fa6eae73527d0fe9a5b011b225d21ea71f7d8363e57de3347ebb817ed3b43443

General

Target

df61aa9b6626a6aed2da2edc8a33f0e5.exe
Size

971KB
MD5

df61aa9b6626a6aed2da2edc8a33f0e5
SHA1

1d493fa7505b140d4c13b66486b86c332bd96396
SHA256

fa6eae73527d0fe9a5b011b225d21ea71f7d8363e57de3347ebb817ed3b43443
SHA512

4989dba701959001a0f6e14053ebe9838e0350e7140fd7c96cccefc75f75aa77338bdce80ef1c5b98c8b3bc459a195c889925ae41ffeac9c8cc78050fcb0a30e
SSDEEP

12288:sVyHqncOUXqqX6msZ1nTsIVqaa5F1Amx412JbUK4peOMnIKxJZzW4Jt4E2Tl+W+a:8GaqKXV63AmPpHD4E2TldgbkIN8n5+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2484	物商物望家她.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2484	物商物望家她.exe
2484	物商物望家她.exe
2484	物商物望家她.exe
2484	物商物望家她.exe
2484	物商物望家她.exe
2484	物商物望家她.exe
2484	物商物望家她.exe
2484	物商物望家她.exe
2484	物商物望家她.exe
2484	物商物望家她.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2456	df61aa9b6626a6aed2da2edc8a33f0e5.exe
Token: SeDebugPrivilege	2484	物商物望家她.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 2484	2456	df61aa9b6626a6aed2da2edc8a33f0e5.exe	28
PID 2456 wrote to memory of 2484	2456	df61aa9b6626a6aed2da2edc8a33f0e5.exe	28
PID 2456 wrote to memory of 2484	2456	df61aa9b6626a6aed2da2edc8a33f0e5.exe	28
PID 2484 wrote to memory of 2632	2484	物商物望家她.exe	29
PID 2484 wrote to memory of 2632	2484	物商物望家她.exe	29
PID 2484 wrote to memory of 2632	2484	物商物望家她.exe	29
PID 2484 wrote to memory of 2632	2484	物商物望家她.exe	29
PID 2484 wrote to memory of 2580	2484	物商物望家她.exe	30
PID 2484 wrote to memory of 2580	2484	物商物望家她.exe	30
PID 2484 wrote to memory of 2580	2484	物商物望家她.exe	30
PID 2484 wrote to memory of 2580	2484	物商物望家她.exe	30
PID 2484 wrote to memory of 2532	2484	物商物望家她.exe	31
PID 2484 wrote to memory of 2532	2484	物商物望家她.exe	31
PID 2484 wrote to memory of 2532	2484	物商物望家她.exe	31
PID 2484 wrote to memory of 2532	2484	物商物望家她.exe	31
PID 2484 wrote to memory of 2500	2484	物商物望家她.exe	32
PID 2484 wrote to memory of 2500	2484	物商物望家她.exe	32
PID 2484 wrote to memory of 2500	2484	物商物望家她.exe	32
PID 2484 wrote to memory of 2500	2484	物商物望家她.exe	32
PID 2484 wrote to memory of 2508	2484	物商物望家她.exe	33
PID 2484 wrote to memory of 2508	2484	物商物望家她.exe	33
PID 2484 wrote to memory of 2508	2484	物商物望家她.exe	33
PID 2484 wrote to memory of 2508	2484	物商物望家她.exe	33

C:\Users\Admin\AppData\Local\Temp\df61aa9b6626a6aed2da2edc8a33f0e5.exe
"C:\Users\Admin\AppData\Local\Temp\df61aa9b6626a6aed2da2edc8a33f0e5.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\物商物望家她.exe
  "C:\Users\Admin\AppData\Local\Temp\物商物望家她.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2632
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2580
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2532
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2500
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\物商物望家她.exe

Filesize
285KB

MD5
ed8d07e8f6d7527a4830d7a5d7117fd5

SHA1
f6aa21b80a906929f56ceacedf941c822dcfb1e9

SHA256
482182850c0594a9ff60ca587fe57b0d5752975d353674e6eb51c131f45b2bfc

SHA512
46a218985495af660fabf260bd9e2be7be0fdbb8efc5221dc67183891acc8ad3d4fe1a22d9fd5bf1f989e4726fa7619a2e915775dff9f4c1b2473db7f9f6bae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\物商物望家她.exe

Filesize
135KB

MD5
69aac6494bc2114b1b7a6d5cc5c39071

SHA1
c286e4fe9b8605b208918b667d19e77bb2555130

SHA256
92ed25ab63538e16f1aec78821282e9707b68c2eb250f7869cf3050358f3ba17

SHA512
f27fbabe0e9df951ec8e15ffce0185b7d3bd2a2b3f1051ab045dfc0967173c9ee896ff7ea053272a434ce371f9bb014feec3fcaaa64dc028fbf4fbf3c2a45796

Download Submit
memory/2456-3-0x000000001AF20000-0x000000001AFA0000-memory.dmp

Filesize
512KB

Download
memory/2456-0-0x0000000000E20000-0x0000000000F18000-memory.dmp

Filesize
992KB

Download
memory/2456-4-0x0000000000410000-0x000000000041A000-memory.dmp

Filesize
40KB

Download
memory/2456-2-0x000007FEF6020000-0x000007FEF6A0C000-memory.dmp

Filesize
9.9MB

Download
memory/2456-1-0x00000000003C0000-0x0000000000416000-memory.dmp

Filesize
344KB

Download
memory/2456-11-0x000007FEF6020000-0x000007FEF6A0C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-10-0x0000000000950000-0x0000000000A48000-memory.dmp

Filesize
992KB

Download
memory/2484-13-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/2484-12-0x000007FEF6020000-0x000007FEF6A0C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-14-0x000000001AFA0000-0x000000001B020000-memory.dmp

Filesize
512KB

Download
memory/2484-15-0x000007FEF6020000-0x000007FEF6A0C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing