40b7114aed93879928adec8a4921d9003f0a21cf4d7190b99f85e73871218c6a

General

Target

d45cec72c8b1652cba1552abc7fc9542.exe
Size

2.0MB
MD5

d45cec72c8b1652cba1552abc7fc9542
SHA1

a4ab9197fd4dc9e667464c4c299babe1120639d5
SHA256

40b7114aed93879928adec8a4921d9003f0a21cf4d7190b99f85e73871218c6a
SHA512

a437e5b30e72bf8fc889a5800ba57edad09edf77ba73a8df69f66a8024656db030129465a87498f400764837903a8d0b5fb11e228baaae1800498368f2bc474c
SSDEEP

49152:rlcxRmQwzMl6k1z/Axiztg5egr6c52J0xIlTnkzNEF8U2:rlzQwAdmx5egucX0qNe2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

h0lafbgw29754rz.exe91qmh53dm8i296k.exe

pid process

1740 h0lafbgw29754rz.exe
2596 91qmh53dm8i296k.exe

pid	process
1740	h0lafbgw29754rz.exe
2596	91qmh53dm8i296k.exe

Loads dropped DLL 10 IoCs

Processes:

d45cec72c8b1652cba1552abc7fc9542.exeh0lafbgw29754rz.exe91qmh53dm8i296k.exe

pid	process
2752	d45cec72c8b1652cba1552abc7fc9542.exe
2752	d45cec72c8b1652cba1552abc7fc9542.exe
1740	h0lafbgw29754rz.exe
1740	h0lafbgw29754rz.exe
1740	h0lafbgw29754rz.exe
1740	h0lafbgw29754rz.exe
1740	h0lafbgw29754rz.exe
2596	91qmh53dm8i296k.exe
2596	91qmh53dm8i296k.exe
2596	91qmh53dm8i296k.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 33 IoCs

Processes:

91qmh53dm8i296k.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92AD9985-EC33-7024-5007-F17E678E8ED1}\1.0\0\win32\	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20CD567F-0A15-446A-A894-33D34FB87960}\VersionIndependentProgID\ = "PortableDeviceValuesCollection.PortableDeviceValuesCollection"	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20CD567F-0A15-446A-A894-33D34FB87960}\TypeLib\ = "{92AD9985-EC33-7024-5007-F17E678E8ED1}"	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20CD567F-0A15-446A-A894-33D34FB87960}\InprocServer32\	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92AD9985-EC33-7024-5007-F17E678E8ED1}\1.0\	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92AD9985-EC33-7024-5007-F17E678E8ED1}\1.0\0\win32	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92AD9985-EC33-7024-5007-F17E678E8ED1}\1.0\FLAGS\ = "0"	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20CD567F-0A15-446A-A894-33D34FB87960}\ProgID\ = "PortableDeviceValuesCollection.PortableDeviceValuesCollection.1"	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92AD9985-EC33-7024-5007-F17E678E8ED1}	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20CD567F-0A15-446A-A894-33D34FB87960}\Version\ = "1.0"	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20CD567F-0A15-446A-A894-33D34FB87960}\VersionIndependentProgID	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20CD567F-0A15-446A-A894-33D34FB87960}\VersionIndependentProgID\	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20CD567F-0A15-446A-A894-33D34FB87960}\InprocServer32\ = "%systemroot%\\SysWow64\\PortableDeviceTypes.dll"	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92AD9985-EC33-7024-5007-F17E678E8ED1}\1.0\FLAGS	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92AD9985-EC33-7024-5007-F17E678E8ED1}\1.0\FLAGS\	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20CD567F-0A15-446A-A894-33D34FB87960}\TypeLib\	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20CD567F-0A15-446A-A894-33D34FB87960}\Version\	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20CD567F-0A15-446A-A894-33D34FB87960}\ = "Esalive.Obohe.Lonihav class"	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92AD9985-EC33-7024-5007-F17E678E8ED1}\1.0\HELPDIR	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92AD9985-EC33-7024-5007-F17E678E8ED1}\1.0\HELPDIR\	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20CD567F-0A15-446A-A894-33D34FB87960}\TypeLib	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20CD567F-0A15-446A-A894-33D34FB87960}\ProgID	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92AD9985-EC33-7024-5007-F17E678E8ED1}\	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20CD567F-0A15-446A-A894-33D34FB87960}\Version	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20CD567F-0A15-446A-A894-33D34FB87960}\ProgID\	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92AD9985-EC33-7024-5007-F17E678E8ED1}\1.0\ = "Groove CalendarTool 1.0 Type Library"	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92AD9985-EC33-7024-5007-F17E678E8ED1}\1.0\0\	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92AD9985-EC33-7024-5007-F17E678E8ED1}\1.0\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GROOVE.EXE\\108"	91qmh53dm8i296k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92AD9985-EC33-7024-5007-F17E678E8ED1}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\"	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20CD567F-0A15-446A-A894-33D34FB87960}	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20CD567F-0A15-446A-A894-33D34FB87960}\InprocServer32	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92AD9985-EC33-7024-5007-F17E678E8ED1}\1.0	91qmh53dm8i296k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92AD9985-EC33-7024-5007-F17E678E8ED1}\1.0\0	91qmh53dm8i296k.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

91qmh53dm8i296k.exe

pid process

2596 91qmh53dm8i296k.exe

pid	process
2596	91qmh53dm8i296k.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

d45cec72c8b1652cba1552abc7fc9542.exeh0lafbgw29754rz.exe

description	pid	process	target process
PID 2752 wrote to memory of 1740	2752	d45cec72c8b1652cba1552abc7fc9542.exe	h0lafbgw29754rz.exe
PID 2752 wrote to memory of 1740	2752	d45cec72c8b1652cba1552abc7fc9542.exe	h0lafbgw29754rz.exe
PID 2752 wrote to memory of 1740	2752	d45cec72c8b1652cba1552abc7fc9542.exe	h0lafbgw29754rz.exe
PID 2752 wrote to memory of 1740	2752	d45cec72c8b1652cba1552abc7fc9542.exe	h0lafbgw29754rz.exe
PID 2752 wrote to memory of 1740	2752	d45cec72c8b1652cba1552abc7fc9542.exe	h0lafbgw29754rz.exe
PID 2752 wrote to memory of 1740	2752	d45cec72c8b1652cba1552abc7fc9542.exe	h0lafbgw29754rz.exe
PID 2752 wrote to memory of 1740	2752	d45cec72c8b1652cba1552abc7fc9542.exe	h0lafbgw29754rz.exe
PID 1740 wrote to memory of 2596	1740	h0lafbgw29754rz.exe	91qmh53dm8i296k.exe
PID 1740 wrote to memory of 2596	1740	h0lafbgw29754rz.exe	91qmh53dm8i296k.exe
PID 1740 wrote to memory of 2596	1740	h0lafbgw29754rz.exe	91qmh53dm8i296k.exe
PID 1740 wrote to memory of 2596	1740	h0lafbgw29754rz.exe	91qmh53dm8i296k.exe
PID 1740 wrote to memory of 2596	1740	h0lafbgw29754rz.exe	91qmh53dm8i296k.exe
PID 1740 wrote to memory of 2596	1740	h0lafbgw29754rz.exe	91qmh53dm8i296k.exe
PID 1740 wrote to memory of 2596	1740	h0lafbgw29754rz.exe	91qmh53dm8i296k.exe

C:\Users\Admin\AppData\Local\Temp\d45cec72c8b1652cba1552abc7fc9542.exe
"C:\Users\Admin\AppData\Local\Temp\d45cec72c8b1652cba1552abc7fc9542.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752

C:\Users\Admin\AppData\Local\Temp\RarSFX0\h0lafbgw29754rz.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\h0lafbgw29754rz.exe" -e -p0581865dny14432
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\RarSFX1\91qmh53dm8i296k.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\91qmh53dm8i296k.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2596

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX1\91qmh53dm8i296k.exe
Filesize
896KB

MD5
ec67d7b90755f0406ac6c86861114c4d

SHA1
36d09f614bb65e6ac38af00ea67db481c3d32694

SHA256
cea71eee366433703e109a9e8785d84120ce87185f636a0e20f1f3ea7b18b988

SHA512
8ca73fca2015237e61f8db716697d009ef787976ada45c9b4d3d294c1c48769aa8d5e6bc9ca5b1181cd0ce887f0cfc5890f73efd97c70e15cef729771df880e7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\h0lafbgw29754rz.exe
Filesize
1.9MB

MD5
cab1cd40a256cef129b78a4a5b0f5517

SHA1
6a9ec5b7ab7d5d5a22505bf031956bd992d21523

SHA256
87635107a794f8d6c0799e87bec3069ddb05ba479ef3bd6ca34338e4a742c9cd

SHA512
5cba4f74089a23b50136c9cd4088d12df5831c01605ff954aea3fcbf76541cdad1b051dd7639e0212c054c6278cf77a711570d6064b5926e6aa79107cd83a76a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\91qmh53dm8i296k.exe
Filesize
1.9MB

MD5
66818087dcda640a66d9a3c772a40f44

SHA1
61fd71dfe66df6a21a34a84e3657486f67038917

SHA256
4dd74cbb1e58e32ef72af6619f5f793609ae093e80822a568be0e3b2012a2d5f

SHA512
96cafd0d36cf995c36cdff6202818f44698629fe23627e4495f2ead41c9ff4c15fe5c38852e113a3e2858f44486ea00ea9af8f0a4c79c7e147efdfe398f88d01

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\91qmh53dm8i296k.exe
Filesize
1.9MB

MD5
d26e81f1ea86530b18e1916e30108eee

SHA1
ef2f8518c96094eb56c22dd159f44a328bde73ab

SHA256
c2d0e4a5354d1fc13d188cfc94bd318e0025908226c70310c14d1922c6f45560

SHA512
fb93c9832379d66a04fe0a49bf1c5c94a38aa0b09a6520f034cc9a30e9440ebbb8b36b38824edd0606162d44e46ba32059875bb58583db3b3ce8e72128563d13

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\91qmh53dm8i296k.exe
Filesize
640KB

MD5
2347767ce8f9229a31b138bcf69a9006

SHA1
7901a5bc81f848febc4c3172be090bea2ef57ce4

SHA256
378dda7d2340a479a40ee6bd6fba54df29eba33c8df441dc28436c1fe3b290b4

SHA512
034b0e698d3cda5750039f9eae120655633440410c04b8d31fb327ecd057560daf9c869915615da1ae3a49dfd96846715d90d98fcf7562f6034533fc5db8e14a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\91qmh53dm8i296k.exe
Filesize
576KB

MD5
6fa4a752584048f5e8e2612588f08a0a

SHA1
2a8309c2f7018224e73539403ee7c3ff098b4b43

SHA256
24df4b9d1bf2aebe703e72278f5aba16aa8b04c644bb3f025e6b76cd64e5a8c9

SHA512
bc0b5b1850f46fc3a4958729f0926c44e602e0472f9d43f814611e3e98159b5d177993350613061cdc7d25dd1473ffee609e7523ae9a3db5326a1f95405c63f0

Download Submit
memory/1740-23-0x0000000003920000-0x0000000003D2E000-memory.dmp

Filesize
4.1MB

Download
memory/1740-35-0x0000000003920000-0x0000000003D2E000-memory.dmp

Filesize
4.1MB

Download
memory/2596-29-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/2596-30-0x0000000000D90000-0x000000000119E000-memory.dmp

Filesize
4.1MB

Download
memory/2596-34-0x0000000000810000-0x000000000086A000-memory.dmp

Filesize
360KB

Download
memory/2596-33-0x0000000003900000-0x0000000003903000-memory.dmp

Filesize
12KB

Download
memory/2596-32-0x0000000000D90000-0x000000000119E000-memory.dmp

Filesize
4.1MB

Download
memory/2596-31-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads