fff85a6ec67c92863803c9323cd453845a182b6595672cac13368726be558ced

General

Target

70fd6802627d319aa8c735a2ddf76e4f.exe
Size

152KB
MD5

70fd6802627d319aa8c735a2ddf76e4f
SHA1

58f977d9879aadc64ffc9485852140922df5dcbc
SHA256

fff85a6ec67c92863803c9323cd453845a182b6595672cac13368726be558ced
SHA512

b757525d5ee99e5d1a79b6d3c09c3b2a978c59406555400e61b57c61894de438a88c537fea07fa8d873157f4355015e07bc382221c92cf8e7d66e8b22c5d588b
SSDEEP

3072:2H1sRlpc6j1GQutQ5bb+utqNt2rRS3Y/gJzJfOJx6X:2HKznRSK5byM8AwYufVX

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

70fd6802627d319aa8c735a2ddf76e4f.exe

pid	process
1940	70fd6802627d319aa8c735a2ddf76e4f.exe
1940	70fd6802627d319aa8c735a2ddf76e4f.exe
1940	70fd6802627d319aa8c735a2ddf76e4f.exe
1940	70fd6802627d319aa8c735a2ddf76e4f.exe
1940	70fd6802627d319aa8c735a2ddf76e4f.exe
1940	70fd6802627d319aa8c735a2ddf76e4f.exe
1940	70fd6802627d319aa8c735a2ddf76e4f.exe
1940	70fd6802627d319aa8c735a2ddf76e4f.exe
1940	70fd6802627d319aa8c735a2ddf76e4f.exe
1940	70fd6802627d319aa8c735a2ddf76e4f.exe
1940	70fd6802627d319aa8c735a2ddf76e4f.exe
1940	70fd6802627d319aa8c735a2ddf76e4f.exe
1940	70fd6802627d319aa8c735a2ddf76e4f.exe
1940	70fd6802627d319aa8c735a2ddf76e4f.exe
1940	70fd6802627d319aa8c735a2ddf76e4f.exe
1940	70fd6802627d319aa8c735a2ddf76e4f.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

70fd6802627d319aa8c735a2ddf76e4f.exeCMD.exeCMD.exeCMD.exeCMD.exe

description	pid	process	target process
PID 1940 wrote to memory of 2272	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 2272	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 2272	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 2272	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 2272 wrote to memory of 2876	2272	CMD.exe	attrib.exe
PID 2272 wrote to memory of 2876	2272	CMD.exe	attrib.exe
PID 2272 wrote to memory of 2876	2272	CMD.exe	attrib.exe
PID 2272 wrote to memory of 2876	2272	CMD.exe	attrib.exe
PID 1940 wrote to memory of 2300	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 2300	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 2300	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 2300	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 2300 wrote to memory of 2768	2300	CMD.exe	attrib.exe
PID 2300 wrote to memory of 2768	2300	CMD.exe	attrib.exe
PID 2300 wrote to memory of 2768	2300	CMD.exe	attrib.exe
PID 2300 wrote to memory of 2768	2300	CMD.exe	attrib.exe
PID 1940 wrote to memory of 2788	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 2788	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 2788	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 2788	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 2788 wrote to memory of 2688	2788	CMD.exe	attrib.exe
PID 2788 wrote to memory of 2688	2788	CMD.exe	attrib.exe
PID 2788 wrote to memory of 2688	2788	CMD.exe	attrib.exe
PID 2788 wrote to memory of 2688	2788	CMD.exe	attrib.exe
PID 1940 wrote to memory of 2656	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 2656	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 2656	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 2656	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 2656 wrote to memory of 2664	2656	CMD.exe	attrib.exe
PID 2656 wrote to memory of 2664	2656	CMD.exe	attrib.exe
PID 2656 wrote to memory of 2664	2656	CMD.exe	attrib.exe
PID 2656 wrote to memory of 2664	2656	CMD.exe	attrib.exe
PID 1940 wrote to memory of 2572	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 2572	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 2572	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 2572	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 3016	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 3016	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 3016	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 3016	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 2228	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 2228	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 2228	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 2228	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 652	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 652	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 652	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1940 wrote to memory of 652	1940	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

2876 attrib.exe
2768 attrib.exe
2688 attrib.exe
2664 attrib.exe

pid	process
2876	attrib.exe
2768	attrib.exe
2688	attrib.exe
2664	attrib.exe

C:\Users\Admin\AppData\Local\Temp\70fd6802627d319aa8c735a2ddf76e4f.exe
"C:\Users\Admin\AppData\Local\Temp\70fd6802627d319aa8c735a2ddf76e4f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\CMD.exe
CMD /C ATTRIB -s -h -r -a C:\RECYCLER\*.exe /S /D
2⤵
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\SysWOW64\attrib.exe
ATTRIB -s -h -r -a C:\RECYCLER\*.exe /S /D
3⤵
- Views/modifies file attributes
PID:2876

C:\Windows\SysWOW64\CMD.exe
CMD /C ATTRIB -s -h -r -a %TEMP%\*.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWOW64\attrib.exe
ATTRIB -s -h -r -a C:\Users\Admin\AppData\Local\Temp\*.exe
3⤵
- Views/modifies file attributes
PID:2768

C:\Windows\SysWOW64\CMD.exe
CMD /C ATTRIB -s -h -r -a %WINDIR%\TEMP\*.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\attrib.exe
ATTRIB -s -h -r -a C:\Windows\TEMP\*.exe
3⤵
- Views/modifies file attributes
PID:2688

C:\Windows\SysWOW64\CMD.exe
CMD /C ATTRIB -s -h -r -a "%USERPROFILE%\*.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\attrib.exe
ATTRIB -s -h -r -a "C:\Users\Admin\*.exe"
3⤵
- Views/modifies file attributes
PID:2664

C:\Windows\SysWOW64\CMD.exe
CMD /C DEL C:\RECYCLER\*.exe /F /S /Q
2⤵
PID:2572

C:\Windows\SysWOW64\CMD.exe
CMD /C DEL %TEMP%\*.exe /F /Q
2⤵
PID:3016

C:\Windows\SysWOW64\CMD.exe
CMD /C DEL %WINDIR%\TEMP\*.exe /F /Q
2⤵
PID:2228

C:\Windows\SysWOW64\CMD.exe
CMD /C DEL "%USERPROFILE%\*.exe" /F /Q
2⤵
PID:652

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1940-1-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1940-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1940-3-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/1940-2-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1940-4-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1940-6-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1940-15-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing