418428514829c077330fc99bad10d7ff1dc1264f9ed10937eac98225efa6a5be

General

Target

649733f4a7b39a739f07503c200898fc.exe
Size

925KB
MD5

649733f4a7b39a739f07503c200898fc
SHA1

a652b4dcbc5e5b1a01a51713ac124e13b1c6eb43
SHA256

418428514829c077330fc99bad10d7ff1dc1264f9ed10937eac98225efa6a5be
SHA512

fe0b8049967ef19718b7ddcfa83609a3e24d56e0dc6ef76b60c4457ba3a9d974065437d88c1a18fe2e8866ef8e5f5d6fa676005b98abde560bd2aa26ae7612f9
SSDEEP

24576:giL5fK//QEDSeQgw5Ww4EkPOE8CpaONa4jq:giL5fK/oeQgdwtkPOZCpNK

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2804	ipconfig.exe
3924	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4608	649733f4a7b39a739f07503c200898fc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4608	649733f4a7b39a739f07503c200898fc.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4608	649733f4a7b39a739f07503c200898fc.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe
4608	649733f4a7b39a739f07503c200898fc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 4064	4608	649733f4a7b39a739f07503c200898fc.exe	95
PID 4608 wrote to memory of 4064	4608	649733f4a7b39a739f07503c200898fc.exe	95
PID 4608 wrote to memory of 4064	4608	649733f4a7b39a739f07503c200898fc.exe	95
PID 4064 wrote to memory of 2804	4064	cmd.exe	97
PID 4064 wrote to memory of 2804	4064	cmd.exe	97
PID 4064 wrote to memory of 2804	4064	cmd.exe	97
PID 4608 wrote to memory of 408	4608	649733f4a7b39a739f07503c200898fc.exe	98
PID 4608 wrote to memory of 408	4608	649733f4a7b39a739f07503c200898fc.exe	98
PID 4608 wrote to memory of 408	4608	649733f4a7b39a739f07503c200898fc.exe	98
PID 408 wrote to memory of 3924	408	cmd.exe	100
PID 408 wrote to memory of 3924	408	cmd.exe	100
PID 408 wrote to memory of 3924	408	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\649733f4a7b39a739f07503c200898fc.exe
"C:\Users\Admin\AppData\Local\Temp\649733f4a7b39a739f07503c200898fc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ipconfig /all >>C:\Users\Admin\AppData\Local\Temp\tmp1.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ipconfig /all >>C:\Users\Admin\AppData\Local\Temp\tmp1.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
ca06d5ea8732ca00742db63ba534fdb5

SHA1
247beee14b00f2ee9eb66c6756c5576dced048ea

SHA256
3934593c2535f618a089a8be9bfa56bbb7eb59571c6dfd44870d157a361f8958

SHA512
c827f8dfabf11765f3b532d7f2bcfd85c3044ac9a7074ea3de59c3b6480d48ebd6b50d6e89bc3fade3a0575b21a61dcbc616dd90ea1f1b36b331f3d91b38de26

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\xplib.fne

Filesize
52KB

MD5
c435ee6431b43a078db44e24eed8c779

SHA1
986418b33c5d12f6a91b174ede109124498fb324

SHA256
b06b71e150a8760dda8ac1c916bdffd24af5bec5819b28af20d748df63943e58

SHA512
59020c2d3b412f5ef0d0ad07ccb4df6bbd7bcb7a7ce435c602f3862efc056e47ed92cf394fc836ffb42808cd7b6510752718f033b99747461f24de767a9acc11

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1.txt

Filesize
1021B

MD5
3f9871da19b0e226defec7f36f294d8f

SHA1
5993ef995dc84bfb401ecc9f65c4b164e81ea591

SHA256
9c1b10d5baf77345ee3a65f881402b256546bc400472893120824a1ae9c412a2

SHA512
adc03de1204b8223a72e2f7f498edb4e9155813d9c25c09a1625879a881b327dfbf8f6e0a7f9ad2b20572a2c494eea27c2338981346c1b10c09e6c46bd09974b

Download Submit
memory/4608-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4608-5-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4608-13-0x0000000002330000-0x000000000233E000-memory.dmp

Filesize
56KB

Download
memory/4608-14-0x0000000002330000-0x000000000233E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing