9a17977c01a6d0ce92033f97f187b1347edef59f6217006368e6a7234e49a565

General

Target

c8d660631ecb682a0d5ed0b035b24eb4.exe
Size

3.4MB
MD5

c8d660631ecb682a0d5ed0b035b24eb4
SHA1

0fff35edd81551ba89f075d0ba9795b02bac6163
SHA256

9a17977c01a6d0ce92033f97f187b1347edef59f6217006368e6a7234e49a565
SHA512

fa15f5cf25e36b00b6ff6cf0420f64b09a1ca373ed35fce6c9ce5c214a4eac8c18bda8fe34aa6be2419bc25054eed143a81e010ba5f956a5cf18d7e4ebc38d22
SSDEEP

98304:wNCqzknetu3O0cAIHziTmksJSKmcz8noORQVbcLFT:wNCqzkne43OlbzCsJXjz81QVbq

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g4PyccJYvlgM5cAn.exe	c8d660631ecb682a0d5ed0b035b24eb4.exe

Executes dropped EXE 2 IoCs

pid	Process
2564	g4PyccJYvlgM5cAn.exe
2672	g4PyccJYvlgM5cAn.exe

Loads dropped DLL 3 IoCs

pid	Process
2192	c8d660631ecb682a0d5ed0b035b24eb4.exe
2192	c8d660631ecb682a0d5ed0b035b24eb4.exe
2564	g4PyccJYvlgM5cAn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2476	2536	WerFault.exe	32

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2672	g4PyccJYvlgM5cAn.exe
2672	g4PyccJYvlgM5cAn.exe
2672	g4PyccJYvlgM5cAn.exe
2672	g4PyccJYvlgM5cAn.exe
2672	g4PyccJYvlgM5cAn.exe
2672	g4PyccJYvlgM5cAn.exe
2672	g4PyccJYvlgM5cAn.exe
2672	g4PyccJYvlgM5cAn.exe
2672	g4PyccJYvlgM5cAn.exe
2672	g4PyccJYvlgM5cAn.exe
2672	g4PyccJYvlgM5cAn.exe
2672	g4PyccJYvlgM5cAn.exe
2672	g4PyccJYvlgM5cAn.exe
2672	g4PyccJYvlgM5cAn.exe
2672	g4PyccJYvlgM5cAn.exe
2672	g4PyccJYvlgM5cAn.exe
2672	g4PyccJYvlgM5cAn.exe
2536	cmd.exe
2536	cmd.exe
2536	cmd.exe
2536	cmd.exe
2536	cmd.exe
2536	cmd.exe
2536	cmd.exe
2536	cmd.exe
2536	cmd.exe
2536	cmd.exe
2536	cmd.exe
2536	cmd.exe
2536	cmd.exe
2536	cmd.exe
2536	cmd.exe
2536	cmd.exe
2536	cmd.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2192	2176	c8d660631ecb682a0d5ed0b035b24eb4.exe	28
PID 2176 wrote to memory of 2192	2176	c8d660631ecb682a0d5ed0b035b24eb4.exe	28
PID 2176 wrote to memory of 2192	2176	c8d660631ecb682a0d5ed0b035b24eb4.exe	28
PID 2176 wrote to memory of 2192	2176	c8d660631ecb682a0d5ed0b035b24eb4.exe	28
PID 2192 wrote to memory of 2564	2192	c8d660631ecb682a0d5ed0b035b24eb4.exe	30
PID 2192 wrote to memory of 2564	2192	c8d660631ecb682a0d5ed0b035b24eb4.exe	30
PID 2192 wrote to memory of 2564	2192	c8d660631ecb682a0d5ed0b035b24eb4.exe	30
PID 2192 wrote to memory of 2564	2192	c8d660631ecb682a0d5ed0b035b24eb4.exe	30
PID 2564 wrote to memory of 2672	2564	g4PyccJYvlgM5cAn.exe	31
PID 2564 wrote to memory of 2672	2564	g4PyccJYvlgM5cAn.exe	31
PID 2564 wrote to memory of 2672	2564	g4PyccJYvlgM5cAn.exe	31
PID 2564 wrote to memory of 2672	2564	g4PyccJYvlgM5cAn.exe	31
PID 2672 wrote to memory of 2536	2672	g4PyccJYvlgM5cAn.exe	32
PID 2672 wrote to memory of 2536	2672	g4PyccJYvlgM5cAn.exe	32
PID 2672 wrote to memory of 2536	2672	g4PyccJYvlgM5cAn.exe	32
PID 2672 wrote to memory of 2536	2672	g4PyccJYvlgM5cAn.exe	32
PID 2672 wrote to memory of 2536	2672	g4PyccJYvlgM5cAn.exe	32
PID 2672 wrote to memory of 2536	2672	g4PyccJYvlgM5cAn.exe	32
PID 2536 wrote to memory of 2476	2536	cmd.exe	34
PID 2536 wrote to memory of 2476	2536	cmd.exe	34
PID 2536 wrote to memory of 2476	2536	cmd.exe	34
PID 2536 wrote to memory of 2476	2536	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\c8d660631ecb682a0d5ed0b035b24eb4.exe
"C:\Users\Admin\AppData\Local\Temp\c8d660631ecb682a0d5ed0b035b24eb4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\c8d660631ecb682a0d5ed0b035b24eb4.exe
  "C:\Users\Admin\AppData\Local\Temp\c8d660631ecb682a0d5ed0b035b24eb4.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g4PyccJYvlgM5cAn.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g4PyccJYvlgM5cAn.exe" "C:\Users\Admin\AppData\Local\Temp\c8d660631ecb682a0d5ed0b035b24eb4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g4PyccJYvlgM5cAn.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g4PyccJYvlgM5cAn.exe" "C:\Users\Admin\AppData\Local\Temp\c8d660631ecb682a0d5ed0b035b24eb4.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 284
        6⤵
        Program crash
        
        PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g4PyccJYvlgM5cAn.exe

Filesize
2.1MB

MD5
c95d2aa54c0327df9c73b473c8fb43ba

SHA1
e24aee6f4fc3e121139beb7dc24cc1bae45e4861

SHA256
1f2bc5c57f1873db8f47ba253f0aae95256cbcaf37df5d618e4ff748e9896c4c

SHA512
134d7a53b5b8d68068af3354557a4a8f733ea0c94c0b55c4d69a0bccf9cf48a2ec0cca0511470b525472267622f9cfe4116e82b99b61c27d74754bb5b1d9ed60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g4PyccJYvlgM5cAn.exe

Filesize
2.0MB

MD5
1fe91bba4c72f9587ebd66b378c64baa

SHA1
a4db2887efcee115a1b0b13f1de3a8afa2d172d3

SHA256
44bac4bfb64cf80f0a5845d0458e54863665cf6ad7a5d44d3f18002fcb090681

SHA512
6ebb2cfeb2cf96f32b5b6ec020a1b20bda005f8a61cfe268902cee9f06a1febb3e299c44a12eca99c4c897eedfbc21a6d8ff859bc57ea7c7c7b4d0a701dc264a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g4PyccJYvlgM5cAn.exe

Filesize
1.3MB

MD5
1b9612451400a39507825333100f6ee4

SHA1
3149414e52435a2e66c9ebf2b24e24cc136e906a

SHA256
adc5c6e11e60619e3f9827bac1e1b368395e9eb51db1a11af74a07b1d0a752f4

SHA512
fd292faf93068cc1dff87e98e7270a62aea863382b24975ebaa0af9279cec961b47c5340a2767690c962038401cc945868b48ff03aa807cbb3eed2447b751482

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g4PyccJYvlgM5cAn.exe

Filesize
3.4MB

MD5
8fa5bd62ef9bee3b4ed0ebcf4ea7cf71

SHA1
953f1027697ed8538298be8f71e64aa82a8b3256

SHA256
5f9e3564d873aa1a865cef0ac7772fa96283fc2fca16bd88e84ec987884cf83e

SHA512
5e1fcd4fec6f47f188d5c66a6cd756043c5f7337a7e9532dbe4d7fad8517edb6275e1d7afddfee08ea51e6e57e53dc6e83d56cee12e8faf74bf6ad2bd210bdf0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g4PyccJYvlgM5cAn.exe

Filesize
832KB

MD5
ca437b54f5006490955b8314d8637b92

SHA1
5838efa2260e2596f8a98606e6f40e7841784076

SHA256
80a8abbbbe42d172b90e6e31bc45cf69d2178846d76ed1f4120f1f61db5e1938

SHA512
f3c0d089071c2e3cd98afe08dcf15debe50bc2fb01a7f6547697f702c65b326f48c83afc11006f8676065c228a59cb181aeb348e2ff4490397b1cd8464ae6616

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g4PyccJYvlgM5cAn.exe

Filesize
2.2MB

MD5
40870fd946eaf20133cd415ec7c1878d

SHA1
98e8f6ee674e817519627f1a98f6e7909e6d899e

SHA256
47821781388f0b15faff5f7e7311d12465c6291015144b5581a1093c54f76a54

SHA512
0676f53b43e9bbaf4efd8e0159eb55b5e3976a07826929300a5ce6bbf95e65bcd7ffc5fc714e05bacbb152dc3f488538989203e2f521eabed2549258881fd686

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g4PyccJYvlgM5cAn.exe

Filesize
1.8MB

MD5
4cca6be0103cd34c81c2012a3985dad9

SHA1
022fc0337a5a56b966ef90af7eeb8f5fc40e76d0

SHA256
77be1aa00b094e4a76055faf97032a67cceadd92445ab527f6ca013c53231d1e

SHA512
89d59818540ed7cca6b284da28a8fe439fd3885026f4065fdd77e628df03adcca5157792664057a189474563b61f25442523272ba2a81f8d8906aea24c419bba

Download Submit
memory/2176-2-0x00000000020C0000-0x00000000024BE000-memory.dmp

Filesize
4.0MB

Download
memory/2176-0-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2192-20-0x0000000002340000-0x00000000023DE000-memory.dmp

Filesize
632KB

Download
memory/2192-9-0x0000000005290000-0x000000000568E000-memory.dmp

Filesize
4.0MB

Download
memory/2192-3-0x0000000002340000-0x00000000023DE000-memory.dmp

Filesize
632KB

Download
memory/2192-1-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2192-11-0x0000000005290000-0x000000000568E000-memory.dmp

Filesize
4.0MB

Download
memory/2192-19-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2536-89-0x0000000000450000-0x00000000004EE000-memory.dmp

Filesize
632KB

Download
memory/2536-30-0x0000000000310000-0x00000000003A9000-memory.dmp

Filesize
612KB

Download
memory/2536-91-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2536-85-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/2536-90-0x0000000077BF0000-0x0000000077D70000-memory.dmp

Filesize
1.5MB

Download
memory/2536-87-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/2536-27-0x0000000000610000-0x0000000001262000-memory.dmp

Filesize
12.3MB

Download
memory/2536-86-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2536-29-0x0000000000310000-0x00000000003A9000-memory.dmp

Filesize
612KB

Download
memory/2536-88-0x0000000000450000-0x00000000004EE000-memory.dmp

Filesize
632KB

Download
memory/2536-33-0x0000000077BF0000-0x0000000077D70000-memory.dmp

Filesize
1.5MB

Download
memory/2536-34-0x0000000000450000-0x00000000004EE000-memory.dmp

Filesize
632KB

Download
memory/2564-18-0x0000000002220000-0x000000000261E000-memory.dmp

Filesize
4.0MB

Download
memory/2564-17-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2672-26-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/2672-32-0x0000000002350000-0x00000000023EE000-memory.dmp

Filesize
632KB

Download
memory/2672-31-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2672-24-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/2672-25-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/2672-23-0x0000000002350000-0x00000000023EE000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing