815fe5b643e336ece5af687fd74bc1b15286591dcf5d961ed6793e00aeef1b32

General

Target

VirusShare-1d91bcd70a99c3515b337c628b5b559d.exe
Size

97KB
MD5

1d91bcd70a99c3515b337c628b5b559d
SHA1

f366968f20ab292ae03219fcffcf23114a3016b5
SHA256

815fe5b643e336ece5af687fd74bc1b15286591dcf5d961ed6793e00aeef1b32
SHA512

996e537fd4c8bb20c7a4efe88a22de1b5d7be00fe3a6012622329cbf6af7ac451e9fc5ca3596159c88590bd05fb08e7dac9012ee21f516dfc2fdd5dd8ca4a06e
SSDEEP

3072:9+eYMX7jf+i6JJ+2aylNK0qq/Ekqq/4Lb9XPc2+/px:wXDi6y2/l00qvkqbLpc28

Score

10^/10

evasion

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	VirusShare-1d91bcd70a99c3515b337c628b5b559d.exe

Executes dropped EXE 1 IoCs

pid	Process
2700	o.i.exe

Loads dropped DLL 4 IoCs

pid	Process
1568	VirusShare-1d91bcd70a99c3515b337c628b5b559d.exe
1568	VirusShare-1d91bcd70a99c3515b337c628b5b559d.exe
1568	VirusShare-1d91bcd70a99c3515b337c628b5b559d.exe
1568	VirusShare-1d91bcd70a99c3515b337c628b5b559d.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\mo.I	VirusShare-1d91bcd70a99c3515b337c628b5b559d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.esj	VirusShare-1d91bcd70a99c3515b337c628b5b559d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.esj\ = "JSEFile"	VirusShare-1d91bcd70a99c3515b337c628b5b559d.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 2228	1568	VirusShare-1d91bcd70a99c3515b337c628b5b559d.exe	28
PID 1568 wrote to memory of 2228	1568	VirusShare-1d91bcd70a99c3515b337c628b5b559d.exe	28
PID 1568 wrote to memory of 2228	1568	VirusShare-1d91bcd70a99c3515b337c628b5b559d.exe	28
PID 1568 wrote to memory of 2228	1568	VirusShare-1d91bcd70a99c3515b337c628b5b559d.exe	28
PID 1568 wrote to memory of 2700	1568	VirusShare-1d91bcd70a99c3515b337c628b5b559d.exe	30
PID 1568 wrote to memory of 2700	1568	VirusShare-1d91bcd70a99c3515b337c628b5b559d.exe	30
PID 1568 wrote to memory of 2700	1568	VirusShare-1d91bcd70a99c3515b337c628b5b559d.exe	30
PID 1568 wrote to memory of 2700	1568	VirusShare-1d91bcd70a99c3515b337c628b5b559d.exe	30

C:\Users\Admin\AppData\Local\Temp\VirusShare-1d91bcd70a99c3515b337c628b5b559d.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare-1d91bcd70a99c3515b337c628b5b559d.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\SysWOW64\CMD.exe
  "C:\Windows\system32\CMD.exe" /c copy C:\Windows\system32\mo.I C:\Windows\system32\letAo.ICo /Y
  2⤵
  PID:2228
- C:\Users\Admin\AppData\Local\Temp\o.i.exe
  "C:\Users\Admin\AppData\Local\Temp\o.i.exe" "C:\Users\Admin\AppData\Local\Temp\co.esj"
  2⤵
  - Executes dropped EXE
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nc\231546465654879.txt

Filesize
10KB

MD5
ca12d5cb1157a358b3372399d7f755a7

SHA1
58526974fa83dea844acd64290e13a2bcbaf96b7

SHA256
0b20b428e376bc266a1a6dbc5fc440ef2b3ef701de0dcba2da3f30aae5897163

SHA512
a51143d1de5fef5de5c2c5555449341629acd3b45cffdfe54a39db987f5d01c127f0439e110de8cca5eba0103bb1b40daaf2f445914bff5d4f65efdeb12300cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nc\o.I

Filesize
14KB

MD5
468fada123f5548ac87e57bae81f6782

SHA1
edb8f012c25906e6afd8bf335b495e16c440243d

SHA256
091c882bb307d57f2c7c42309e7ba8740130fef8c3ed772b0bc5e5505e37034d

SHA512
635ec26c88c2394dd4f2a81b9aea8f429a91adfeb37ae34e51b03f3cf8e503c123c3685938f40cea07d6146e0c7113aadbe62fa528f1f6d8b995e617fd68a4aa

Download Submit
\Users\Admin\AppData\Local\Temp\nso1DBF.tmp\nsExec.dll

Filesize
6KB

MD5
4d9e573fe1168379555d0d55b0628d3b

SHA1
cd73704040704504fc61f8a1d0427cb1b9237854

SHA256
4ec84fe474f324244bfd050bb91a994ad3a7aadd9118baaed164ca5b74246409

SHA512
0a87b1a42f175dbb90eeda58a785e34fc83cc3f6743c8e880dfe563ae86d2255fe5db6e980060c67b4178ab2d4220f2049af43f1b9b1312f21ef02f18b307504

Download Submit
\Users\Admin\AppData\Local\Temp\o.I.exe

Filesize
138KB

MD5
d1ab72db2bedd2f255d35da3da0d4b16

SHA1
860265276b29b42b8c4b077e5c651def9c81b6e9

SHA256
047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0

SHA512
b46830742eebc85e731c14f7dc72cc6734fcc79aab46f6080c95589c438c4cca0a069027badc0a8a78e4deeb31cdf38df3d63db679b793212a32efdad7bb8185

Download Submit
memory/1568-0-0x0000000000400000-0x0000000000438200-memory.dmp

Filesize
224KB

Download
memory/1568-37-0x0000000000400000-0x0000000000438200-memory.dmp

Filesize
224KB

Download

Analysis

Sharing