bd10e1a80d03bb4929da66d11d90c7ff9573857993eb12bd475a3c6e55add2c1

General

Target

9a44da8c7864f8b677f5497a7f6ffad8.exe
Size

3.4MB
MD5

9a44da8c7864f8b677f5497a7f6ffad8
SHA1

cc0e06f7b68d201b845655ce9826cb7967adfb91
SHA256

bd10e1a80d03bb4929da66d11d90c7ff9573857993eb12bd475a3c6e55add2c1
SHA512

7671e6ea19d06abe8f4359e31cb4706e9ed7b285f35af59c08f73cca459236a089680149754a2f9071c4be3df726d068db08ab353cdc61a4ac48a3c87db30be2
SSDEEP

49152:yMGztB4KZTqjkovMpF7bXohvZxC1YoAGFo0KY9lSDU4wnG+VbbNKSb3otwyw9J+O:sPLI9v6FfXk+WU1KowKGMbleOJL6W

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0TnNEyU.exe	9a44da8c7864f8b677f5497a7f6ffad8.exe

Executes dropped EXE 2 IoCs

pid	Process
2892	0TnNEyU.exe
2908	0TnNEyU.exe

Loads dropped DLL 3 IoCs

pid	Process
2276	9a44da8c7864f8b677f5497a7f6ffad8.exe
2276	9a44da8c7864f8b677f5497a7f6ffad8.exe
2892	0TnNEyU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
108	2616	WerFault.exe	32

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2908	0TnNEyU.exe
2908	0TnNEyU.exe
2908	0TnNEyU.exe
2908	0TnNEyU.exe
2908	0TnNEyU.exe
2908	0TnNEyU.exe
2908	0TnNEyU.exe
2908	0TnNEyU.exe
2908	0TnNEyU.exe
2908	0TnNEyU.exe
2908	0TnNEyU.exe
2908	0TnNEyU.exe
2908	0TnNEyU.exe
2908	0TnNEyU.exe
2908	0TnNEyU.exe
2908	0TnNEyU.exe
2908	0TnNEyU.exe
2616	cmd.exe
2616	cmd.exe
2616	cmd.exe
2616	cmd.exe
2616	cmd.exe
2616	cmd.exe
2616	cmd.exe
2616	cmd.exe
2616	cmd.exe
2616	cmd.exe
2616	cmd.exe
2616	cmd.exe
2616	cmd.exe
2616	cmd.exe
2616	cmd.exe
2616	cmd.exe
2616	cmd.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2276	1708	9a44da8c7864f8b677f5497a7f6ffad8.exe	28
PID 1708 wrote to memory of 2276	1708	9a44da8c7864f8b677f5497a7f6ffad8.exe	28
PID 1708 wrote to memory of 2276	1708	9a44da8c7864f8b677f5497a7f6ffad8.exe	28
PID 1708 wrote to memory of 2276	1708	9a44da8c7864f8b677f5497a7f6ffad8.exe	28
PID 2276 wrote to memory of 2892	2276	9a44da8c7864f8b677f5497a7f6ffad8.exe	30
PID 2276 wrote to memory of 2892	2276	9a44da8c7864f8b677f5497a7f6ffad8.exe	30
PID 2276 wrote to memory of 2892	2276	9a44da8c7864f8b677f5497a7f6ffad8.exe	30
PID 2276 wrote to memory of 2892	2276	9a44da8c7864f8b677f5497a7f6ffad8.exe	30
PID 2892 wrote to memory of 2908	2892	0TnNEyU.exe	31
PID 2892 wrote to memory of 2908	2892	0TnNEyU.exe	31
PID 2892 wrote to memory of 2908	2892	0TnNEyU.exe	31
PID 2892 wrote to memory of 2908	2892	0TnNEyU.exe	31
PID 2908 wrote to memory of 2616	2908	0TnNEyU.exe	32
PID 2908 wrote to memory of 2616	2908	0TnNEyU.exe	32
PID 2908 wrote to memory of 2616	2908	0TnNEyU.exe	32
PID 2908 wrote to memory of 2616	2908	0TnNEyU.exe	32
PID 2908 wrote to memory of 2616	2908	0TnNEyU.exe	32
PID 2908 wrote to memory of 2616	2908	0TnNEyU.exe	32
PID 2616 wrote to memory of 108	2616	cmd.exe	34
PID 2616 wrote to memory of 108	2616	cmd.exe	34
PID 2616 wrote to memory of 108	2616	cmd.exe	34
PID 2616 wrote to memory of 108	2616	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\9a44da8c7864f8b677f5497a7f6ffad8.exe
"C:\Users\Admin\AppData\Local\Temp\9a44da8c7864f8b677f5497a7f6ffad8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\9a44da8c7864f8b677f5497a7f6ffad8.exe
  "C:\Users\Admin\AppData\Local\Temp\9a44da8c7864f8b677f5497a7f6ffad8.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0TnNEyU.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0TnNEyU.exe" "C:\Users\Admin\AppData\Local\Temp\9a44da8c7864f8b677f5497a7f6ffad8.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0TnNEyU.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0TnNEyU.exe" "C:\Users\Admin\AppData\Local\Temp\9a44da8c7864f8b677f5497a7f6ffad8.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 284
        6⤵
        Program crash
        
        PID:108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0TnNEyU.exe

Filesize
2.0MB

MD5
8343897dd1e8d5c0f1569a10388c8598

SHA1
7e81cd1857e9681e48738d2898092661caf14e7a

SHA256
e9f65643df6dbb133979372f70601c269c670749f558dd99ddb8eafb5f830ae7

SHA512
c6bd10544192dad0fb1f562de06d283cf7999576749e6661f1fa507cf3cd0aee1161976c9c50135abbe650ca3a230ab6e562603dbdb0f9348fe33587a5ef2e6f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0TnNEyU.exe

Filesize
1.6MB

MD5
e6632066f9058c2c526eff0864511518

SHA1
698b3425b8fda06c06df0f85426ea5cb34f85267

SHA256
73ead995b770159e7fccc0a6392149fa27915de1c730b55d3d3af064257be666

SHA512
15f58445b3b9128909167c97df38c8a3759402d60c10b9b390e414bb622fa554dfca39a4a7a63b6f57664ddaae07285dd0b71449c04b17cebf965bf922718f1a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0TnNEyU.exe

Filesize
3.4MB

MD5
b43a9de9e34339c4da1801f8b06699cd

SHA1
7fd1257d25893ab2b9ce6888ec920fcae62f11c1

SHA256
efb4c7a1a3583e9864d993765bbf51b8dcc7fa8a94a10bf843ab823afb33ba29

SHA512
3053950b0d469839fc52ade64322979c87985f90882bba70c6bd90bbc121c119856d355556ad9f86e9a19a116750742b1fb6372bb0c59dec97fa865f30277304

Download Submit
memory/1708-2-0x0000000002120000-0x000000000251E000-memory.dmp

Filesize
4.0MB

Download
memory/1708-0-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2276-1-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2276-3-0x0000000000320000-0x00000000003BE000-memory.dmp

Filesize
632KB

Download
memory/2276-12-0x0000000005440000-0x000000000583E000-memory.dmp

Filesize
4.0MB

Download
memory/2276-14-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2276-16-0x0000000000320000-0x00000000003BE000-memory.dmp

Filesize
632KB

Download
memory/2616-90-0x0000000002D40000-0x0000000002DDE000-memory.dmp

Filesize
632KB

Download
memory/2616-34-0x0000000002D40000-0x0000000002DDE000-memory.dmp

Filesize
632KB

Download
memory/2616-85-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2616-89-0x0000000002CA0000-0x0000000002D39000-memory.dmp

Filesize
612KB

Download
memory/2616-91-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2616-88-0x0000000002D40000-0x0000000002DDE000-memory.dmp

Filesize
632KB

Download
memory/2616-26-0x0000000000650000-0x00000000012A2000-memory.dmp

Filesize
12.3MB

Download
memory/2616-84-0x0000000077690000-0x0000000077691000-memory.dmp

Filesize
4KB

Download
memory/2616-29-0x0000000002CA0000-0x0000000002D39000-memory.dmp

Filesize
612KB

Download
memory/2616-31-0x0000000002CA0000-0x0000000002D39000-memory.dmp

Filesize
612KB

Download
memory/2616-87-0x0000000002D40000-0x0000000002DDE000-memory.dmp

Filesize
632KB

Download
memory/2616-86-0x0000000077690000-0x0000000077691000-memory.dmp

Filesize
4KB

Download
memory/2892-15-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2892-28-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2908-24-0x0000000077690000-0x0000000077691000-memory.dmp

Filesize
4KB

Download
memory/2908-33-0x0000000000320000-0x00000000003BE000-memory.dmp

Filesize
632KB

Download
memory/2908-32-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2908-25-0x0000000077690000-0x0000000077691000-memory.dmp

Filesize
4KB

Download
memory/2908-23-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/2908-22-0x0000000077690000-0x0000000077691000-memory.dmp

Filesize
4KB

Download
memory/2908-21-0x0000000000320000-0x00000000003BE000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing