80a97158281ad3a2d4fccc0ca9cb92b16f824d128418f977abb4cc7b098fdd69

General

Target

8efbbcfb771a2062e0c1c957f3589f8b.exe
Size

159KB
MD5

8efbbcfb771a2062e0c1c957f3589f8b
SHA1

4a7a431cab162690d984d5dcf352de0e57fb7d8d
SHA256

80a97158281ad3a2d4fccc0ca9cb92b16f824d128418f977abb4cc7b098fdd69
SHA512

6ed83b4b29c094c7924b0b8ffa9c720166bbf78555200dc58adf58da5255b874b319c412185f26e6205435edfcd47613bb7cedca1654866241b3ae8a87db0324
SSDEEP

3072:J7IAwHYNoG5/A3GhSWN0kmMm7gFzYVR3HuFWRHRzPq6vrX9qDe:J8ATXm1LNuFuNnX4D

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2008	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2648	scitffn.exe

Loads dropped DLL 4 IoCs

pid	Process
2008	cmd.exe
2008	cmd.exe
2648	scitffn.exe
2648	scitffn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2972	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2124	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2648	scitffn.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2648	scitffn.exe
2648	scitffn.exe
2648	scitffn.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2648	scitffn.exe
2648	scitffn.exe
2648	scitffn.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2008	2216	8efbbcfb771a2062e0c1c957f3589f8b.exe	16
PID 2216 wrote to memory of 2008	2216	8efbbcfb771a2062e0c1c957f3589f8b.exe	16
PID 2216 wrote to memory of 2008	2216	8efbbcfb771a2062e0c1c957f3589f8b.exe	16
PID 2216 wrote to memory of 2008	2216	8efbbcfb771a2062e0c1c957f3589f8b.exe	16
PID 2008 wrote to memory of 2972	2008	cmd.exe	17
PID 2008 wrote to memory of 2972	2008	cmd.exe	17
PID 2008 wrote to memory of 2972	2008	cmd.exe	17
PID 2008 wrote to memory of 2972	2008	cmd.exe	17
PID 2008 wrote to memory of 2124	2008	cmd.exe	23
PID 2008 wrote to memory of 2124	2008	cmd.exe	23
PID 2008 wrote to memory of 2124	2008	cmd.exe	23
PID 2008 wrote to memory of 2124	2008	cmd.exe	23
PID 2008 wrote to memory of 2648	2008	cmd.exe	33
PID 2008 wrote to memory of 2648	2008	cmd.exe	33
PID 2008 wrote to memory of 2648	2008	cmd.exe	33
PID 2008 wrote to memory of 2648	2008	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\8efbbcfb771a2062e0c1c957f3589f8b.exe
"C:\Users\Admin\AppData\Local\Temp\8efbbcfb771a2062e0c1c957f3589f8b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2216 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\8efbbcfb771a2062e0c1c957f3589f8b.exe" & start C:\Users\Admin\AppData\Local\scitffn.exe -f
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /pid 2216
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:2124
- - C:\Users\Admin\AppData\Local\scitffn.exe
    C:\Users\Admin\AppData\Local\scitffn.exe -f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\scitffn.exe

Filesize
159KB

MD5
8efbbcfb771a2062e0c1c957f3589f8b

SHA1
4a7a431cab162690d984d5dcf352de0e57fb7d8d

SHA256
80a97158281ad3a2d4fccc0ca9cb92b16f824d128418f977abb4cc7b098fdd69

SHA512
6ed83b4b29c094c7924b0b8ffa9c720166bbf78555200dc58adf58da5255b874b319c412185f26e6205435edfcd47613bb7cedca1654866241b3ae8a87db0324

Download Submit
\Users\Admin\AppData\Local\scitffn.exe

Filesize
154KB

MD5
bb5f018ae7fb1b7de45fb53f857a8478

SHA1
337ba7325dc01bd441ec5ae2bcc3f81489b3aa29

SHA256
5ee264dd07c359b4fb37c17c46be233b5029aee0560aed5a6ec7d5f7638834bb

SHA512
e4bade2e81457248f41df0b76fcca88b1be96b144119655652f35e6047dfd6bb20774fa17ae58e9d20caa12b7a99775a8a8c0ca952be54aeb00dce216b713219

Download Submit
memory/2216-3-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/2216-2-0x0000000001000000-0x00000000010D1000-memory.dmp

Filesize
836KB

Download
memory/2216-4-0x0000000001000000-0x00000000010D1000-memory.dmp

Filesize
836KB

Download
memory/2216-0-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2648-14-0x0000000001000000-0x00000000010D1000-memory.dmp

Filesize
836KB

Download
memory/2648-9-0x0000000001000000-0x00000000010D1000-memory.dmp

Filesize
836KB

Download
memory/2648-10-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2648-15-0x0000000001000000-0x00000000010D1000-memory.dmp

Filesize
836KB

Download
memory/2648-16-0x0000000001000000-0x00000000010D1000-memory.dmp

Filesize
836KB

Download
memory/2648-18-0x0000000001000000-0x00000000010D1000-memory.dmp

Filesize
836KB

Download
memory/2648-19-0x0000000001000000-0x00000000010D1000-memory.dmp

Filesize
836KB

Download
memory/2648-20-0x0000000001000000-0x00000000010D1000-memory.dmp

Filesize
836KB

Download
memory/2648-21-0x0000000001000000-0x00000000010D1000-memory.dmp

Filesize
836KB

Download
memory/2648-22-0x0000000001000000-0x00000000010D1000-memory.dmp

Filesize
836KB

Download

Analysis

Sharing