842e2f289935c92dae5c4435973257202bfc720be0f393dab61db7120d98900c

General

Target

8d83368e27aeb1713f73571137175372.exe
Size

3.4MB
MD5

8d83368e27aeb1713f73571137175372
SHA1

5982ca558e2908efe2d4e0f90258a8f51b832c9e
SHA256

842e2f289935c92dae5c4435973257202bfc720be0f393dab61db7120d98900c
SHA512

bc7c9eb991fdae2112cf96139b1979dc28b9d72913ba115def074fdaf3e4831115523bb7b7c954d235bd378897739151bc8ff377f6c3bf932dc60431362611c8
SSDEEP

49152:cN2ICGPZ/TO7pZLDvNNEXajLYSn/OXQdoHnH0irzC9oaSCbVq5Ij4k9P0hdHb9eR:cN2PSULDvNESyQmHHDTDQsIcOXHl/

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yDJQK0Iv0NrdhqHw.exe	8d83368e27aeb1713f73571137175372.exe

Executes dropped EXE 2 IoCs

pid	Process
2084	yDJQK0Iv0NrdhqHw.exe
2604	yDJQK0Iv0NrdhqHw.exe

Loads dropped DLL 3 IoCs

pid	Process
2756	8d83368e27aeb1713f73571137175372.exe
2756	8d83368e27aeb1713f73571137175372.exe
2084	yDJQK0Iv0NrdhqHw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1824	3044	WerFault.exe	32

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2604	yDJQK0Iv0NrdhqHw.exe
2604	yDJQK0Iv0NrdhqHw.exe
2604	yDJQK0Iv0NrdhqHw.exe
2604	yDJQK0Iv0NrdhqHw.exe
2604	yDJQK0Iv0NrdhqHw.exe
2604	yDJQK0Iv0NrdhqHw.exe
2604	yDJQK0Iv0NrdhqHw.exe
2604	yDJQK0Iv0NrdhqHw.exe
2604	yDJQK0Iv0NrdhqHw.exe
2604	yDJQK0Iv0NrdhqHw.exe
2604	yDJQK0Iv0NrdhqHw.exe
2604	yDJQK0Iv0NrdhqHw.exe
2604	yDJQK0Iv0NrdhqHw.exe
2604	yDJQK0Iv0NrdhqHw.exe
2604	yDJQK0Iv0NrdhqHw.exe
2604	yDJQK0Iv0NrdhqHw.exe
2604	yDJQK0Iv0NrdhqHw.exe
3044	cmd.exe
3044	cmd.exe
3044	cmd.exe
3044	cmd.exe
3044	cmd.exe
3044	cmd.exe
3044	cmd.exe
3044	cmd.exe
3044	cmd.exe
3044	cmd.exe
3044	cmd.exe
3044	cmd.exe
3044	cmd.exe
3044	cmd.exe
3044	cmd.exe
3044	cmd.exe
3044	cmd.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2756	2896	8d83368e27aeb1713f73571137175372.exe	15
PID 2896 wrote to memory of 2756	2896	8d83368e27aeb1713f73571137175372.exe	15
PID 2896 wrote to memory of 2756	2896	8d83368e27aeb1713f73571137175372.exe	15
PID 2896 wrote to memory of 2756	2896	8d83368e27aeb1713f73571137175372.exe	15
PID 2756 wrote to memory of 2084	2756	8d83368e27aeb1713f73571137175372.exe	31
PID 2756 wrote to memory of 2084	2756	8d83368e27aeb1713f73571137175372.exe	31
PID 2756 wrote to memory of 2084	2756	8d83368e27aeb1713f73571137175372.exe	31
PID 2756 wrote to memory of 2084	2756	8d83368e27aeb1713f73571137175372.exe	31
PID 2084 wrote to memory of 2604	2084	yDJQK0Iv0NrdhqHw.exe	30
PID 2084 wrote to memory of 2604	2084	yDJQK0Iv0NrdhqHw.exe	30
PID 2084 wrote to memory of 2604	2084	yDJQK0Iv0NrdhqHw.exe	30
PID 2084 wrote to memory of 2604	2084	yDJQK0Iv0NrdhqHw.exe	30
PID 2604 wrote to memory of 3044	2604	yDJQK0Iv0NrdhqHw.exe	32
PID 2604 wrote to memory of 3044	2604	yDJQK0Iv0NrdhqHw.exe	32
PID 2604 wrote to memory of 3044	2604	yDJQK0Iv0NrdhqHw.exe	32
PID 2604 wrote to memory of 3044	2604	yDJQK0Iv0NrdhqHw.exe	32
PID 2604 wrote to memory of 3044	2604	yDJQK0Iv0NrdhqHw.exe	32
PID 2604 wrote to memory of 3044	2604	yDJQK0Iv0NrdhqHw.exe	32
PID 3044 wrote to memory of 1824	3044	cmd.exe	34
PID 3044 wrote to memory of 1824	3044	cmd.exe	34
PID 3044 wrote to memory of 1824	3044	cmd.exe	34
PID 3044 wrote to memory of 1824	3044	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\8d83368e27aeb1713f73571137175372.exe
"C:\Users\Admin\AppData\Local\Temp\8d83368e27aeb1713f73571137175372.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yDJQK0Iv0NrdhqHw.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yDJQK0Iv0NrdhqHw.exe" "C:\Users\Admin\AppData\Local\Temp\8d83368e27aeb1713f73571137175372.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2084

C:\Users\Admin\AppData\Local\Temp\8d83368e27aeb1713f73571137175372.exe
"C:\Users\Admin\AppData\Local\Temp\8d83368e27aeb1713f73571137175372.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2896

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yDJQK0Iv0NrdhqHw.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yDJQK0Iv0NrdhqHw.exe" "C:\Users\Admin\AppData\Local\Temp\8d83368e27aeb1713f73571137175372.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 284
    3⤵
    - Program crash
    PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yDJQK0Iv0NrdhqHw.exe

Filesize
775KB

MD5
33e99e6ffcfeb89674695e4dd91708ab

SHA1
97b0851266f75dfc216333e09b6b0dce7d42f444

SHA256
38b5ee5322b03668a8d46b207c804b9551ab4d3a194ffaf4bfeb28eba0799129

SHA512
8b536da6ea66403247aa88356ad9c46ab7d7450dcf047ac80a408e849625cb1cef02cfd24027e2836132b74b9cb3b5271df937cf11abd672272934f2b888d5ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yDJQK0Iv0NrdhqHw.exe

Filesize
719KB

MD5
c24cf977fd00adb57c659d1e47f9012f

SHA1
5565cfdff367579a3573f2ac8622ef7a5d1a36d4

SHA256
b28db746760209e0b2498a4056d8c12f3d5f839d19b1f4135e4ec0aa3714c1bc

SHA512
6834f6565022cda653bcbf85a2c697925974b0fc03d6f268ec0d206500d68fcf52c674c338385ab135ddc8257b1e50ac714048a14e59daec79a6f5b19f4b11de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yDJQK0Iv0NrdhqHw.exe

Filesize
529KB

MD5
5cb08beb446508117a13ce84237e453a

SHA1
c16db1e0656f888823922403c7b91e3a8cc653f7

SHA256
f2da106105c32ab017ce4ab95585c3dc0d488ff7fbbf7daa6b84dd9ac335cb8c

SHA512
426ee4ffc599e51956c3ce78bd1baf3dcb47fd5922dae2aa26930edf3d46ee2f2cb91eba1b21a8a8f5cc79874547146dd8d25058e14538fbb7e0c4757aba8e54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yDJQK0Iv0NrdhqHw.exe

Filesize
585KB

MD5
b4a392d9f4ccc3ad85554cdeecaf422b

SHA1
bca3895370f0e74267d95ff045e31d6aef408d8a

SHA256
07ecc2ad22aa1c40048e30267e79999153a471bcf0e8c65650999ee7946db644

SHA512
3d0e5e430b42850c56e50aef141ada59217eedfe348491deb98cb8e497a0c80a6d87652c70e4cb567dfdcba8ca0f3fa97c99371fa01d768036582c0ee6a4095c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yDJQK0Iv0NrdhqHw.exe

Filesize
556KB

MD5
3ea893ae9d0ae5bfd2df834115f2c6ad

SHA1
6a7c8cbfae453039259796865ba75b7e495e69f9

SHA256
2e7b27343ddb9b64ced3a851dd1bc07d12d41e0ad344edf14016d067d8aae94b

SHA512
b3f507e28487bc23e618af28b0d14a80c8b8acce0ef32b865e1eeea13055ad8f6ef281d8b83021747ffd48c0188c735950d50a5bb754b876fb10d1d7c7b97a1e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yDJQK0Iv0NrdhqHw.exe

Filesize
825KB

MD5
24d57fe2583a1f2269ac51ff2d475c6b

SHA1
b9c6fdb2b5f430a5aa5108ce3cf8aca6a5d78a10

SHA256
21874fd4a97ba279b2d67ce1267632d934177a2064b734d1ea897b435092a3de

SHA512
e57ac82e20cb6b4694c0820b4f70cdd4d252ff5400da25f448d2cbbe03b3ac5c2f532ea9343238eb8f3a9f81475aff018f8bbddea35069b84a5646de8c82079d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yDJQK0Iv0NrdhqHw.exe

Filesize
798KB

MD5
592e09dd8a8919d8cf768a7584856fa6

SHA1
c967bca6240bbe41ae2593b1b76de49434cb987d

SHA256
a0ad9b133571ee1e4120fcd7c592551bd87668541d9c64c8772708a19e10d023

SHA512
3b399054594cddba1514051cbe7d4784cc8204dadde7b96a8420cd70bafe49da485f06ff7990a99f6f258bd2987fd6a6cc6fbf40c992e6bec559f8b194f562fc

Download Submit
memory/2084-16-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2084-20-0x00000000020E0000-0x00000000024DE000-memory.dmp

Filesize
4.0MB

Download
memory/2604-26-0x0000000076EC0000-0x0000000076EC1000-memory.dmp

Filesize
4KB

Download
memory/2604-25-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2604-24-0x0000000076EC0000-0x0000000076EC1000-memory.dmp

Filesize
4KB

Download
memory/2604-31-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2604-21-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2604-32-0x00000000023B0000-0x000000000244E000-memory.dmp

Filesize
632KB

Download
memory/2604-23-0x00000000023B0000-0x000000000244E000-memory.dmp

Filesize
632KB

Download
memory/2756-1-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2756-3-0x0000000000800000-0x000000000089E000-memory.dmp

Filesize
632KB

Download
memory/2756-15-0x0000000000800000-0x000000000089E000-memory.dmp

Filesize
632KB

Download
memory/2756-14-0x0000000005C80000-0x000000000607E000-memory.dmp

Filesize
4.0MB

Download
memory/2756-13-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2896-2-0x0000000002140000-0x000000000253E000-memory.dmp

Filesize
4.0MB

Download
memory/2896-0-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/3044-47-0x0000000000150000-0x00000000001E9000-memory.dmp

Filesize
612KB

Download
memory/3044-50-0x0000000000F60000-0x0000000000FFE000-memory.dmp

Filesize
632KB

Download
memory/3044-27-0x00000000002F0000-0x0000000000F42000-memory.dmp

Filesize
12.3MB

Download
memory/3044-30-0x0000000000150000-0x00000000001E9000-memory.dmp

Filesize
612KB

Download
memory/3044-29-0x0000000000150000-0x00000000001E9000-memory.dmp

Filesize
612KB

Download
memory/3044-87-0x0000000000F60000-0x0000000000FFE000-memory.dmp

Filesize
632KB

Download
memory/3044-88-0x0000000000F60000-0x0000000000FFE000-memory.dmp

Filesize
632KB

Download
memory/3044-89-0x0000000076EC0000-0x0000000076EC1000-memory.dmp

Filesize
4KB

Download
memory/3044-86-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/3044-85-0x0000000076EC0000-0x0000000076EC1000-memory.dmp

Filesize
4KB

Download
memory/3044-90-0x0000000000150000-0x00000000001E9000-memory.dmp

Filesize
612KB

Download
memory/3044-91-0x0000000000F60000-0x0000000000FFE000-memory.dmp

Filesize
632KB

Download
memory/3044-92-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing