5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa

General

Target

5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
Size

277KB
MD5

2f5906278b79fd23837acbf174caeec1
SHA1

e5d9fbcc61665b19d0810d01617e762c3c9d9b99
SHA256

5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa
SHA512

fc99c2c80ca1064923178f5a3baaacb405544b26b44d0c3f3d609a1bb6628be18252a87d44ea9d4f4c8d82f31271a4cb9fd8c02eb2d4aaa12c153fd5c2ba5acc
SSDEEP

6144:6Z1gm4z+Rp4PCL8YM6c2G/FtmUPvo39UPdWNN4:6l4qnM6c26s39hNN4

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe

description pid process target process

PID 4652 created 3540 4652 5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe Explorer.EXE

description	pid	process	target process
PID 4652 created 3540	4652	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe	Explorer.EXE

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe

description	ioc	process
File opened (read-only)	\??\M:	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
File opened (read-only)	\??\N:	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
File opened (read-only)	\??\P:	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
File opened (read-only)	\??\S:	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
File opened (read-only)	\??\V:	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
File opened (read-only)	\??\E:	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
File opened (read-only)	\??\H:	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
File opened (read-only)	\??\I:	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
File opened (read-only)	\??\J:	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
File opened (read-only)	\??\W:	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
File opened (read-only)	\??\X:	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
File opened (read-only)	\??\Z:	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
File opened (read-only)	\??\A:	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
File opened (read-only)	\??\G:	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
File opened (read-only)	\??\O:	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
File opened (read-only)	\??\T:	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
File opened (read-only)	\??\B:	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
File opened (read-only)	\??\K:	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
File opened (read-only)	\??\L:	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
File opened (read-only)	\??\Q:	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
File opened (read-only)	\??\R:	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
File opened (read-only)	\??\U:	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
File opened (read-only)	\??\Y:	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe

description	pid	process	target process
PID 4652 wrote to memory of 552	4652	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
PID 4652 wrote to memory of 552	4652	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
PID 4652 wrote to memory of 552	4652	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
PID 552 wrote to memory of 3580	552	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe	cmd.exe
PID 552 wrote to memory of 3580	552	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe	cmd.exe
PID 552 wrote to memory of 3580	552	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe	cmd.exe
PID 4652 wrote to memory of 4936	4652	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe	cmd.exe
PID 4652 wrote to memory of 4936	4652	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe	cmd.exe
PID 4652 wrote to memory of 4936	4652	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe

C:\Users\Admin\AppData\Local\Temp\5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
"C:\Users\Admin\AppData\Local\Temp\5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:4936

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3540
- C:\Users\Admin\AppData\Local\Temp\5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\5c8280c3226fa7078d7dae2f343e255ae2ecda2b0e1ba7348836d967eb35c5aa.exe -network
  2⤵
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:3580