aebdca242faa2ab7e15a4c8c6fc877a7c46c869a32890c413130b2e57e82afba

General

Target

SpamKiller2908.exe
Size

2.2MB
MD5

cc2024cb2a62218709403a1b0849541b
SHA1

4af74a011f36d28edc4a11000942205e8b0af16b
SHA256

1cea75341207205bf53a8bdf9eb57db0b778d14a4fda3def32de50ec16609e98
SHA512

c8833850f4bbe4f57bf29a3723b63ffd10f340ed98d9f8dffcd2ee21604b485dae464d98c597ae91b012dfd11fe14961a8d9f4ab258ef44fd51191b7b74dcfa1
SSDEEP

49152:kZ62RExWZ8QX8AyHo/Cu9vgUEcptjsBF63CoK+YS8Td:kZ6PS3X0WCu9LZvQBQyYYxd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2176	TGSETUP.EXE

Loads dropped DLL 8 IoCs

pid	Process
4944	SpamKiller2908.exe
4944	SpamKiller2908.exe
4944	SpamKiller2908.exe
4944	SpamKiller2908.exe
2176	TGSETUP.EXE
2176	TGSETUP.EXE
2176	TGSETUP.EXE
2176	TGSETUP.EXE

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	SpamKiller2908.exe
File opened (read-only)	\??\H:	SpamKiller2908.exe
File opened (read-only)	\??\J:	SpamKiller2908.exe
File opened (read-only)	\??\M:	SpamKiller2908.exe
File opened (read-only)	\??\N:	SpamKiller2908.exe
File opened (read-only)	\??\T:	SpamKiller2908.exe
File opened (read-only)	\??\U:	SpamKiller2908.exe
File opened (read-only)	\??\A:	SpamKiller2908.exe
File opened (read-only)	\??\B:	SpamKiller2908.exe
File opened (read-only)	\??\O:	SpamKiller2908.exe
File opened (read-only)	\??\P:	SpamKiller2908.exe
File opened (read-only)	\??\Q:	SpamKiller2908.exe
File opened (read-only)	\??\W:	SpamKiller2908.exe
File opened (read-only)	\??\I:	SpamKiller2908.exe
File opened (read-only)	\??\L:	SpamKiller2908.exe
File opened (read-only)	\??\V:	SpamKiller2908.exe
File opened (read-only)	\??\Y:	SpamKiller2908.exe
File opened (read-only)	\??\E:	SpamKiller2908.exe
File opened (read-only)	\??\G:	SpamKiller2908.exe
File opened (read-only)	\??\K:	SpamKiller2908.exe
File opened (read-only)	\??\R:	SpamKiller2908.exe
File opened (read-only)	\??\S:	SpamKiller2908.exe
File opened (read-only)	\??\X:	SpamKiller2908.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 2176	4944	SpamKiller2908.exe	86
PID 4944 wrote to memory of 2176	4944	SpamKiller2908.exe	86
PID 4944 wrote to memory of 2176	4944	SpamKiller2908.exe	86

C:\Users\Admin\AppData\Local\Temp\SpamKiller2908.exe
"C:\Users\Admin\AppData\Local\Temp\SpamKiller2908.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Local\Temp\TGSETUP0.TMP\TGSETUP.EXE
  C:\Users\Admin\AppData\Local\Temp\TGSETUP0.TMP\TGSETUP.EXE "/bC:\Users\Admin\AppData\Local\Temp\SpamKiller2908.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TGSETUP0.TMP\BOOT0409.DLL

Filesize
58KB

MD5
bdebc6ec15c17718a2465d52e5b49ea7

SHA1
2ff0fda712f319a7d24b99f483f36a0923af0991

SHA256
ed384856cd5819d1b954bf14a975e7be2ce03aa279d730cecb8994d9750419c5

SHA512
77cfadb55e1c50b65643ab90952f500bc9ad1f67f684d18183a19fc55630b697c017bb734c5cecff32a370a8be7ac38b31684a80062b99def641e9deecf2aebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TGSETUP0.TMP\SETUP.LNG

Filesize
93B

MD5
fb73c5225d8b164cfa0f09df242cf2a7

SHA1
0f4a612a261cd701ddf9dbbccacb06f3d55a0740

SHA256
b07b46ab3c0738158b14c450c7fdb12bcb3a8580400e7ff5277bc0836398a9b0

SHA512
80ffcb20db4dee82ad4e433d523178d76ab240c0884cde17e747ce22140bd64658b79f08bec586e1a977c23c29339489373f84ab04df397f9352c2a7560b1bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TGSETUP0.TMP\SETUPLNG.DLL

Filesize
161KB

MD5
12c45be56f39800c812574d6feb4feaa

SHA1
28307cd67be948c96103d9c50b51961d23754f5d

SHA256
31f2afbbdf032a7c6b159135a6e35e3bb7754d3a3f21a56bc77c8440e8a09882

SHA512
3bbb4d3ee1ecbcba3a46271174d7a20f59cc8d8b71faae6fc49761173b4ccff97c02baa7b760ab419d514acbef744c8e09cacc294b21490ec850e69022b4efaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TGSETUP0.TMP\SetUpC.dll

Filesize
413KB

MD5
ba0e334cc809913c91cf09a4e70a7813

SHA1
0a3ea48b7d40bc8cfc7a4902879dc27f3b9a963b

SHA256
03be0334537addc110a57a0c3b428cec25175c7ec882a886abd2cc8b1c4e2e7d

SHA512
bef0e8fa578402340a25023a5258bb24a2e5096da1d59bf6b071f496ad170ad408dc8f898da27226a40b91d1b36c6527b9b83ba3c1769f3c8138854e1c1c2acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TGSETUP0.TMP\TGSETUP.EXE

Filesize
338KB

MD5
3db7dfd0c651eb411758fb04ac49706d

SHA1
6c6ad7e87e5dde4f68d335a50385f4c2685dafb3

SHA256
89314735afb290ed076ee6d6f820812bc9116756a47ce1c0c518e58ac92ed7d1

SHA512
b48655f6cf45b8ed8c93f3a4484b727dd5fecd23d49c7ea65a56c5879b53775626ee2f010176ce3db6dd75829a3de9860e36c59a78572207e8e1c1f6f3196761

Download Submit
memory/2176-52-0x0000000002F90000-0x0000000002FFC000-memory.dmp

Filesize
432KB

Download
memory/2176-36-0x0000000000600000-0x000000000062E000-memory.dmp

Filesize
184KB

Download
memory/2176-45-0x0000000002F90000-0x0000000002FFC000-memory.dmp

Filesize
432KB

Download
memory/2176-50-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2176-51-0x0000000000600000-0x000000000062E000-memory.dmp

Filesize
184KB

Download
memory/2176-61-0x0000000000600000-0x000000000062E000-memory.dmp

Filesize
184KB

Download
memory/2176-62-0x0000000002F90000-0x0000000002FFC000-memory.dmp

Filesize
432KB

Download
memory/4944-48-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4944-49-0x0000000000690000-0x00000000006A4000-memory.dmp

Filesize
80KB

Download
memory/4944-11-0x0000000000690000-0x00000000006A4000-memory.dmp

Filesize
80KB

Download
memory/4944-59-0x0000000000690000-0x00000000006A4000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing