044f40d9fa5d3ff14151e14429ef456f1bfdb08d93c1c8f1f756faa37cf7857e

General

Target

044f40d9fa5d3ff14151e14429ef456f1bfdb08d93c1c8f1f756faa37cf7857e.exe
Size

281KB
MD5

547d09f310657d22d4eef832255775ed
SHA1

854783f3d24e057526f36d1ff1dd7456ae9718d7
SHA256

044f40d9fa5d3ff14151e14429ef456f1bfdb08d93c1c8f1f756faa37cf7857e
SHA512

b82b2ae1819bf4df9ec25654990a7ade30f386469bb23173be0a45ddd1b94a6e8ba86cb2d027ee40da7996844efbc4e82433361ee1ca2fb6588ddf7bd9b6ac6e
SSDEEP

6144:XsaocyLCUeW9f/7w6g5DXIHggcnZ6k3cr0Ypw+khYQ:Xtob2Wp/7Tg94Hgjndsr0YpbkhYQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2372	installer.exe
2772	4dc90cd0-7328-42b2-8f65-20295bc06f26.exe

Loads dropped DLL 3 IoCs

pid	Process
2360	044f40d9fa5d3ff14151e14429ef456f1bfdb08d93c1c8f1f756faa37cf7857e.exe
2360	044f40d9fa5d3ff14151e14429ef456f1bfdb08d93c1c8f1f756faa37cf7857e.exe
2360	044f40d9fa5d3ff14151e14429ef456f1bfdb08d93c1c8f1f756faa37cf7857e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2772	4dc90cd0-7328-42b2-8f65-20295bc06f26.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	4dc90cd0-7328-42b2-8f65-20295bc06f26.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2772	4dc90cd0-7328-42b2-8f65-20295bc06f26.exe
2772	4dc90cd0-7328-42b2-8f65-20295bc06f26.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2372	2360	044f40d9fa5d3ff14151e14429ef456f1bfdb08d93c1c8f1f756faa37cf7857e.exe	28
PID 2360 wrote to memory of 2372	2360	044f40d9fa5d3ff14151e14429ef456f1bfdb08d93c1c8f1f756faa37cf7857e.exe	28
PID 2360 wrote to memory of 2372	2360	044f40d9fa5d3ff14151e14429ef456f1bfdb08d93c1c8f1f756faa37cf7857e.exe	28
PID 2360 wrote to memory of 2372	2360	044f40d9fa5d3ff14151e14429ef456f1bfdb08d93c1c8f1f756faa37cf7857e.exe	28
PID 2372 wrote to memory of 2772	2372	installer.exe	30
PID 2372 wrote to memory of 2772	2372	installer.exe	30
PID 2372 wrote to memory of 2772	2372	installer.exe	30
PID 2372 wrote to memory of 2772	2372	installer.exe	30
PID 2372 wrote to memory of 2772	2372	installer.exe	30
PID 2372 wrote to memory of 2772	2372	installer.exe	30
PID 2372 wrote to memory of 2772	2372	installer.exe	30

C:\Users\Admin\AppData\Local\Temp\044f40d9fa5d3ff14151e14429ef456f1bfdb08d93c1c8f1f756faa37cf7857e.exe
"C:\Users\Admin\AppData\Local\Temp\044f40d9fa5d3ff14151e14429ef456f1bfdb08d93c1c8f1f756faa37cf7857e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\nsi540.tmp\installer.exe
  C:\Users\Admin\AppData\Local\Temp\nsi540.tmp\installer.exe 4dc90cd0-7328-42b2-8f65-20295bc06f26.exe /t /dT132210833S /e6004452 /u4dc90cd0-7328-42b2-8f65-20295bc06f26
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\nsi540.tmp\4dc90cd0-7328-42b2-8f65-20295bc06f26.exe
    /t /dT132210833S /e6004452 /u4dc90cd0-7328-42b2-8f65-20295bc06f26
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsi540.tmp\4dc90cd0-7328-42b2-8f65-20295bc06f26.exe

Filesize
249KB

MD5
e5fdaf113b510ceaf5672d7af36eaa75

SHA1
ee4c3b6d2343650926944869a07e31a9a2a4ffc5

SHA256
d4f2a25d2831f368313160bf2e2983264426ba9e4027447440b5a3ee8bb8b526

SHA512
f55acf149353251d44d768381a9256f509c62e24479775a24924c584a29fd7cdc2f705b84318a0280ca9731c6c3b4be993045e2e925cd42ef7a9e64e21e584a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsi540.tmp\installer.exe

Filesize
207KB

MD5
de8e9cb3a534359f5809b9c5980ce365

SHA1
34def3bd6d46a97daa546671513733b9a94c1e8a

SHA256
653db07daeedb23437e723f00ab4f7320e5bb6e6689e38e54896ee44d84cfc71

SHA512
dffe030837a4babfb06419ffd893f54b9856e0f1aafb320e923a7a4aea894154207b0f2998fd0ecaaf0105c6ff1bed95d93a8ae2f531e1c8c3aca248a35b1fe2

Download Submit
\Users\Admin\AppData\Local\Temp\nsi540.tmp\nsExec.dll

Filesize
8KB

MD5
249ae678f0dac4c625c6de6aca53823a

SHA1
6ac2b9e90e8445fed4c45c5dbf2d0227cd3b5201

SHA256
7298024a36310b7c4c112be87b61b62a0b1be493e2d5252a19e5e976daf674ce

SHA512
66e4081a40f3191bf28b810cf8411cb3c8c3e3ec5943e18d6672414fb5e7b4364f862cba44c9115c599ac90890ef02a773e254e7c979e930946bc52b0693aad7

Download Submit
memory/2360-31-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2372-27-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/2372-13-0x00000000005D0000-0x00000000005F8000-memory.dmp

Filesize
160KB

Download
memory/2372-19-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/2372-20-0x0000000000BF0000-0x0000000000C70000-memory.dmp

Filesize
512KB

Download
memory/2372-21-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/2772-22-0x0000000001FA0000-0x0000000001FE0000-memory.dmp

Filesize
256KB

Download
memory/2772-25-0x0000000001FA0000-0x0000000001FE0000-memory.dmp

Filesize
256KB

Download
memory/2772-26-0x00000000744C0000-0x0000000074A6B000-memory.dmp

Filesize
5.7MB

Download
memory/2772-24-0x00000000744C0000-0x0000000074A6B000-memory.dmp

Filesize
5.7MB

Download
memory/2772-23-0x00000000744C0000-0x0000000074A6B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing