cfc4a9c88dfd582a9146ffcac40af898755d7fcb372aaaade5627fa09ad9b497

General

Target

b5e5602f5d31013cf079f27284fe33f8.exe
Size

3.4MB
MD5

b5e5602f5d31013cf079f27284fe33f8
SHA1

3469fb7cb8a9525d2e6762e80986c86f1d0aba63
SHA256

cfc4a9c88dfd582a9146ffcac40af898755d7fcb372aaaade5627fa09ad9b497
SHA512

ba7e38cfc426622d5a9bac11770f38f4cbd9140cbe62143ea442ba4a011900f10357484eebc3e3a6bc4c9ef094928b02d8b9a754f1f684a0f1c8be397aad718b
SSDEEP

49152:P5RVdJK4h+ZXuGOwg8S1WCfftlBO6XwhO+yAWZTSEFeodqN/i4fWxEXqBB:84h+Z+GOwiWCffJO42O/1FexK3B

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\o4UvN7Tli7N.exe	b5e5602f5d31013cf079f27284fe33f8.exe

Executes dropped EXE 2 IoCs

pid	Process
1904	o4UvN7Tli7N.exe
2384	o4UvN7Tli7N.exe

Loads dropped DLL 3 IoCs

pid	Process
2872	b5e5602f5d31013cf079f27284fe33f8.exe
2872	b5e5602f5d31013cf079f27284fe33f8.exe
1904	o4UvN7Tli7N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2004	2408	WerFault.exe	32

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2384	o4UvN7Tli7N.exe
2384	o4UvN7Tli7N.exe
2384	o4UvN7Tli7N.exe
2384	o4UvN7Tli7N.exe
2384	o4UvN7Tli7N.exe
2384	o4UvN7Tli7N.exe
2384	o4UvN7Tli7N.exe
2384	o4UvN7Tli7N.exe
2384	o4UvN7Tli7N.exe
2384	o4UvN7Tli7N.exe
2384	o4UvN7Tli7N.exe
2384	o4UvN7Tli7N.exe
2384	o4UvN7Tli7N.exe
2384	o4UvN7Tli7N.exe
2384	o4UvN7Tli7N.exe
2384	o4UvN7Tli7N.exe
2384	o4UvN7Tli7N.exe
2408	cmd.exe
2408	cmd.exe
2408	cmd.exe
2408	cmd.exe
2408	cmd.exe
2408	cmd.exe
2408	cmd.exe
2408	cmd.exe
2408	cmd.exe
2408	cmd.exe
2408	cmd.exe
2408	cmd.exe
2408	cmd.exe
2408	cmd.exe
2408	cmd.exe
2408	cmd.exe
2408	cmd.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2872	2664	b5e5602f5d31013cf079f27284fe33f8.exe	28
PID 2664 wrote to memory of 2872	2664	b5e5602f5d31013cf079f27284fe33f8.exe	28
PID 2664 wrote to memory of 2872	2664	b5e5602f5d31013cf079f27284fe33f8.exe	28
PID 2664 wrote to memory of 2872	2664	b5e5602f5d31013cf079f27284fe33f8.exe	28
PID 2872 wrote to memory of 1904	2872	b5e5602f5d31013cf079f27284fe33f8.exe	30
PID 2872 wrote to memory of 1904	2872	b5e5602f5d31013cf079f27284fe33f8.exe	30
PID 2872 wrote to memory of 1904	2872	b5e5602f5d31013cf079f27284fe33f8.exe	30
PID 2872 wrote to memory of 1904	2872	b5e5602f5d31013cf079f27284fe33f8.exe	30
PID 1904 wrote to memory of 2384	1904	o4UvN7Tli7N.exe	31
PID 1904 wrote to memory of 2384	1904	o4UvN7Tli7N.exe	31
PID 1904 wrote to memory of 2384	1904	o4UvN7Tli7N.exe	31
PID 1904 wrote to memory of 2384	1904	o4UvN7Tli7N.exe	31
PID 2384 wrote to memory of 2408	2384	o4UvN7Tli7N.exe	32
PID 2384 wrote to memory of 2408	2384	o4UvN7Tli7N.exe	32
PID 2384 wrote to memory of 2408	2384	o4UvN7Tli7N.exe	32
PID 2384 wrote to memory of 2408	2384	o4UvN7Tli7N.exe	32
PID 2384 wrote to memory of 2408	2384	o4UvN7Tli7N.exe	32
PID 2384 wrote to memory of 2408	2384	o4UvN7Tli7N.exe	32
PID 2408 wrote to memory of 2004	2408	cmd.exe	34
PID 2408 wrote to memory of 2004	2408	cmd.exe	34
PID 2408 wrote to memory of 2004	2408	cmd.exe	34
PID 2408 wrote to memory of 2004	2408	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\b5e5602f5d31013cf079f27284fe33f8.exe
"C:\Users\Admin\AppData\Local\Temp\b5e5602f5d31013cf079f27284fe33f8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\b5e5602f5d31013cf079f27284fe33f8.exe
  "C:\Users\Admin\AppData\Local\Temp\b5e5602f5d31013cf079f27284fe33f8.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\o4UvN7Tli7N.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\o4UvN7Tli7N.exe" "C:\Users\Admin\AppData\Local\Temp\b5e5602f5d31013cf079f27284fe33f8.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\o4UvN7Tli7N.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\o4UvN7Tli7N.exe" "C:\Users\Admin\AppData\Local\Temp\b5e5602f5d31013cf079f27284fe33f8.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2408
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 284
        6⤵
        Program crash
        
        PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\o4UvN7Tli7N.exe

Filesize
192KB

MD5
887aa637df7c78799502155aaef35878

SHA1
a1080d686537ac7e9935ae23f6f8012a57eec791

SHA256
f108290f19818951b6635d3cb6ccde165b5aea0d175976753834ef7d68b1b4ed

SHA512
0943106e844df8591f08a6b89d8f17f9cbc437d8bc2099d555f3e03b98bbbf873de8c13b930c3433452e24182f5b76acc1932e1c8a8bcb19de3f19c6a61973fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\o4UvN7Tli7N.exe

Filesize
1.1MB

MD5
577c39eb994382fdbaaf525d58af0118

SHA1
f36babee832d8dca745e6ed8f6309bbaf1ab1569

SHA256
22c6ab693dbf8d43f8d6cfa737fec8953632dee9a2b1fd061b538a3e4151ce50

SHA512
39dd219d975637d6ae48e98cc8179104b23860313c24c54646161af96092f6c639114beec078934ca3855a6097502b49d574581427c59ab8d6093473a45496ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\o4UvN7Tli7N.exe

Filesize
3.4MB

MD5
a00a138bd89ca70f8674f61d7fbf8f39

SHA1
73782bf63ab413bede5e99f9ced44e8974b18c85

SHA256
7194e18643727d094ca7811b3401c97fcc4453aa607b9a0595c87aabb2f8741c

SHA512
ce85f7b6a49c3fedf0da2c494d2a90ea4e577695c2bcc57108edd3fc1306e89df59a5127c80913d18328ed4ba8c4a949b1ab6d40f2948d72758777793cc18711

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\o4UvN7Tli7N.exe

Filesize
3.4MB

MD5
f3122768d60f1285a84ab6804c32cb2e

SHA1
d71166da0f7463370a381edf2023dee055a818f0

SHA256
8f1789ccc0df71b8c48673b0557cb641e4e94587d37cc5d852c6bf4da25c3694

SHA512
0d9325575669de8463c2ca034a3da9c517c9def7cb341027679480fecb64236701a9cf38846ad53d7939b27f0a6f4c3653b6fa5cf6a1696e2571db70dc0a1fe2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\o4UvN7Tli7N.exe

Filesize
768KB

MD5
815ae4c0090b68efd1f88aa3ab5abc83

SHA1
950e7c4a272eaca2e2051054d07a608cb7049788

SHA256
76687ef428a3009fb4390f9c8f08002a2faf0b534dc8fe636289074cb0843466

SHA512
9bd2c6c387d264aba8f68594eb0213fdf0764f34586be98c86a768f86c2da5e867ad4d2e20e73e25da66d12086ffe8246825dcd4f8871d64cb5b61b2d5668a91

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\o4UvN7Tli7N.exe

Filesize
256KB

MD5
f3a11180706d7dc72f96b561c47f3896

SHA1
758fe7fa2f3b88332c3d0fa180510e2fe406906b

SHA256
2b0d63c3f7933e4ee8ccf1c3bc7347388294c7571054bf60f8f33ed3330c9f87

SHA512
1145795cc7e42dfe3411cf475547bd52afc65fd91e5698c3a3718a805138f6480961964fb07dc4b6f4b3527642ed5272f8906bf2ed1206c1a2562114163db7d2

Download Submit
memory/1904-17-0x0000000002300000-0x00000000026FE000-memory.dmp

Filesize
4.0MB

Download
memory/1904-16-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2384-24-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2384-22-0x0000000000330000-0x00000000003CE000-memory.dmp

Filesize
632KB

Download
memory/2384-34-0x0000000000330000-0x00000000003CE000-memory.dmp

Filesize
632KB

Download
memory/2384-27-0x00000000771B0000-0x00000000771B1000-memory.dmp

Filesize
4KB

Download
memory/2384-26-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2384-25-0x00000000771B0000-0x00000000771B1000-memory.dmp

Filesize
4KB

Download
memory/2408-35-0x0000000002F20000-0x0000000002FBE000-memory.dmp

Filesize
632KB

Download
memory/2408-88-0x00000000771B0000-0x00000000771B1000-memory.dmp

Filesize
4KB

Download
memory/2408-92-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2408-91-0x0000000002D30000-0x0000000002DC9000-memory.dmp

Filesize
612KB

Download
memory/2408-28-0x0000000000900000-0x0000000001552000-memory.dmp

Filesize
12.3MB

Download
memory/2408-30-0x0000000002D30000-0x0000000002DC9000-memory.dmp

Filesize
612KB

Download
memory/2408-32-0x0000000002D30000-0x0000000002DC9000-memory.dmp

Filesize
612KB

Download
memory/2408-90-0x0000000002F20000-0x0000000002FBE000-memory.dmp

Filesize
632KB

Download
memory/2408-89-0x0000000002F20000-0x0000000002FBE000-memory.dmp

Filesize
632KB

Download
memory/2408-86-0x00000000771B0000-0x00000000771B1000-memory.dmp

Filesize
4KB

Download
memory/2408-87-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2664-0-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2664-1-0x00000000022A0000-0x000000000269E000-memory.dmp

Filesize
4.0MB

Download
memory/2872-2-0x0000000000320000-0x00000000003BE000-memory.dmp

Filesize
632KB

Download
memory/2872-9-0x00000000050A0000-0x000000000549E000-memory.dmp

Filesize
4.0MB

Download
memory/2872-7-0x00000000050A0000-0x000000000549E000-memory.dmp

Filesize
4.0MB

Download
memory/2872-18-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2872-20-0x0000000000320000-0x00000000003BE000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing