0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec

General

Target

0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe
Size

168KB
MD5

266b7a0b55a3cf48547107cbf51c023b
SHA1

224f284c1ff4786813cd797e4b78cc93811a36df
SHA256

0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec
SHA512

569db070086e09478fe77bb5d72b757ac50ca7d4343336b6191a03d553623ec8b6230db307374f22f2eb99025de62f61f2e62f0ef5b0799a14678ae8cd215207
SSDEEP

3072:5arsteHd+LeDhoQ3nICTTuJZqOFK+fxJw12DMbwHTG:5BeHdGeDhoQ3nICTTWZqOFK+fxJyGhT

Score

6^/10

Malware Config

Signatures

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3040 set thread context of 2600	3040	0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2600	0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2600	0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe
2600	0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3040	0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2600	3040	0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe	28
PID 3040 wrote to memory of 2600	3040	0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe	28
PID 3040 wrote to memory of 2600	3040	0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe	28
PID 3040 wrote to memory of 2600	3040	0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe	28
PID 3040 wrote to memory of 2600	3040	0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe	28
PID 3040 wrote to memory of 2600	3040	0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe	28
PID 3040 wrote to memory of 2600	3040	0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe	28
PID 3040 wrote to memory of 2600	3040	0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe	28
PID 2600 wrote to memory of 2548	2600	0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe	29
PID 2600 wrote to memory of 2548	2600	0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe	29
PID 2600 wrote to memory of 2548	2600	0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe	29
PID 2600 wrote to memory of 2548	2600	0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe	29
PID 2600 wrote to memory of 2548	2600	0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe	29
PID 2600 wrote to memory of 2548	2600	0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe	29
PID 2600 wrote to memory of 2548	2600	0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe	29

C:\Users\Admin\AppData\Local\Temp\0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe
"C:\Users\Admin\AppData\Local\Temp\0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe
  "C:\Users\Admin\AppData\Local\Temp\0344c96caa8e385e0376de92ac9112330593fa1075ddca40acfbd7917b3587ec.exe"
  2⤵
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2548-66-0x0000000000420000-0x0000000000434000-memory.dmp

Filesize
80KB

Download
memory/2548-64-0x0000000000420000-0x0000000000434000-memory.dmp

Filesize
80KB

Download
memory/2548-62-0x0000000000420000-0x0000000000434000-memory.dmp

Filesize
80KB

Download
memory/2600-37-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2600-61-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2600-59-0x000000007EFA0000-0x000000007EFA2000-memory.dmp

Filesize
8KB

Download
memory/2600-60-0x000000007EF90000-0x000000007EF91000-memory.dmp

Filesize
4KB

Download
memory/2600-57-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2600-53-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2600-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2600-41-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2600-45-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3040-36-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/3040-58-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/3040-40-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/3040-44-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/3040-46-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/3040-49-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/3040-38-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/3040-48-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/3040-52-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/3040-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3040-55-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/3040-42-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/3040-34-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/3040-56-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3040-32-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/3040-30-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/3040-28-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/3040-25-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/3040-23-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3040-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3040-69-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing