef46524b19e0143f09a559decfdb22174

Download Submit
\PROGRA~3\25905122\25905122.exe

Filesize
332KB

MD5
5a8eaa1af97651c810bd7ae3f63c318a

SHA1
832f74c30adf467004821e1a3739f1faa4e49df1

SHA256
e4e74591f8cdba6aa8f60701536471111ec30c9af05678070362316ec981799f

SHA512
e85ea574106b450b524c3cc72a5b5b628bbec1abbe1efaea78c17f655f036a33f8ea191cfd9db71998ec6e762d7e2ca36a69adba588c1fe3eeed4b43f6ab3903

Download Submit
\PROGRA~3\25905122\25905122.exe

Filesize
256KB

MD5
9537ca3b2c45eccd9443b118f48f0442

SHA1
87c41782c03bab78fa0e14277a60d1df1421578d

SHA256
6997e6806cd7e5d2c3ef8d9d5b11e1fc81c6348e93a8562b38e7fc0e09572760

SHA512
17663182b7d696c2115cc3c4ad079f60b4386801b394d0648a40798b8b98e6584eb133bec81147b778eba13f5b009b935dc0cf29f3b4c5ea4a49e881bfa1aa4f

Download Submit
\PROGRA~3\25905122\25905122.exe

Filesize
1.2MB

MD5
5a23641be49c0eea5f7f8852563f6d33

SHA1
3469f3a77f4391a288fd272b8af7a1116d5b5326

SHA256
bdc5e88ee7de3fe18eb38af9cadf1878258fe0f55dac409418fd3458235139d2

SHA512
91a999ac19387149e8a2065a9db117e5b0a80fc128b14946f6efa3e216b9119f196d9524740abb12291be87a2d5bf3f2265a2418503f8a221ead389a292285d9

Download Submit
memory/2380-2-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2380-1-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2380-3-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2380-14-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2380-4-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2380-33-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2876-25-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2876-35-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2876-26-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2876-24-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2876-21-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2876-22-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2876-32-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2876-23-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2876-34-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2876-27-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2876-36-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2876-37-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2876-38-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2876-39-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2876-41-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2876-42-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2876-43-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2876-44-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2876-45-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads