e68b96f0e99e4b6aebbedd626fbb369c369c8507f5b5cea9013eb3e0ea83e23f

General

Target

74f54405991dc0d284f3158f9266d7e3.exe
Size

1.8MB
MD5

74f54405991dc0d284f3158f9266d7e3
SHA1

eb8b23809c1a72144ef5d3dbec92b8445b790795
SHA256

e68b96f0e99e4b6aebbedd626fbb369c369c8507f5b5cea9013eb3e0ea83e23f
SHA512

3087f74eed15eb522b7938da4859daf0d0af1d13adc1ad23810b599839e94cdc7074ab06a48fae0cce4d2958c5a94ffe799cb9ea1891877ef0b812bf4f1cbbd9
SSDEEP

12288:OsD8BFyOmcNPYmzQ5J0T0aTE6chIoLXGtfbapRVczyu1jZ9sM2cTWzEOk0ksmVgX:FHcNPYDj0T0z6UsapRVclccTWwPdse

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

FileEn.exeFileEn.exe

pid process

2864 FileEn.exe
2700 FileEn.exe

pid	process
2864	FileEn.exe
2700	FileEn.exe

Loads dropped DLL 5 IoCs

Processes:

74f54405991dc0d284f3158f9266d7e3.exe

pid	process
2880	74f54405991dc0d284f3158f9266d7e3.exe
2880	74f54405991dc0d284f3158f9266d7e3.exe
2880	74f54405991dc0d284f3158f9266d7e3.exe
2880	74f54405991dc0d284f3158f9266d7e3.exe
2880	74f54405991dc0d284f3158f9266d7e3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

74f54405991dc0d284f3158f9266d7e3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fileProtect = "C:\\Windows\\system32\\FileEn.exe"	74f54405991dc0d284f3158f9266d7e3.exe

Drops file in System32 directory 9 IoCs

Processes:

74f54405991dc0d284f3158f9266d7e3.exe

description	ioc	process
File created	C:\Windows\SysWOW64\FileProtecter.ico	74f54405991dc0d284f3158f9266d7e3.exe
File created	C:\Windows\SysWOW64\face.dll	74f54405991dc0d284f3158f9266d7e3.exe
File created	C:\Windows\SysWOW64\fileprotect.dll	74f54405991dc0d284f3158f9266d7e3.exe
File created	C:\Windows\SysWOW64\FileProtecter.exe	74f54405991dc0d284f3158f9266d7e3.exe
File opened for modification	C:\Windows\SysWOW64\FileProtecter.exe	74f54405991dc0d284f3158f9266d7e3.exe
File created	C:\Windows\SysWOW64\notewnd.dll	74f54405991dc0d284f3158f9266d7e3.exe
File created	C:\Windows\SysWOW64\verwnd.dll	74f54405991dc0d284f3158f9266d7e3.exe
File created	C:\Windows\SysWOW64\Box.exe	74f54405991dc0d284f3158f9266d7e3.exe
File created	C:\Windows\SysWOW64\FileEn.exe	74f54405991dc0d284f3158f9266d7e3.exe

Drops file in Windows directory 1 IoCs

Processes:

74f54405991dc0d284f3158f9266d7e3.exe

description ioc process

File opened for modification C:\Windows\win.ini 74f54405991dc0d284f3158f9266d7e3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

74f54405991dc0d284f3158f9266d7e3.exe

pid process

2880 74f54405991dc0d284f3158f9266d7e3.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	74f54405991dc0d284f3158f9266d7e3.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

74f54405991dc0d284f3158f9266d7e3.exeFileEn.exeFileEn.exe

pid	process
2880	74f54405991dc0d284f3158f9266d7e3.exe
2880	74f54405991dc0d284f3158f9266d7e3.exe
2864	FileEn.exe
2864	FileEn.exe
2864	FileEn.exe
2864	FileEn.exe
2880	74f54405991dc0d284f3158f9266d7e3.exe
2700	FileEn.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

74f54405991dc0d284f3158f9266d7e3.exe

description	pid	process	target process
PID 2880 wrote to memory of 2864	2880	74f54405991dc0d284f3158f9266d7e3.exe	FileEn.exe
PID 2880 wrote to memory of 2864	2880	74f54405991dc0d284f3158f9266d7e3.exe	FileEn.exe
PID 2880 wrote to memory of 2864	2880	74f54405991dc0d284f3158f9266d7e3.exe	FileEn.exe
PID 2880 wrote to memory of 2864	2880	74f54405991dc0d284f3158f9266d7e3.exe	FileEn.exe
PID 2880 wrote to memory of 2700	2880	74f54405991dc0d284f3158f9266d7e3.exe	FileEn.exe
PID 2880 wrote to memory of 2700	2880	74f54405991dc0d284f3158f9266d7e3.exe	FileEn.exe
PID 2880 wrote to memory of 2700	2880	74f54405991dc0d284f3158f9266d7e3.exe	FileEn.exe
PID 2880 wrote to memory of 2700	2880	74f54405991dc0d284f3158f9266d7e3.exe	FileEn.exe

C:\Users\Admin\AppData\Local\Temp\74f54405991dc0d284f3158f9266d7e3.exe
"C:\Users\Admin\AppData\Local\Temp\74f54405991dc0d284f3158f9266d7e3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\SysWOW64\FileEn.exe
"C:\Windows\system32\FileEn.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2864

C:\Windows\SysWOW64\FileEn.exe
"C:\Windows\system32\FileEn.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2700

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\win.ini
Filesize
509B

MD5
abdcf9a26efd8b91d7bea6282b65066b

SHA1
a040eb69c4ef83709e263a61af2dbfa30c101d31

SHA256
69e80ad6150ddb1c4e25559d31fc66123e9b803c931cc5b4b73c6c21d38e163e

SHA512
2d87772da5886d6138ca316583ccf241ea4539d99e2f48761165a60debfe81c711b616928ab9cd8bdbb411881c5dab7f1e4e2111ea3468e380160be09dad0453

Download Submit
C:\Windows\win.ini
Filesize
523B

MD5
fbc009a78551b5af7d966a7f16d133f9

SHA1
bf584c32c91f691ef2aa992dc4538c875f19efc6

SHA256
594c1446c2d807ce4d61172f0351f2988dd86fb97f1d3352e5ed4d6d35a43f16

SHA512
78d67f3fcb89585a977da5cb35643a36c410777ed43af1063caa436a802bb236dc949b46194f60fcac2fdac593dbe0f1921ee60d5f3ed30621ba98211a3166da

Download Submit
C:\Windows\win.ini
Filesize
531B

MD5
a43e3ef0c0dccbc846365bbac82d2764

SHA1
ffe416a33b6f59220b54440158a8df69ab64b047

SHA256
9a2d2d74cfcbcb483949354c4d481d76b65f9674299d35e22afdfbbce0fe79cd

SHA512
a0613e53fb04c9d87300377135939507e2ce408ad9679e770792ef8f4d3369f53ee14fb7453f4aec142c0a3d8ae84cc81d4d2db0ad7f0210ba8ded69f9ea12bb

Download Submit
\Windows\SysWOW64\FileEn.exe
Filesize
260KB

MD5
3c0a05b660e41423fec63815f4549e69

SHA1
4feb0a4a9a592f80d6f2d2a27396654fa3eea816

SHA256
b2d49e811a4702709533a500f857149647ac7b8c384c8e5a23a4cbecc664856e

SHA512
c54192e74d646d61a48b65a4df31b1a9757fe9855f91e60f932f9254ce735808bac17c6ada4a34ef38247852ca48d674140f93e135c008e3c4728f7b087105ce

Download Submit
\Windows\SysWOW64\FileEn.exe
Filesize
192KB

MD5
170ad6ba932cc1d81cf8e8e0b4b9aad0

SHA1
9c9c80894efcc0b040f0ca88c52a84f0d47d823b

SHA256
ecb15aeab1b9a93c727e799800c196ec42ce4c24886f56543f1e7f101853f277

SHA512
9a535c2fead56bb36dcd91cb7144c9ae48c10c841f6137ea03e9fc4936f4fd5061d93be16defb4966144e77021388adacec0fee1a71e2e170211b91b5caf91eb

Download Submit
\Windows\SysWOW64\face.dll
Filesize
276KB

MD5
71ae7d6dbb221bf825cc859f5db4a364

SHA1
71ba7e47e29f196d3a4b39747dc2ab287189409c

SHA256
5c02f694e1a8fcd4c81c01014f5aaa011fa5aa4e84ee4adf37f3006082b79083

SHA512
9a4a26b016912f94c3a4b68d23969dc60451bcbb37f0fa9f5c80b315d5819eab931a188618141dbe6972ca7d8dbaaf03c69001b6feb3fe83e9870efc13254a26

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads