fff85a6ec67c92863803c9323cd453845a182b6595672cac13368726be558ced

General

Target

70fd6802627d319aa8c735a2ddf76e4f.exe
Size

152KB
MD5

70fd6802627d319aa8c735a2ddf76e4f
SHA1

58f977d9879aadc64ffc9485852140922df5dcbc
SHA256

fff85a6ec67c92863803c9323cd453845a182b6595672cac13368726be558ced
SHA512

b757525d5ee99e5d1a79b6d3c09c3b2a978c59406555400e61b57c61894de438a88c537fea07fa8d873157f4355015e07bc382221c92cf8e7d66e8b22c5d588b
SSDEEP

3072:2H1sRlpc6j1GQutQ5bb+utqNt2rRS3Y/gJzJfOJx6X:2HKznRSK5byM8AwYufVX

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

70fd6802627d319aa8c735a2ddf76e4f.exe

description ioc process

File opened for modification C:\Windows\fontdrvhost.exe 70fd6802627d319aa8c735a2ddf76e4f.exe

description	ioc	process
File opened for modification	C:\Windows\fontdrvhost.exe	70fd6802627d319aa8c735a2ddf76e4f.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

70fd6802627d319aa8c735a2ddf76e4f.exe

pid	process
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe
4068	70fd6802627d319aa8c735a2ddf76e4f.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

70fd6802627d319aa8c735a2ddf76e4f.exeCMD.exeCMD.exeCMD.exeCMD.exe

description	pid	process	target process
PID 4068 wrote to memory of 1996	4068	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 4068 wrote to memory of 1996	4068	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 4068 wrote to memory of 1996	4068	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 1996 wrote to memory of 3116	1996	CMD.exe	attrib.exe
PID 1996 wrote to memory of 3116	1996	CMD.exe	attrib.exe
PID 1996 wrote to memory of 3116	1996	CMD.exe	attrib.exe
PID 4068 wrote to memory of 4992	4068	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 4068 wrote to memory of 4992	4068	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 4068 wrote to memory of 4992	4068	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 4992 wrote to memory of 4316	4992	CMD.exe	attrib.exe
PID 4992 wrote to memory of 4316	4992	CMD.exe	attrib.exe
PID 4992 wrote to memory of 4316	4992	CMD.exe	attrib.exe
PID 4068 wrote to memory of 4516	4068	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 4068 wrote to memory of 4516	4068	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 4068 wrote to memory of 4516	4068	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 4516 wrote to memory of 4788	4516	CMD.exe	attrib.exe
PID 4516 wrote to memory of 4788	4516	CMD.exe	attrib.exe
PID 4516 wrote to memory of 4788	4516	CMD.exe	attrib.exe
PID 4068 wrote to memory of 5068	4068	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 4068 wrote to memory of 5068	4068	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 4068 wrote to memory of 5068	4068	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 5068 wrote to memory of 1000	5068	CMD.exe	attrib.exe
PID 5068 wrote to memory of 1000	5068	CMD.exe	attrib.exe
PID 5068 wrote to memory of 1000	5068	CMD.exe	attrib.exe
PID 4068 wrote to memory of 4932	4068	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 4068 wrote to memory of 4932	4068	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 4068 wrote to memory of 4932	4068	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 4068 wrote to memory of 972	4068	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 4068 wrote to memory of 972	4068	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 4068 wrote to memory of 972	4068	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 4068 wrote to memory of 2632	4068	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 4068 wrote to memory of 2632	4068	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 4068 wrote to memory of 2632	4068	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 4068 wrote to memory of 3740	4068	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 4068 wrote to memory of 3740	4068	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe
PID 4068 wrote to memory of 3740	4068	70fd6802627d319aa8c735a2ddf76e4f.exe	CMD.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

4316 attrib.exe
4788 attrib.exe
1000 attrib.exe
3116 attrib.exe

pid	process
4316	attrib.exe
4788	attrib.exe
1000	attrib.exe
3116	attrib.exe

C:\Users\Admin\AppData\Local\Temp\70fd6802627d319aa8c735a2ddf76e4f.exe
"C:\Users\Admin\AppData\Local\Temp\70fd6802627d319aa8c735a2ddf76e4f.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\SysWOW64\CMD.exe
CMD /C ATTRIB -s -h -r -a C:\RECYCLER\*.exe /S /D
2⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\attrib.exe
ATTRIB -s -h -r -a C:\RECYCLER\*.exe /S /D
3⤵
- Views/modifies file attributes
PID:3116

C:\Windows\SysWOW64\CMD.exe
CMD /C ATTRIB -s -h -r -a %TEMP%\*.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\SysWOW64\attrib.exe
ATTRIB -s -h -r -a C:\Users\Admin\AppData\Local\Temp\*.exe
3⤵
- Views/modifies file attributes
PID:4316

C:\Windows\SysWOW64\CMD.exe
CMD /C ATTRIB -s -h -r -a %WINDIR%\TEMP\*.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\SysWOW64\attrib.exe
ATTRIB -s -h -r -a C:\Windows\TEMP\*.exe
3⤵
- Views/modifies file attributes
PID:4788

C:\Windows\SysWOW64\CMD.exe
CMD /C ATTRIB -s -h -r -a "%USERPROFILE%\*.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\SysWOW64\attrib.exe
ATTRIB -s -h -r -a "C:\Users\Admin\*.exe"
3⤵
- Views/modifies file attributes
PID:1000

C:\Windows\SysWOW64\CMD.exe
CMD /C DEL C:\RECYCLER\*.exe /F /S /Q
2⤵
PID:4932

C:\Windows\SysWOW64\CMD.exe
CMD /C DEL %TEMP%\*.exe /F /Q
2⤵
PID:972

C:\Windows\SysWOW64\CMD.exe
CMD /C DEL %WINDIR%\TEMP\*.exe /F /Q
2⤵
PID:2632

C:\Windows\SysWOW64\CMD.exe
CMD /C DEL "%USERPROFILE%\*.exe" /F /Q
2⤵
PID:3740

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4068-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4068-1-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4068-2-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4068-3-0x0000000002070000-0x0000000002074000-memory.dmp

Filesize
16KB

Download
memory/4068-4-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/4068-6-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4068-8-0x0000000002070000-0x0000000002074000-memory.dmp

Filesize
16KB

Download
memory/4068-10-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4068-16-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing