d5400b917851857e8c8b7b31f656dd88d725d83ad61d87cb8a4b896345938ee1

General

Target

b9ecf50bf3a11fc3246362f1eadaf583.exe
Size

318KB
MD5

b9ecf50bf3a11fc3246362f1eadaf583
SHA1

37a3f62ff28f5830cd99646db0a7f413df063209
SHA256

d5400b917851857e8c8b7b31f656dd88d725d83ad61d87cb8a4b896345938ee1
SHA512

6f1ab3ac2c3eeffdc9980c40c6517ea0e997bc15dce043f62971d96fc3e9f63a42dd173bd9174d3eac30836e3b40af0fd853d630fdf3abd2f2a9c93e58eba64d
SSDEEP

6144:0rmHZusx8Y9boWjznxNtJcm7BBtwgmZ2ARREhug0tcOA2klxH9AJjQp/B:0AZusx8Y9b5/xqmLta2ARREhugYcOeqS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2316 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

pfyfjwgvq.exe

pid process

2600 pfyfjwgvq.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exepfyfjwgvq.exe

pid process

2316 cmd.exe
2316 cmd.exe
2600 pfyfjwgvq.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2372 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1504 PING.EXE

pid	process
2316	cmd.exe

pid	process
2316	cmd.exe
2316	cmd.exe
2600	pfyfjwgvq.exe

pid	process
2372	taskkill.exe

pid	process
1504	PING.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

pfyfjwgvq.exe

pid	process
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe
2600	pfyfjwgvq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2372 taskkill.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pfyfjwgvq.exe

pid process

2600 pfyfjwgvq.exe
2600 pfyfjwgvq.exe
2600 pfyfjwgvq.exe
2600 pfyfjwgvq.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pfyfjwgvq.exe

pid process

2600 pfyfjwgvq.exe
2600 pfyfjwgvq.exe
2600 pfyfjwgvq.exe
2600 pfyfjwgvq.exe

description	pid	process
Token: SeDebugPrivilege	2372	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

b9ecf50bf3a11fc3246362f1eadaf583.execmd.exe

description	pid	process	target process
PID 2340 wrote to memory of 2316	2340	b9ecf50bf3a11fc3246362f1eadaf583.exe	cmd.exe
PID 2340 wrote to memory of 2316	2340	b9ecf50bf3a11fc3246362f1eadaf583.exe	cmd.exe
PID 2340 wrote to memory of 2316	2340	b9ecf50bf3a11fc3246362f1eadaf583.exe	cmd.exe
PID 2340 wrote to memory of 2316	2340	b9ecf50bf3a11fc3246362f1eadaf583.exe	cmd.exe
PID 2316 wrote to memory of 2372	2316	cmd.exe	taskkill.exe
PID 2316 wrote to memory of 2372	2316	cmd.exe	taskkill.exe
PID 2316 wrote to memory of 2372	2316	cmd.exe	taskkill.exe
PID 2316 wrote to memory of 2372	2316	cmd.exe	taskkill.exe
PID 2316 wrote to memory of 1504	2316	cmd.exe	PING.EXE
PID 2316 wrote to memory of 1504	2316	cmd.exe	PING.EXE
PID 2316 wrote to memory of 1504	2316	cmd.exe	PING.EXE
PID 2316 wrote to memory of 1504	2316	cmd.exe	PING.EXE
PID 2316 wrote to memory of 2600	2316	cmd.exe	pfyfjwgvq.exe
PID 2316 wrote to memory of 2600	2316	cmd.exe	pfyfjwgvq.exe
PID 2316 wrote to memory of 2600	2316	cmd.exe	pfyfjwgvq.exe
PID 2316 wrote to memory of 2600	2316	cmd.exe	pfyfjwgvq.exe

C:\Users\Admin\AppData\Local\Temp\b9ecf50bf3a11fc3246362f1eadaf583.exe
"C:\Users\Admin\AppData\Local\Temp\b9ecf50bf3a11fc3246362f1eadaf583.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2340 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\b9ecf50bf3a11fc3246362f1eadaf583.exe" & start C:\Users\Admin\AppData\Local\PFYFJW~1.EXE -f
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /pid 2340
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\SysWOW64\PING.EXE
ping -n 3 127.1
3⤵
- Runs ping.exe
PID:1504

C:\Users\Admin\AppData\Local\pfyfjwgvq.exe
C:\Users\Admin\AppData\Local\PFYFJW~1.EXE -f
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2600

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\pfyfjwgvq.exe
Filesize
318KB

MD5
b9ecf50bf3a11fc3246362f1eadaf583

SHA1
37a3f62ff28f5830cd99646db0a7f413df063209

SHA256
d5400b917851857e8c8b7b31f656dd88d725d83ad61d87cb8a4b896345938ee1

SHA512
6f1ab3ac2c3eeffdc9980c40c6517ea0e997bc15dce043f62971d96fc3e9f63a42dd173bd9174d3eac30836e3b40af0fd853d630fdf3abd2f2a9c93e58eba64d

Download Submit
memory/2340-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2340-1-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/2340-2-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2340-4-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/2600-13-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/2600-17-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/2600-12-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/2600-10-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/2600-14-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/2600-15-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/2600-16-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/2600-11-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2600-18-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/2600-19-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/2600-20-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/2600-21-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/2600-22-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/2600-23-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download

Analysis

Sharing