93542d6e0cb546ade0a4fb5ccedcc1d6dcb3aaba9b44183e692b76fc363cc15f

General

Target

c2e1f3e3fa536facf8404a621607558c.exe
Size

14.8MB
MD5

c2e1f3e3fa536facf8404a621607558c
SHA1

a6dfe475decd18fe22daa0d17d5a94f82453cfff
SHA256

93542d6e0cb546ade0a4fb5ccedcc1d6dcb3aaba9b44183e692b76fc363cc15f
SHA512

2b332fb30474c0cc7c54586dbc14cd35d3655ed3c2fb0db630f7edef8ab328d1c7037a079d115eec35a2b8e474a7f2e18b92638ecd951acedafa6a5b755c0ab7
SSDEEP

393216:nefNC/zPdHvWwjof9H+xdQlG6tSuQL0c6JkSBmNBStVKFOM:ecdHzoF8dQc6tSLE9mvvFOM

Score

7^/10

Malware Config

Signatures

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\freebitcoin.exe	c2e1f3e3fa536facf8404a621607558c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\freebitcoin.exe	c2e1f3e3fa536facf8404a621607558c.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_259430676	freebitcoin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BTC.exe	freebitcoin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BTC.exe	freebitcoin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_259429241	c2e1f3e3fa536facf8404a621607558c.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Eagle.Proxy.Scraper.exe	c2e1f3e3fa536facf8404a621607558c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Eagle.Proxy.Scraper.exe	c2e1f3e3fa536facf8404a621607558c.exe

Executes dropped EXE 1 IoCs

pid	Process
852	freebitcoin.exe

Loads dropped DLL 4 IoCs

pid	Process
848	c2e1f3e3fa536facf8404a621607558c.exe
848	c2e1f3e3fa536facf8404a621607558c.exe
848	c2e1f3e3fa536facf8404a621607558c.exe
848	c2e1f3e3fa536facf8404a621607558c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 852	848	c2e1f3e3fa536facf8404a621607558c.exe	28
PID 848 wrote to memory of 852	848	c2e1f3e3fa536facf8404a621607558c.exe	28
PID 848 wrote to memory of 852	848	c2e1f3e3fa536facf8404a621607558c.exe	28
PID 848 wrote to memory of 852	848	c2e1f3e3fa536facf8404a621607558c.exe	28

C:\Users\Admin\AppData\Local\Temp\c2e1f3e3fa536facf8404a621607558c.exe
"C:\Users\Admin\AppData\Local\Temp\c2e1f3e3fa536facf8404a621607558c.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\freebitcoin.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\freebitcoin.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\freebitcoin.exe

Filesize
228KB

MD5
ed7035bfafb98ffa7756b4ce62d17982

SHA1
f95e40a740f2ebad53d7e2a785cc60d2fd431778

SHA256
03b7bfbd52024287e95589cf53f159efa490e3d56121b943cdf64f0d193825ee

SHA512
9d269dc2a525d44753ebabc41294deaafb43f6562d40b73c2a578598ec930791e6897b4240cab25218b26ab461d7aee37b549421461535ebfe286f5cc520531b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\freebitcoin.exe

Filesize
202KB

MD5
d79650fdb79a8f799b626e4377bb46e2

SHA1
d4159b63933ceb558a920b4b48151c94b8fbf7cf

SHA256
4f9b4661921f9ef3a66cec4d427f7031a64c2e523a931bedb2e03eb15f0f2d44

SHA512
e32646706b1c74b88ebcea845156d556a19d482b0f64c23c6814dc6f282e0c27e919c70563659aca1853af45100f2f0399f61dfd022055856ef93149ccaeded5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\freebitcoin.exe

Filesize
810KB

MD5
daf24ccb9f8aa00c41a44d2e7f85b6b6

SHA1
62e43eb0dfed60b9ab9782aa14fcd3da57d58c13

SHA256
7136d6e76cb799737c52e35bc93c9b14d9787e2d6a73aa60c51df9e5ef6f59d8

SHA512
63185824484270f94af53b3e4ff29f99445305e937882d50467653fc995fc592329600a50ec9a5c23d8e21e53a90a172660e93cc04a9941856cbb796af4de36c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\freebitcoin.exe

Filesize
981KB

MD5
8f300e428105ac72ae0afbce87438134

SHA1
502efd3e7fb719278941d7c71b7becf9237410b1

SHA256
b917fa123b0558de6ceaad749fb51322cd34c5effb6f363f3e2d10d069a447f6

SHA512
cedd6d2eaf9e0bc8e0aa651212e5384b05ad56aa5d546f53d636a0fb6650ace9fb114630d2da1099db3d20f36018cc77f9846cab7b90ca679edfd4eee0cdef11

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\freebitcoin.exe

Filesize
835KB

MD5
19fef73db1a38cb261c5c52e4485015d

SHA1
0b207cf4520d1191623e0f4d67b3efa59aeefdbf

SHA256
fc69092d51dbb62d9a67569e635236c89115a34cb58859c0606e5b42fe9021b4

SHA512
7a7661fc2be188f32e415c9c01ec1ed182271dd3f2230bdf724b80d255a111e57406c0e7c519fed9a8db9f872ed80628e6de90f42263faf8b9a89d33afe0acd5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\freebitcoin.exe

Filesize
2.4MB

MD5
79cf908b5ecc4dc40260fac8d3aeb071

SHA1
d240de1e6408647ddfb9abc2c255194bccec975c

SHA256
6b7d41508a5b8bb09b1e39d0d1b229a0968f1a5d15c211eebff8ad5001b15396

SHA512
053e3117e9e58491948fb326bd38a48a5ca14932c205d2c719f1e650f3de582e974376b7c14527c69932b24dd296eb3cf4db5252079befe780af2d18f6c96ac6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\freebitcoin.exe

Filesize
955KB

MD5
ded4213cc64fa68c5bb8721a5dea03ab

SHA1
e7d08845241b1f7e07798d82ca33f9b384e7977d

SHA256
0b078837d6cf839d859ff67f7bd09514c4fba3107da69fd4ee89bf54999e4ff6

SHA512
a66012da1299e52508580e482a6ffc512a6b25f9471546acc992e3f434171a3407c9ba7456fa900e830f60523d24d9220d2401841ec3b7e8689b73168fb5b4a6

Download Submit

Analysis

Sharing