cf2217a1e1ad9a9a2cef56b07678b3903a1e64248dc1d4d52a825360ea5e400a

General

Target

9ad8351daa50447c74caf62fdc2e5eb2.exe
Size

868KB
MD5

9ad8351daa50447c74caf62fdc2e5eb2
SHA1

d9adcc7d7923b4cc06c4f98aaa4561e2272b4333
SHA256

cf2217a1e1ad9a9a2cef56b07678b3903a1e64248dc1d4d52a825360ea5e400a
SHA512

5eb3c69e0edc7b8bab73e52af7898016a1fc14bf0f1df38defa6be281bee96b5e66a504f408844fecd1583517605427b90d094fcca54ab4328f801a5df2b0219
SSDEEP

12288:qnhWE6QNhRMRX6A9O5nT4z0KypCHpDehZwIp8KwckJ5oo8JQOPYL6o0VKmmF/LYq:qhbZ2gAozhZwIppo78J46VVLk/YkF

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2820	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2368	94241828.exe

Loads dropped DLL 5 IoCs

pid	Process
2244	cmd.exe
2244	cmd.exe
2368	94241828.exe
2368	94241828.exe
2368	94241828.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\94241828 = "C:\\ProgramData\\94241828\\94241828.exe"	9ad8351daa50447c74caf62fdc2e5eb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\94241828 = "C:\\PROGRA~3\\94241828\\94241828.exe"	94241828.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2368	94241828.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2368	94241828.exe
2368	94241828.exe
2368	94241828.exe
2368	94241828.exe
2368	94241828.exe
2368	94241828.exe
2368	94241828.exe
2368	94241828.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2368	94241828.exe
2368	94241828.exe
2368	94241828.exe
2368	94241828.exe
2368	94241828.exe
2368	94241828.exe
2368	94241828.exe
2368	94241828.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2820	1220	9ad8351daa50447c74caf62fdc2e5eb2.exe	28
PID 1220 wrote to memory of 2820	1220	9ad8351daa50447c74caf62fdc2e5eb2.exe	28
PID 1220 wrote to memory of 2820	1220	9ad8351daa50447c74caf62fdc2e5eb2.exe	28
PID 1220 wrote to memory of 2820	1220	9ad8351daa50447c74caf62fdc2e5eb2.exe	28
PID 2820 wrote to memory of 2244	2820	cmd.exe	30
PID 2820 wrote to memory of 2244	2820	cmd.exe	30
PID 2820 wrote to memory of 2244	2820	cmd.exe	30
PID 2820 wrote to memory of 2244	2820	cmd.exe	30
PID 2244 wrote to memory of 2368	2244	cmd.exe	31
PID 2244 wrote to memory of 2368	2244	cmd.exe	31
PID 2244 wrote to memory of 2368	2244	cmd.exe	31
PID 2244 wrote to memory of 2368	2244	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\9ad8351daa50447c74caf62fdc2e5eb2.exe
"C:\Users\Admin\AppData\Local\Temp\9ad8351daa50447c74caf62fdc2e5eb2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\ProgramData\94241828\94241828.bat" "
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start C:\PROGRA~3\94241828\94241828.exe /i
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\PROGRA~3\94241828\94241828.exe
      C:\PROGRA~3\94241828\94241828.exe /i
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\94241828\94241828.exe

Filesize
868KB

MD5
9ad8351daa50447c74caf62fdc2e5eb2

SHA1
d9adcc7d7923b4cc06c4f98aaa4561e2272b4333

SHA256
cf2217a1e1ad9a9a2cef56b07678b3903a1e64248dc1d4d52a825360ea5e400a

SHA512
5eb3c69e0edc7b8bab73e52af7898016a1fc14bf0f1df38defa6be281bee96b5e66a504f408844fecd1583517605427b90d094fcca54ab4328f801a5df2b0219

Download Submit
C:\ProgramData\94241828\94241828.bat

Filesize
230B

MD5
d0066c732ebd9877ae3f5bae47f1fd16

SHA1
19e12ce22b65051b0ca6a62c1ddd2f7f8999f0c4

SHA256
91e9752c49a8b7f060b1146b34adddaf6d2bffdfb89704a729623b8b72a0368b

SHA512
8adb197fdc7ebc5d514ab0e2345d140bad5bbdd0267143f684dc4bda1c6663e2b576743bafc3aee7a578bfe3fdbc632a9df314354ace9e166d7755c94be21766

Download Submit
\PROGRA~3\94241828\94241828.exe

Filesize
588KB

MD5
b29aea6f718ff507f52f3f086ec22383

SHA1
5771ab9f14b6d2a9d1ea958266062dee8ed853ac

SHA256
9e46de3dae2de01613c401d12f244df3f783c35817f8266892de944e8890b1ac

SHA512
97f9d6b7f5dcacb9f11db287878d3e8d96c6c691b65029e206fbbfe44f55afda258e59e5351341c085ea78f477f8f476a8b5de7491b4ad191e769cf1d4c8b77e

Download Submit
\PROGRA~3\94241828\94241828.exe

Filesize
256KB

MD5
05b2633ac7ca5a374bee43f0ee8b90bf

SHA1
5a57f187b5304524af1a1707c6d1c954bfd10f6e

SHA256
d9bd5754d6a103e4ba634672c1ee6c8864257c64fe6293b665ff02229e73b8fa

SHA512
aa826adb60f813cea5809241acb86726975a917265bb5e3712657926df407e940f4bb8dc62489794901b7d2826665cf5b9470b75794bf6008c848aa5e2f0033e

Download Submit
memory/1220-9-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1220-2-0x0000000000400000-0x000000000057D004-memory.dmp

Filesize
1.5MB

Download
memory/1220-22-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/1220-5-0x00000000002F0000-0x00000000002F2000-memory.dmp

Filesize
8KB

Download
memory/1220-4-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/1220-3-0x0000000000400000-0x000000000057D004-memory.dmp

Filesize
1.5MB

Download
memory/2368-35-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2368-33-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2368-30-0x0000000000400000-0x000000000057D004-memory.dmp

Filesize
1.5MB

Download
memory/2368-31-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/2368-1070-0x0000000000400000-0x000000000057D004-memory.dmp

Filesize
1.5MB

Download
memory/2368-1219-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/2368-1369-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2368-1519-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads