df865220917beb88f2da227a5be7bbbd2874a02ba27a25d01d1a2c38207d37a7

General

Target

d374354cf81755b830d254ea6ad6294e.exe
Size

157KB
MD5

d374354cf81755b830d254ea6ad6294e
SHA1

2b7ebd6b1de59cdad9356f84b62f4596d7002541
SHA256

df865220917beb88f2da227a5be7bbbd2874a02ba27a25d01d1a2c38207d37a7
SHA512

22cac4f8a6be23602537220ee2fec569dc9485f7881692448182e489e399edd609b1cf0fbfe7c0f860b451eb3a9e4d8926498d8e7d69dcb6ead158e485e8cfef
SSDEEP

3072:PXYiVSJs7ijR01Q2Kl92MSP7x+8GpC+Eh9DpVZVCuqn:PpV2s+P2ARK7x+8KV89V3V

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	d374354cf81755b830d254ea6ad6294e.exe

Deletes itself 1 IoCs

pid	Process
2276	volmgr.exe

Executes dropped EXE 1 IoCs

pid	Process
2276	volmgr.exe

Loads dropped DLL 4 IoCs

pid	Process
2192	d374354cf81755b830d254ea6ad6294e.exe
2192	d374354cf81755b830d254ea6ad6294e.exe
2276	volmgr.exe
1572	DllHost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\volmgr = "C:\\Users\\Admin\\AppData\\Local\\volmgr.exe"	d374354cf81755b830d254ea6ad6294e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\volmgr = "C:\\Users\\Admin\\AppData\\Local\\volmgr.exe"	d374354cf81755b830d254ea6ad6294e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2276	volmgr.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2192	d374354cf81755b830d254ea6ad6294e.exe
2276	volmgr.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2276	2192	d374354cf81755b830d254ea6ad6294e.exe	29
PID 2192 wrote to memory of 2276	2192	d374354cf81755b830d254ea6ad6294e.exe	29
PID 2192 wrote to memory of 2276	2192	d374354cf81755b830d254ea6ad6294e.exe	29
PID 2192 wrote to memory of 2276	2192	d374354cf81755b830d254ea6ad6294e.exe	29

C:\Users\Admin\AppData\Local\Temp\d374354cf81755b830d254ea6ad6294e.exe
"C:\Users\Admin\AppData\Local\Temp\d374354cf81755b830d254ea6ad6294e.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\volmgr.exe
  "C:\Users\Admin\AppData\Local\volmgr.exe" C:\Users\Admin\AppData\Local\Temp\d374354cf81755b830d254ea6ad6294e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  PID:2276

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Loads dropped DLL
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\422E.tmp

Filesize
70KB

MD5
3ef8b428adacce8517746797a292aeed

SHA1
d582a25c976b65bcf78c7452d68018c08f4ed97a

SHA256
02642d6185be0e51a5f75693b2e47fbb091deea217e5f51e023803fcf21b0908

SHA512
444f60a972cbcfa3ee590fdee958b9adfb4b6e131ac4ec91fc74d25829dc9bea80e0cdc6e6ba4a21c52262822ec137a72af182a8b9f4f38f4180ad6e4d900357

Download Submit
C:\Users\Admin\AppData\Local\Temp\422F.tmp

Filesize
32KB

MD5
107383dd70dfe82c5c4c29f187d40500

SHA1
0cd7e829acd79ab2742faacf8ba0df172f79c704

SHA256
645352428bf382f513ff59269ecddde3ec195b8c1476709a8b5e81be53ba0bab

SHA512
6fd485dbe7c3bd47ad443c15743815c984bcd4301505cae2847fa331531563f7f8da01cc578329fd646a5cf203e20dd317d225ba4fea6c344a5c59ef196a93cb

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
884B

MD5
3f0493d494f1ca681c73976f4f97c262

SHA1
51766ebd206c8a62b3e1604fd64ac7be896fe909

SHA256
aa4f8c0fff53953056dff9c26af2c2bb97245c32d523982981d307270f48a308

SHA512
ea7a4717238285dbce3336d30410d8647ebfa37d858f92c555f8d0ce2722516ad435d2f8bad2359699fbfe84094b1464795f8657bf7d570aea761abef5027b6b

Download Submit
memory/1572-41-0x0000000076ECF000-0x0000000076ED0000-memory.dmp

Filesize
4KB

Download
memory/1572-38-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/1572-39-0x0000000000AA0000-0x0000000000AA5000-memory.dmp

Filesize
20KB

Download
memory/1572-40-0x0000000000440000-0x000000000044E000-memory.dmp

Filesize
56KB

Download
memory/1572-43-0x0000000076360000-0x0000000076470000-memory.dmp

Filesize
1.1MB

Download
memory/1572-42-0x0000000076360000-0x0000000076470000-memory.dmp

Filesize
1.1MB

Download
memory/2192-23-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2192-24-0x00000000001B0000-0x00000000001DC000-memory.dmp

Filesize
176KB

Download
memory/2192-4-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2192-0-0x00000000001B0000-0x00000000001DC000-memory.dmp

Filesize
176KB

Download
memory/2276-36-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2276-31-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/2276-32-0x0000000076ED0000-0x0000000076ED1000-memory.dmp

Filesize
4KB

Download
memory/2276-34-0x0000000076360000-0x0000000076470000-memory.dmp

Filesize
1.1MB

Download
memory/2276-35-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2276-28-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/2276-27-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2276-33-0x0000000076ECF000-0x0000000076ED0000-memory.dmp

Filesize
4KB

Download
memory/2276-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2276-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2276-21-0x0000000000020000-0x0000000000037000-memory.dmp

Filesize
92KB

Download
memory/2276-26-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/2276-44-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2276-45-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/2276-46-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads