04c6c07e6af92c6148453cba27fa286afe905b87fef3e35121bb259e20484fe3

General

Target

74f55a30c3d053109039d1323ab64db1.exe
Size

1.5MB
MD5

74f55a30c3d053109039d1323ab64db1
SHA1

2c119dae3c57c7e4a5e0a893bed9e01a3e228256
SHA256

04c6c07e6af92c6148453cba27fa286afe905b87fef3e35121bb259e20484fe3
SHA512

b8944ebfa643611ff3def0a9680c0775d3947640c2ef653becbf19cd2eaa8a0a145cecff454be391b5bed53778c16dccf701e1561c9246974100b1f4e72f2af2
SSDEEP

24576:BSLXeYCOLvNSj7bl/narnAN+fhB9tDtrxS7ECq8yvO1xLjYAR4ghdKNIz7xrVKE:qxLvoxCrnfhtrxBRmLAa4ghkoNVKE

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

Confusa.exe.com

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TnFhPPruMZ.url Confusa.exe.com
Executes dropped EXE 3 IoCs

Processes:

Confusa.exe.comConfusa.exe.comRegAsm.exe

pid process

2860 Confusa.exe.com
2748 Confusa.exe.com
1352 RegAsm.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.exeConfusa.exe.comConfusa.exe.comRegAsm.exe

pid process

2740 cmd.exe
2860 Confusa.exe.com
2748 Confusa.exe.com
1352 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Confusa.exe.com

description pid process target process

PID 2748 set thread context of 1352 2748 Confusa.exe.com RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2744 PING.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TnFhPPruMZ.url	Confusa.exe.com

pid	process
2860	Confusa.exe.com
2748	Confusa.exe.com
1352	RegAsm.exe

pid	process
2740	cmd.exe
2860	Confusa.exe.com
2748	Confusa.exe.com
1352	RegAsm.exe

description	pid	process	target process
PID 2748 set thread context of 1352	2748	Confusa.exe.com	RegAsm.exe

pid	process
2744	PING.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

74f55a30c3d053109039d1323ab64db1.execmd.execmd.exeConfusa.exe.comConfusa.exe.com

description	pid	process	target process
PID 2360 wrote to memory of 2812	2360	74f55a30c3d053109039d1323ab64db1.exe	dllhost.exe
PID 2360 wrote to memory of 2812	2360	74f55a30c3d053109039d1323ab64db1.exe	dllhost.exe
PID 2360 wrote to memory of 2812	2360	74f55a30c3d053109039d1323ab64db1.exe	dllhost.exe
PID 2360 wrote to memory of 2812	2360	74f55a30c3d053109039d1323ab64db1.exe	dllhost.exe
PID 2360 wrote to memory of 2836	2360	74f55a30c3d053109039d1323ab64db1.exe	cmd.exe
PID 2360 wrote to memory of 2836	2360	74f55a30c3d053109039d1323ab64db1.exe	cmd.exe
PID 2360 wrote to memory of 2836	2360	74f55a30c3d053109039d1323ab64db1.exe	cmd.exe
PID 2360 wrote to memory of 2836	2360	74f55a30c3d053109039d1323ab64db1.exe	cmd.exe
PID 2836 wrote to memory of 2740	2836	cmd.exe	cmd.exe
PID 2836 wrote to memory of 2740	2836	cmd.exe	cmd.exe
PID 2836 wrote to memory of 2740	2836	cmd.exe	cmd.exe
PID 2836 wrote to memory of 2740	2836	cmd.exe	cmd.exe
PID 2740 wrote to memory of 2708	2740	cmd.exe	findstr.exe
PID 2740 wrote to memory of 2708	2740	cmd.exe	findstr.exe
PID 2740 wrote to memory of 2708	2740	cmd.exe	findstr.exe
PID 2740 wrote to memory of 2708	2740	cmd.exe	findstr.exe
PID 2740 wrote to memory of 2860	2740	cmd.exe	Confusa.exe.com
PID 2740 wrote to memory of 2860	2740	cmd.exe	Confusa.exe.com
PID 2740 wrote to memory of 2860	2740	cmd.exe	Confusa.exe.com
PID 2740 wrote to memory of 2860	2740	cmd.exe	Confusa.exe.com
PID 2740 wrote to memory of 2744	2740	cmd.exe	PING.EXE
PID 2740 wrote to memory of 2744	2740	cmd.exe	PING.EXE
PID 2740 wrote to memory of 2744	2740	cmd.exe	PING.EXE
PID 2740 wrote to memory of 2744	2740	cmd.exe	PING.EXE
PID 2860 wrote to memory of 2748	2860	Confusa.exe.com	Confusa.exe.com
PID 2860 wrote to memory of 2748	2860	Confusa.exe.com	Confusa.exe.com
PID 2860 wrote to memory of 2748	2860	Confusa.exe.com	Confusa.exe.com
PID 2860 wrote to memory of 2748	2860	Confusa.exe.com	Confusa.exe.com
PID 2748 wrote to memory of 1352	2748	Confusa.exe.com	RegAsm.exe
PID 2748 wrote to memory of 1352	2748	Confusa.exe.com	RegAsm.exe
PID 2748 wrote to memory of 1352	2748	Confusa.exe.com	RegAsm.exe
PID 2748 wrote to memory of 1352	2748	Confusa.exe.com	RegAsm.exe
PID 2748 wrote to memory of 1352	2748	Confusa.exe.com	RegAsm.exe
PID 2748 wrote to memory of 1352	2748	Confusa.exe.com	RegAsm.exe
PID 2748 wrote to memory of 1352	2748	Confusa.exe.com	RegAsm.exe
PID 2748 wrote to memory of 1352	2748	Confusa.exe.com	RegAsm.exe
PID 2748 wrote to memory of 1352	2748	Confusa.exe.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\74f55a30c3d053109039d1323ab64db1.exe
"C:\Users\Admin\AppData\Local\Temp\74f55a30c3d053109039d1323ab64db1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
2⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Cheope.doc
2⤵
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^kyZlEtGjnpcqijZRnzmJfibEXwOUCZPwNEUspUFNAJeaxwweJgqikaitIxjDfMKmxzjDsHIDOMpFtypVZLkhYIQxvQJOIwbOZCYqPnLwGvampC$" All.doc
4⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Confusa.exe.com
Confusa.exe.com u
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Confusa.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Confusa.exe.com u
5⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1352

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 30
4⤵
- Runs ping.exe
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\All.doc
Filesize
872KB

MD5
6983585c61191075acf480a8e47a376f

SHA1
c6c39b01150621584548a1f6088a38bd7afbff7f

SHA256
205025ffc9724e33ee83d900424e42112982024dc9b21b4489487c31203e7cec

SHA512
73a2afd5b3ab825a7ed0b11876bfa3b42a2787358207dfee2f8cd50d098fde524157f2a7303a475d786a56defe5cca10b751952e335af1e9f88f902da782302b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cheope.doc
Filesize
514B

MD5
2cf2d38952e20d5a38eee76316c81644

SHA1
dd8c2b47d43e30b3c76bc2b55e3ae8849b2cd7c7

SHA256
6d55c444f8ad79e9dd4f48756d50d205e5b255db8f1e5c390fc199bcae518959

SHA512
85118f3bc47b362db456af5398b789c4a6f48eee655dec0c3f3012cc1d4d05561e5127f603e07263ada9e6a441541408df12265742e78d1125b2609484098fce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Crede.doc
Filesize
568KB

MD5
57ea490f060e16dd2ca81d9bb5cdf286

SHA1
1f0f2329d504f2bbc8a19751803e9d77c7d9cd66

SHA256
e858500baed65c1f3857e1b7546f8181e9db77a70aca39875edccaadebc9337e

SHA512
fb7226176c76c5afaa6aed1e7a88d9a11baf1465ca8d68a782a6a3dd2f1048e0ddf22c5997f645291a9daa761c2393e0acde40ae6ccee244bc8839b30f5b67c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dal.doc
Filesize
988KB

MD5
b06ae64571406664375919ff977f6706

SHA1
ec86e42ff636bd894ca903c2acee26b99b0271f7

SHA256
3c06347aa0072594f89e799df49325bd4b3e0532c11199505a30f4d600ebfea3

SHA512
259d7a4260a1c542885bbc71f100d0b3d59550b1fd9173aa368d133436c140ac582cf8e67b04fd38071ebc4be419abd18a602d4204bdf8fac3fad865337a1e37

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Confusa.exe.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/1352-34-0x0000000000090000-0x0000000000124000-memory.dmp

Filesize
592KB

Download
memory/1352-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1352-37-0x0000000000090000-0x0000000000124000-memory.dmp

Filesize
592KB

Download
memory/1352-41-0x0000000000090000-0x0000000000124000-memory.dmp

Filesize
592KB

Download
memory/1352-43-0x0000000000090000-0x0000000000124000-memory.dmp

Filesize
592KB

Download
memory/2748-30-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing