9f385c266d25784a0e13d77780380a52363b1a3433b2074b4566137e14679acb

General

Target

9f385c266d25784a0e13d77780380a52363b1a3433b2074b4566137e14679acb.exe
Size

3.6MB
MD5

907edadd9d437915849c9990ff00a419
SHA1

25afb3a7165209e81dca914654b71c4d23f1b300
SHA256

9f385c266d25784a0e13d77780380a52363b1a3433b2074b4566137e14679acb
SHA512

a7028457a7a0b46c3b04f64066c41453d9b5310967721fed14a09f5de65ceca979b99daa718e269ebed4d62fdac8f0a2256e433fa870d0ca04a296bb1c6eea6b
SSDEEP

98304:wMaNKYpz9pWoHo2Ko0rbR2SAmnsMmXP68BRcGBVH5p6d:GKUI80h2Sbf78BRtBV

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2768	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
2984	6648.exe

Loads dropped DLL 2 IoCs

pid	Process
2972	9f385c266d25784a0e13d77780380a52363b1a3433b2074b4566137e14679acb.exe
2972	9f385c266d25784a0e13d77780380a52363b1a3433b2074b4566137e14679acb.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\delSexe.vbs	9f385c266d25784a0e13d77780380a52363b1a3433b2074b4566137e14679acb.exe
File opened for modification	C:\Windows\SysWOW64\delSexe.vbs	9f385c266d25784a0e13d77780380a52363b1a3433b2074b4566137e14679acb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2972	9f385c266d25784a0e13d77780380a52363b1a3433b2074b4566137e14679acb.exe
2972	9f385c266d25784a0e13d77780380a52363b1a3433b2074b4566137e14679acb.exe
2984	6648.exe
2984	6648.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2984	2972	9f385c266d25784a0e13d77780380a52363b1a3433b2074b4566137e14679acb.exe	28
PID 2972 wrote to memory of 2984	2972	9f385c266d25784a0e13d77780380a52363b1a3433b2074b4566137e14679acb.exe	28
PID 2972 wrote to memory of 2984	2972	9f385c266d25784a0e13d77780380a52363b1a3433b2074b4566137e14679acb.exe	28
PID 2972 wrote to memory of 2984	2972	9f385c266d25784a0e13d77780380a52363b1a3433b2074b4566137e14679acb.exe	28
PID 2972 wrote to memory of 2768	2972	9f385c266d25784a0e13d77780380a52363b1a3433b2074b4566137e14679acb.exe	29
PID 2972 wrote to memory of 2768	2972	9f385c266d25784a0e13d77780380a52363b1a3433b2074b4566137e14679acb.exe	29
PID 2972 wrote to memory of 2768	2972	9f385c266d25784a0e13d77780380a52363b1a3433b2074b4566137e14679acb.exe	29
PID 2972 wrote to memory of 2768	2972	9f385c266d25784a0e13d77780380a52363b1a3433b2074b4566137e14679acb.exe	29

C:\Users\Admin\AppData\Local\Temp\9f385c266d25784a0e13d77780380a52363b1a3433b2074b4566137e14679acb.exe
"C:\Users\Admin\AppData\Local\Temp\9f385c266d25784a0e13d77780380a52363b1a3433b2074b4566137e14679acb.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\6648.exe
  "C:\Users\Admin\AppData\Local\Temp\6648.exe" yes
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2984
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\System32\delSexe.vbs"
  2⤵
  - Deletes itself
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6648.exe

Filesize
2.3MB

MD5
0709731f5069a64daccca4204bfe2f57

SHA1
555c82b5ff98527d56e3f7b370c5735f97f802ec

SHA256
b2cf8baf67a7c7be754814b46580f19b51a11ed381c721f23c68dfdf387983e0

SHA512
522d5106503507fe757d619e25244e1d2c24ac87952d44d2f281d2e65fd0a15ee3228edbc0d9807e23c01f668fdd484640987deb4ea394aec454eea5503d1f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\6648.exe

Filesize
2.1MB

MD5
7a6c37c3b1eff79be7ab76361e0048b7

SHA1
0c561fb22e6a62c18a03f031e83590a327bb7ce3

SHA256
671268ed03f74fed509a80ebe42f7c2ef7f7d3d447fbb28853df07fed1d28c48

SHA512
3bd407acbc7214b13a0345e8e51cf6850b5345cc74bf0c8aad853e49f09f210f8dbf4a96ec65d4a6781f191a7ab260a980e18298fecb51249c049bb329dcab01

Download Submit
C:\Windows\SysWOW64\delSexe.vbs

Filesize
448B

MD5
79749eb707230cc28c84219a18f7307a

SHA1
a9fabf8b3ba1b1a6482169006f4cf8ca0ca6eb46

SHA256
bc0f80551a5e6f5f0e709a52c835ebf68203a53251b9d5d9b2758feffd04cd50

SHA512
803a7db18b87f8d465d8693959811f8400065b2ff75c5413b29ae87a059c025fc56824facaab75104fa048d43f8d317ef76e9de97d5ef5e94e7504319a222f90

Download Submit
\Users\Admin\AppData\Local\Temp\6648.exe

Filesize
2.3MB

MD5
e2cbb2e0387db637a82c9ef08c544885

SHA1
1d24adb11860322a7ac917be5f4f8bfd96ced5dc

SHA256
959a0f1e2b9d094b09b88d45acdf2aa587b3fa70873d37be8bc29ea2bd586cbb

SHA512
6319225bf1b32897d73ade3999b8d8f19df2491c07a07e57d61f936846b2a3a9c3bfb0cd22ab3c42d9571ae677166330802f0aaded159a21de5aeecdd45111ec

Download Submit
\Users\Admin\AppData\Local\Temp\6648.exe

Filesize
1.8MB

MD5
e8d184b8d70de6c24cbe9457b1aeb46a

SHA1
d260de39e571215364b99189061fc63cad02e186

SHA256
8cd280943b37b16335c99e339bde6bce5b6335d2d7d5be39d421dda7b4c002c2

SHA512
61316e7841bd59c7fc354d584c6a38d197ffeaefd0c96b22931cd88ba13016cca68ec380ec68b2a9180bfe3088e34f1200f93e8362c3c965576835f9d02e00e4

Download Submit
memory/2972-0-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing