19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb

General

Target

19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb.exe
Size

7.3MB
MD5

888284957e75b8b7db670ce4711ba2dd
SHA1

032c11005496fb72208409dcc39d14949ce2f908
SHA256

19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb
SHA512

596156aca8449664ced425cf86600fbc747730d2544ef217bc4e9b6dd407033c1579cf05b5c5beafa8622b86eebf63dc2abdc16a14d86256308120aaa48fb6ef
SSDEEP

196608:zLkqSpYCYzubVwvtK/D0P+7Zi2aAhHEmkGmmlyv:mYtU4OgP+IATjmoyv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2144	autorun.exe

Loads dropped DLL 2 IoCs

pid	Process
2204	19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb.exe
2144	autorun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2144	autorun.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2204	19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb.exe
2204	19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb.exe
2144	autorun.exe
2144	autorun.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2144	2204	19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb.exe	28
PID 2204 wrote to memory of 2144	2204	19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb.exe	28
PID 2204 wrote to memory of 2144	2204	19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb.exe	28
PID 2204 wrote to memory of 2144	2204	19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb.exe	28
PID 2204 wrote to memory of 2144	2204	19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb.exe	28
PID 2204 wrote to memory of 2144	2204	19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb.exe	28
PID 2204 wrote to memory of 2144	2204	19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb.exe	28

C:\Users\Admin\AppData\Local\Temp\19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb.exe
"C:\Users\Admin\AppData\Local\Temp\19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\19b95a73de4838af73256397e9468ceee9947b5e1f3fc088995a0cb9a633d0bb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\0001-windows-7.btn

Filesize
3KB

MD5
967fdfe0a01c083804673b4976ad6730

SHA1
5d05ade6dd0d1d67ea7879cd8f7779ef53abbd4c

SHA256
72eda9d49bcd0cd3b540f75c4215714378afbb1ce40afcbb7a0b246ab2a44f21

SHA512
50acacf15fa4cfa8319f789fb534cdb4a8d559ceb3e5e832b32015ff2fbee2c3902abfc83bc2493d57298ed32d0aeb6817e077758c4c2c956432b1d3f3c738d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\iphone-iphone-699344_1280_800_2.jpg

Filesize
386KB

MD5
bfb0add91733214d2412ffe7ab436046

SHA1
c937db6796933e3fecee6d99eece9462a074eda9

SHA256
e4b0ffe09d0df0fc3bf93777610546cdc9ff6eb528bf1edbbb3d3edc5e965627

SHA512
1fe8660d4a3ea51f742ea2ec212e21b34fb0b68de3428d661798f4fcb06d5f8aca0cdd6f447a7878b915cef7b6520724b4125322a219c5d4b154bfb28c1a81cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

Filesize
473KB

MD5
6fff38d7b9c42c22193f1fab22452abf

SHA1
4f70831adafd58eff89fdbc9801351115ee4ab00

SHA256
478f98f85b515931ece964bf03027ebdd00615f3fa12be75f7daa4ce50242e5a

SHA512
569a6b562172574e48f94cb9755512c82963ac5cf1601e50437c658072684ccb4936be243d07805b66576ecbdcae879ba3fb9138460a9b7c311d3663caa70a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\jajr_logo-32x32.ico

Filesize
1KB

MD5
3d9ecabffb8558560941f1b3172c3c38

SHA1
433a85b775c815dfeb16e2761cf623aa794299ee

SHA256
b38a3b25527a64744df7b3d17a93a77bb251e778c1e5fde37e6f894820197e7e

SHA512
326b5687f98632f2bbeb29ddb0eebe7fc8d43b2f6caed00df30b14feb7d1875199ded7cf27ac704145d78e67fe7efcef7df1e29b59f28e8dac9ecf76433feb43

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll

Filesize
318KB

MD5
2e34ae97aeff9034f66d04e6c2bf987f

SHA1
a362799075fe1e8c6afa77f8ca831bd5787073df

SHA256
45bd2e6cbd5b8dfea5f471a4e179b01c4cb764afcf2493e86494272be8dd9342

SHA512
194df497d750903537bdc76b0527bb75e3091154dce32f1eccfc855d0019665ca08fe49848380335325417e5b9b53265fa3c6c226900c68f0e8fd92be5f15591

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
6.5MB

MD5
008a95ddb966d162294fabdf8170b7c6

SHA1
957b076184c504213fa5b535a15392c38ac94687

SHA256
7181a8eb305ce67bb028330724b6f4c0715b4e4aab75b2a6d1765d52d827498e

SHA512
c9491b7c39d3c9ae686864389098225389da416eb1426c2736408419ceedecec1b91f097afa933802996287c4d505a19be625858758d59c244435172cb4ef82b

Download Submit

Analysis

Sharing