3f4b4b11b72e1293ca354173546e07402962269a2b95f2097b2a9cca7eeb5d97

General

Target

5c3be5dd59684b11ee2b879c8d949898.exe
Size

3.4MB
MD5

5c3be5dd59684b11ee2b879c8d949898
SHA1

7841daa18d7f00ddea7e50c8dd1e5485cea12051
SHA256

3f4b4b11b72e1293ca354173546e07402962269a2b95f2097b2a9cca7eeb5d97
SHA512

d5b0a79f84b25b7345b3437ba821b224699d585c391c3834d01de92bfd283f0b60ca8d330923e2c33c10f9f8cd39ba6d7a49d68bae550031c198f80d60916a2f
SSDEEP

98304:da56u8mVi1owAwdyVjafKQBEyeqZmWsH:dtdmFwAw+jmCydLsH

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nwA5rK90TfrmYp.exe	5c3be5dd59684b11ee2b879c8d949898.exe

Executes dropped EXE 2 IoCs

pid	Process
3012	nwA5rK90TfrmYp.exe
2664	nwA5rK90TfrmYp.exe

Loads dropped DLL 3 IoCs

pid	Process
2912	5c3be5dd59684b11ee2b879c8d949898.exe
2912	5c3be5dd59684b11ee2b879c8d949898.exe
3012	nwA5rK90TfrmYp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2812	1168	WerFault.exe	32

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2664	nwA5rK90TfrmYp.exe
2664	nwA5rK90TfrmYp.exe
2664	nwA5rK90TfrmYp.exe
2664	nwA5rK90TfrmYp.exe
2664	nwA5rK90TfrmYp.exe
2664	nwA5rK90TfrmYp.exe
2664	nwA5rK90TfrmYp.exe
2664	nwA5rK90TfrmYp.exe
2664	nwA5rK90TfrmYp.exe
2664	nwA5rK90TfrmYp.exe
2664	nwA5rK90TfrmYp.exe
2664	nwA5rK90TfrmYp.exe
2664	nwA5rK90TfrmYp.exe
2664	nwA5rK90TfrmYp.exe
2664	nwA5rK90TfrmYp.exe
2664	nwA5rK90TfrmYp.exe
2664	nwA5rK90TfrmYp.exe
1168	cmd.exe
1168	cmd.exe
1168	cmd.exe
1168	cmd.exe
1168	cmd.exe
1168	cmd.exe
1168	cmd.exe
1168	cmd.exe
1168	cmd.exe
1168	cmd.exe
1168	cmd.exe
1168	cmd.exe
1168	cmd.exe
1168	cmd.exe
1168	cmd.exe
1168	cmd.exe
1168	cmd.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2912	2784	5c3be5dd59684b11ee2b879c8d949898.exe	28
PID 2784 wrote to memory of 2912	2784	5c3be5dd59684b11ee2b879c8d949898.exe	28
PID 2784 wrote to memory of 2912	2784	5c3be5dd59684b11ee2b879c8d949898.exe	28
PID 2784 wrote to memory of 2912	2784	5c3be5dd59684b11ee2b879c8d949898.exe	28
PID 2912 wrote to memory of 3012	2912	5c3be5dd59684b11ee2b879c8d949898.exe	30
PID 2912 wrote to memory of 3012	2912	5c3be5dd59684b11ee2b879c8d949898.exe	30
PID 2912 wrote to memory of 3012	2912	5c3be5dd59684b11ee2b879c8d949898.exe	30
PID 2912 wrote to memory of 3012	2912	5c3be5dd59684b11ee2b879c8d949898.exe	30
PID 3012 wrote to memory of 2664	3012	nwA5rK90TfrmYp.exe	31
PID 3012 wrote to memory of 2664	3012	nwA5rK90TfrmYp.exe	31
PID 3012 wrote to memory of 2664	3012	nwA5rK90TfrmYp.exe	31
PID 3012 wrote to memory of 2664	3012	nwA5rK90TfrmYp.exe	31
PID 2664 wrote to memory of 1168	2664	nwA5rK90TfrmYp.exe	32
PID 2664 wrote to memory of 1168	2664	nwA5rK90TfrmYp.exe	32
PID 2664 wrote to memory of 1168	2664	nwA5rK90TfrmYp.exe	32
PID 2664 wrote to memory of 1168	2664	nwA5rK90TfrmYp.exe	32
PID 2664 wrote to memory of 1168	2664	nwA5rK90TfrmYp.exe	32
PID 2664 wrote to memory of 1168	2664	nwA5rK90TfrmYp.exe	32
PID 1168 wrote to memory of 2812	1168	cmd.exe	34
PID 1168 wrote to memory of 2812	1168	cmd.exe	34
PID 1168 wrote to memory of 2812	1168	cmd.exe	34
PID 1168 wrote to memory of 2812	1168	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\5c3be5dd59684b11ee2b879c8d949898.exe
"C:\Users\Admin\AppData\Local\Temp\5c3be5dd59684b11ee2b879c8d949898.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Local\Temp\5c3be5dd59684b11ee2b879c8d949898.exe
  "C:\Users\Admin\AppData\Local\Temp\5c3be5dd59684b11ee2b879c8d949898.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nwA5rK90TfrmYp.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nwA5rK90TfrmYp.exe" "C:\Users\Admin\AppData\Local\Temp\5c3be5dd59684b11ee2b879c8d949898.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nwA5rK90TfrmYp.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nwA5rK90TfrmYp.exe" "C:\Users\Admin\AppData\Local\Temp\5c3be5dd59684b11ee2b879c8d949898.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1168
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 364
        6⤵
        Program crash
        
        PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nwA5rK90TfrmYp.exe

Filesize
2.6MB

MD5
e55daf00cc16966207064e22678c0230

SHA1
5a945d5259a5490c2400594cffa00d9d5a7da44e

SHA256
15ea340255862b7591f5b4a508935f08348bd3199b5243d264f36c00395ef32f

SHA512
6685eee40e96063e44c3cb460e5362cc6064c1fe5abec86f14a12387b129804376a8522883e8ff72f57d96c1bafb656fc3ec8f9e01b1eae8ee495ec51096cb3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nwA5rK90TfrmYp.exe

Filesize
2.7MB

MD5
bfc781c5b6c0f840ff56410ac73b670d

SHA1
6742cd2807068b417e64f54100d7ac967792d4be

SHA256
51cb28dc2295078869cc9d1b8ac044541589a035dbfcf9bc89f7faa1ffde706f

SHA512
53f2d226494234f739f50dd0e41977ad99d47f02297d2a946beab6da84ddf7eaa5a9eb9350d25cbb4ac9de0c6f1e558940ed0cd9f98a40f836fc24e5a98e08e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nwA5rK90TfrmYp.exe

Filesize
2.7MB

MD5
f7105f8d55ed02e2de227ca316e5341d

SHA1
60d668a199b18e47fbc4833f5372831ab39223dd

SHA256
7c9abca84707749e1145eee926c279ee529687aee1c7ac9fa43d65270d153138

SHA512
2da337bb1f1cbf10c6e49f638ea5a449819cd9ac15cb47bed38abf985891e2f026bb308d171ab4c5b1df493eb736b2b829a55189917ae396ea2d99a5ded9119e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nwA5rK90TfrmYp.exe

Filesize
2.3MB

MD5
3a97dd355e8c2528384019ccf52a09da

SHA1
3f6d5979e3ef1f9df43b3fb3f397d6500ef3ab6e

SHA256
a3a541c360f85df36911c1e86ce5dfc42f3b186f1c76d09220f218155c203737

SHA512
88f8a61414a9651987a846c09cae2da95368b67e8acb902564ed8c5af3a9f7c27937a9368d28cc5c347a7879c073641e9cf87e5402e81f842f6d848c9ca29c20

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nwA5rK90TfrmYp.exe

Filesize
3.4MB

MD5
0a2494847198e0b968a0cd9a3340d193

SHA1
9cc4c48c6bec8e2dbe406712d3f1072388c952ff

SHA256
be82dfb1ca4028ebf80d9c268343c7e3d0c9be3c4a7ab9e93a108f76451d9e56

SHA512
ea1de8e966cbaba7bd8162eb78aaeaf11b79c65fe0c133e3492da56e1ac6b904faae20a57f85aca31ea84306cde428849abb359cb1215cec4e949dd758fa6824

Download Submit
memory/1168-86-0x00000000033A0000-0x000000000343E000-memory.dmp

Filesize
632KB

Download
memory/1168-88-0x0000000000280000-0x0000000000319000-memory.dmp

Filesize
612KB

Download
memory/1168-87-0x00000000033A0000-0x000000000343E000-memory.dmp

Filesize
632KB

Download
memory/1168-25-0x0000000000630000-0x0000000001282000-memory.dmp

Filesize
12.3MB

Download
memory/1168-89-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1168-85-0x0000000077DC0000-0x0000000077DC1000-memory.dmp

Filesize
4KB

Download
memory/1168-83-0x0000000077DC0000-0x0000000077DC1000-memory.dmp

Filesize
4KB

Download
memory/1168-84-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1168-28-0x0000000000280000-0x0000000000319000-memory.dmp

Filesize
612KB

Download
memory/1168-41-0x0000000000280000-0x0000000000319000-memory.dmp

Filesize
612KB

Download
memory/1168-42-0x00000000033A0000-0x000000000343E000-memory.dmp

Filesize
632KB

Download
memory/1168-27-0x0000000000280000-0x0000000000319000-memory.dmp

Filesize
612KB

Download
memory/2664-23-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2664-19-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2664-29-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2664-22-0x0000000077DC0000-0x0000000077DC1000-memory.dmp

Filesize
4KB

Download
memory/2664-30-0x0000000000320000-0x00000000003BE000-memory.dmp

Filesize
632KB

Download
memory/2664-21-0x0000000000320000-0x00000000003BE000-memory.dmp

Filesize
632KB

Download
memory/2664-24-0x0000000077DC0000-0x0000000077DC1000-memory.dmp

Filesize
4KB

Download
memory/2784-0-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2784-1-0x00000000020C0000-0x00000000024BE000-memory.dmp

Filesize
4.0MB

Download
memory/2912-12-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2912-18-0x0000000000920000-0x00000000009BE000-memory.dmp

Filesize
632KB

Download
memory/2912-2-0x0000000000920000-0x00000000009BE000-memory.dmp

Filesize
632KB

Download
memory/3012-13-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/3012-17-0x0000000002380000-0x000000000277E000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing