69e62c01d01514823c9f50a77e79b456241aed9f23596e48d78490d227fbb18b

General

Target

751b0391c47ac27fd5880602095c2b75.exe
Size

392KB
MD5

751b0391c47ac27fd5880602095c2b75
SHA1

57bb747fc1bff49bb43598d4e9ef035589ff8a65
SHA256

69e62c01d01514823c9f50a77e79b456241aed9f23596e48d78490d227fbb18b
SHA512

7ac38504d483601ec7dc660559f23b75d127a82091eba15f50f4f62d715c8d327f5950c5cc99ba7cf31c1f60c2457ff8fa6fc3691dffb60abca7a355eb7ae607
SSDEEP

3072:TjeF/OZ/HI8IhYt5BjAsoDYp9qducrNK+B968s655MjawzakfWeiKWVOzYZO:TjC/4/HI87/Xr6UKzB92hOvVUYZO

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2140 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

exoxrrnev.exe

pid process

2980 exoxrrnev.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exeexoxrrnev.exe

pid process

2140 cmd.exe
2140 cmd.exe
2980 exoxrrnev.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1916 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2596 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1916 taskkill.exe

pid	process
2140	cmd.exe

pid	process
2980	exoxrrnev.exe

pid	process
2140	cmd.exe
2140	cmd.exe
2980	exoxrrnev.exe

pid	process
1916	taskkill.exe

pid	process
2596	PING.EXE

description	pid	process
Token: SeDebugPrivilege	1916	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

751b0391c47ac27fd5880602095c2b75.execmd.exe

description	pid	process	target process
PID 780 wrote to memory of 2140	780	751b0391c47ac27fd5880602095c2b75.exe	cmd.exe
PID 780 wrote to memory of 2140	780	751b0391c47ac27fd5880602095c2b75.exe	cmd.exe
PID 780 wrote to memory of 2140	780	751b0391c47ac27fd5880602095c2b75.exe	cmd.exe
PID 780 wrote to memory of 2140	780	751b0391c47ac27fd5880602095c2b75.exe	cmd.exe
PID 2140 wrote to memory of 1916	2140	cmd.exe	taskkill.exe
PID 2140 wrote to memory of 1916	2140	cmd.exe	taskkill.exe
PID 2140 wrote to memory of 1916	2140	cmd.exe	taskkill.exe
PID 2140 wrote to memory of 1916	2140	cmd.exe	taskkill.exe
PID 2140 wrote to memory of 2596	2140	cmd.exe	PING.EXE
PID 2140 wrote to memory of 2596	2140	cmd.exe	PING.EXE
PID 2140 wrote to memory of 2596	2140	cmd.exe	PING.EXE
PID 2140 wrote to memory of 2596	2140	cmd.exe	PING.EXE
PID 2140 wrote to memory of 2980	2140	cmd.exe	exoxrrnev.exe
PID 2140 wrote to memory of 2980	2140	cmd.exe	exoxrrnev.exe
PID 2140 wrote to memory of 2980	2140	cmd.exe	exoxrrnev.exe
PID 2140 wrote to memory of 2980	2140	cmd.exe	exoxrrnev.exe

C:\Users\Admin\AppData\Local\Temp\751b0391c47ac27fd5880602095c2b75.exe
"C:\Users\Admin\AppData\Local\Temp\751b0391c47ac27fd5880602095c2b75.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 780 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\751b0391c47ac27fd5880602095c2b75.exe" & start C:\Users\Admin\AppData\Local\EXOXRR~1.EXE -f
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Local\exoxrrnev.exe
C:\Users\Admin\AppData\Local\EXOXRR~1.EXE -f
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2980

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /pid 780
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\SysWOW64\PING.EXE
ping -n 3 127.1
1⤵
- Runs ping.exe
PID:2596

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\exoxrrnev.exe
Filesize
240KB

MD5
3e5ae3ad340ad00f3e816c0ce0298cf8

SHA1
aece1b468e6bf4c834c91a07534718b08a601202

SHA256
1ee863a6be9a1193c3b1522339e902826d4934653b309d5b03055b08a6202348

SHA512
1c72f8e322ed5e6c4bd7882a4e7fc4908edf9b2ba7ae14c34b958d80fe517f2a691d8105f6d21d002ba2db36fd678e839350bb7cbc7a1e1494f36a92c3b5c945

Download Submit
C:\Users\Admin\AppData\Local\exoxrrnev.exe
Filesize
1KB

MD5
f8b5efff2c5d4ea32ae3acf564f24a2a

SHA1
bbb9422f26226c888a9d35030a1b8a26fbe944c9

SHA256
7b20bb388d146247669332df0240405fffceb7132f76df631bcc0eadc0c58cbd

SHA512
063d0dd479833cbb1a39230f8a0231c46bb922d100cec09e95cd86bf49d203827b82026a2dc00335a408662023382845ba4e1772edddbd25ff44ef42e662215f

Download Submit
\Users\Admin\AppData\Local\exoxrrnev.exe
Filesize
152KB

MD5
c8d63645f19570de282924406a2e87c4

SHA1
bd00538116ee2bb85f1255511416d79887048204

SHA256
348c1cf289e1a3c2261500fbcb2bdedd270e33adf437ac83281e9e6bc5603b0f

SHA512
63a6f27fbfc8ca9e86c32edf42792068f3032d98179b1ffaf85db95c2201fb4892d30208f1a14a041be8bedd2a67566992e2b74885d560ae78908e0ca7e428bf

Download Submit
\Users\Admin\AppData\Local\exoxrrnev.exe
Filesize
265KB

MD5
472f38f7a2196d7ff69442c538d4e5e6

SHA1
7a7279b1694aeab19465cf4e68696f96fa0cddd2

SHA256
8f7923236f802f0403240a9c1bb8c75925f11ba5b012e42038ebda83b3dd9f9b

SHA512
99abfbeb938a8c57716ba953ccf377f89988662b74991a1f79b486b4946ad9ea950234c6c251c1e455395d0760f9fde7d0ffbd0af9a2d7e1f55c03b899995448

Download Submit
\Users\Admin\AppData\Local\exoxrrnev.exe
Filesize
138KB

MD5
47cd759d03a280062d4c2ec14d3ef923

SHA1
0a066211f332b5a943e041b6d9e65f09558f4936

SHA256
1ae064585c094a93cf4834b4ec5dc1b0f67e660d17f0043587cd03edb37e7110

SHA512
88956e9a3f439ff65db6736be481ad04f5018441131e34c9ea174c82de15dda8123a13f7115664c120183f72460a63c93ed885d3db62a195c302274fede1677d

Download Submit
memory/780-4-0x0000000000330000-0x0000000000332000-memory.dmp

Filesize
8KB

Download
memory/780-0-0x0000000001000000-0x0000000001102000-memory.dmp

Filesize
1.0MB

Download
memory/780-5-0x0000000001000000-0x0000000001102000-memory.dmp

Filesize
1.0MB

Download
memory/780-3-0x0000000001000000-0x0000000001102000-memory.dmp

Filesize
1.0MB

Download
memory/780-2-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/2140-9-0x00000000023B0000-0x00000000024B2000-memory.dmp

Filesize
1.0MB

Download
memory/2980-15-0x0000000000380000-0x0000000000382000-memory.dmp

Filesize
8KB

Download
memory/2980-17-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/2980-16-0x0000000000CE0000-0x0000000000DE2000-memory.dmp

Filesize
1.0MB

Download
memory/2980-14-0x0000000001000000-0x0000000001102000-memory.dmp

Filesize
1.0MB

Download
memory/2980-13-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2980-11-0x0000000001000000-0x0000000001102000-memory.dmp

Filesize
1.0MB

Download
memory/2980-18-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing