cff77fc0706799bd9fbef9698d1c45a2b435a906dfff9f20dd026406f467b113

General

Target

d7b2b72600f362026592d011a5d05816.exe
Size

922KB
MD5

d7b2b72600f362026592d011a5d05816
SHA1

6cccb71befdc892fd8c5580be23dd0a5abf66b3f
SHA256

cff77fc0706799bd9fbef9698d1c45a2b435a906dfff9f20dd026406f467b113
SHA512

97beae48735bc04b5429e351f6c85828d99115141e08fcd76cb93d0685b1fa1e532a50f404b8878d09d2f3640ef1a0bf7c4307fecaf850da5a7c22c50b15ef45
SSDEEP

24576:3fbEK3qFGfFe0eveAc5pffBzNfpTFrjzU1P:3TFyEFRv5pXtNfpT5i

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3068	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3032	288896779.exe

Loads dropped DLL 4 IoCs

pid	Process
3068	cmd.exe
3068	cmd.exe
3032	288896779.exe
3032	288896779.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\d7b2b72600f362026592d011a5d05816 = "\"C:\\Users\\Admin\\AppData\\Local\\288896779.exe\" 0 30 "	d7b2b72600f362026592d011a5d05816.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\288896779 = "\"C:\\Users\\Admin\\AppData\\Local\\288896779.exe\" 0 49 "	288896779.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2900	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3032	288896779.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
3032	288896779.exe
3032	288896779.exe
3032	288896779.exe
3032	288896779.exe
3032	288896779.exe
3032	288896779.exe
3032	288896779.exe
3032	288896779.exe
3032	288896779.exe
3032	288896779.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
3032	288896779.exe
3032	288896779.exe
3032	288896779.exe
3032	288896779.exe
3032	288896779.exe
3032	288896779.exe
3032	288896779.exe
3032	288896779.exe
3032	288896779.exe
3032	288896779.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 3068	2136	d7b2b72600f362026592d011a5d05816.exe	28
PID 2136 wrote to memory of 3068	2136	d7b2b72600f362026592d011a5d05816.exe	28
PID 2136 wrote to memory of 3068	2136	d7b2b72600f362026592d011a5d05816.exe	28
PID 2136 wrote to memory of 3068	2136	d7b2b72600f362026592d011a5d05816.exe	28
PID 3068 wrote to memory of 2900	3068	cmd.exe	30
PID 3068 wrote to memory of 2900	3068	cmd.exe	30
PID 3068 wrote to memory of 2900	3068	cmd.exe	30
PID 3068 wrote to memory of 2900	3068	cmd.exe	30
PID 3068 wrote to memory of 3032	3068	cmd.exe	31
PID 3068 wrote to memory of 3032	3068	cmd.exe	31
PID 3068 wrote to memory of 3032	3068	cmd.exe	31
PID 3068 wrote to memory of 3032	3068	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\d7b2b72600f362026592d011a5d05816.exe
"C:\Users\Admin\AppData\Local\Temp\d7b2b72600f362026592d011a5d05816.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7134167672.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v d7b2b72600f362026592d011a5d05816 /f
    3⤵
    - Modifies registry key
    PID:2900
- - C:\Users\Admin\AppData\Local\288896779.exe
    C:\Users\Admin\AppData\Local\288896~1.EXE -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\288896779.exe

Filesize
922KB

MD5
d7b2b72600f362026592d011a5d05816

SHA1
6cccb71befdc892fd8c5580be23dd0a5abf66b3f

SHA256
cff77fc0706799bd9fbef9698d1c45a2b435a906dfff9f20dd026406f467b113

SHA512
97beae48735bc04b5429e351f6c85828d99115141e08fcd76cb93d0685b1fa1e532a50f404b8878d09d2f3640ef1a0bf7c4307fecaf850da5a7c22c50b15ef45

Download Submit
C:\Users\Admin\AppData\Local\Temp\7134167672.bat

Filesize
426B

MD5
6e1451ad4be35aa641f2abaad8641103

SHA1
d8c25e5e9c46ec7016778c247f8c8a8a4724285b

SHA256
242070f3e693c2dead1593bed037c3937db006198907255934c33c3b3b47b0d2

SHA512
4823d1d156b2bda4a8cd5c70939e17615bb056c851c6677fc373567ee554ceadf5ded8b7a542bf6993554b8543b0c8e844a331e3c6b871ec5c45281175ed75d1

Download Submit
memory/2136-1-0x0000000000400000-0x00000000008308C2-memory.dmp

Filesize
4.2MB

Download
memory/2136-2-0x00000000008A0000-0x0000000000AA0000-memory.dmp

Filesize
2.0MB

Download
memory/2136-3-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2136-4-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2136-14-0x0000000000400000-0x00000000008308C2-memory.dmp

Filesize
4.2MB

Download
memory/3032-29-0x00000000009A0000-0x0000000000BA0000-memory.dmp

Filesize
2.0MB

Download
memory/3032-33-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/3032-23-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/3032-25-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/3032-28-0x0000000000400000-0x00000000008308C2-memory.dmp

Filesize
4.2MB

Download
memory/3032-21-0x0000000000400000-0x00000000008308C2-memory.dmp

Filesize
4.2MB

Download
memory/3032-30-0x0000000000400000-0x00000000008308C2-memory.dmp

Filesize
4.2MB

Download
memory/3032-31-0x0000000000400000-0x00000000008308C2-memory.dmp

Filesize
4.2MB

Download
memory/3032-32-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/3032-22-0x00000000009A0000-0x0000000000BA0000-memory.dmp

Filesize
2.0MB

Download
memory/3032-34-0x0000000000400000-0x00000000008308C2-memory.dmp

Filesize
4.2MB

Download
memory/3032-36-0x0000000000400000-0x00000000008308C2-memory.dmp

Filesize
4.2MB

Download
memory/3032-37-0x0000000000400000-0x00000000008308C2-memory.dmp

Filesize
4.2MB

Download
memory/3032-38-0x0000000000400000-0x00000000008308C2-memory.dmp

Filesize
4.2MB

Download
memory/3032-39-0x0000000000400000-0x00000000008308C2-memory.dmp

Filesize
4.2MB

Download
memory/3032-40-0x0000000000400000-0x00000000008308C2-memory.dmp

Filesize
4.2MB

Download
memory/3032-45-0x0000000000400000-0x00000000008308C2-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads