b02793fc4ca7de6d6267bc1e50dcb50f536e43f7fcca60cc3a9f7f48d316150a

General

Target

b02793fc4ca7de6d6267bc1e50dcb50f536e43f7fcca60cc3a9f7f48d316150a.exe
Size

404KB
MD5

5ebff7118cf6779dd5848202d2f6ad0e
SHA1

1c61d610c6e70111429cb5320516a8fdafc0e212
SHA256

b02793fc4ca7de6d6267bc1e50dcb50f536e43f7fcca60cc3a9f7f48d316150a
SHA512

a754a17a64322d26ab22ddf6875c5586b86f254fbd59808baeae654627042b83dcb5b94a9f3c9ca9784b2fd99773b383ebb5b5e7f0f6b598240acf774e14957e
SSDEEP

6144:Cck18MipfIUaQYu8tbS6JBcj0U5hjX/Tvf8MJYFW8jb/HVbdsifRe9+fHrGJS:CX8Djadu8J4YSjX/THmxr1bBGsHrGJS

Score

9^/10

Malware Config

Signatures

Detects executables packed with aPLib. 3 IoCs

resource	yara_rule
behavioral1/memory/2316-0-0x0000000000400000-0x0000000000479000-memory.dmp	INDICATOR_EXE_Packed_aPLib
behavioral1/memory/2316-1-0x0000000000400000-0x0000000000479000-memory.dmp	INDICATOR_EXE_Packed_aPLib
behavioral1/memory/2316-58-0x0000000000400000-0x0000000000479000-memory.dmp	INDICATOR_EXE_Packed_aPLib

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2316 set thread context of 2740	2316	b02793fc4ca7de6d6267bc1e50dcb50f536e43f7fcca60cc3a9f7f48d316150a.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2740	2316	b02793fc4ca7de6d6267bc1e50dcb50f536e43f7fcca60cc3a9f7f48d316150a.exe	28
PID 2316 wrote to memory of 2740	2316	b02793fc4ca7de6d6267bc1e50dcb50f536e43f7fcca60cc3a9f7f48d316150a.exe	28
PID 2316 wrote to memory of 2740	2316	b02793fc4ca7de6d6267bc1e50dcb50f536e43f7fcca60cc3a9f7f48d316150a.exe	28
PID 2316 wrote to memory of 2740	2316	b02793fc4ca7de6d6267bc1e50dcb50f536e43f7fcca60cc3a9f7f48d316150a.exe	28
PID 2316 wrote to memory of 2740	2316	b02793fc4ca7de6d6267bc1e50dcb50f536e43f7fcca60cc3a9f7f48d316150a.exe	28
PID 2316 wrote to memory of 2740	2316	b02793fc4ca7de6d6267bc1e50dcb50f536e43f7fcca60cc3a9f7f48d316150a.exe	28
PID 2316 wrote to memory of 2740	2316	b02793fc4ca7de6d6267bc1e50dcb50f536e43f7fcca60cc3a9f7f48d316150a.exe	28
PID 2316 wrote to memory of 2740	2316	b02793fc4ca7de6d6267bc1e50dcb50f536e43f7fcca60cc3a9f7f48d316150a.exe	28
PID 2316 wrote to memory of 2740	2316	b02793fc4ca7de6d6267bc1e50dcb50f536e43f7fcca60cc3a9f7f48d316150a.exe	28
PID 2316 wrote to memory of 2740	2316	b02793fc4ca7de6d6267bc1e50dcb50f536e43f7fcca60cc3a9f7f48d316150a.exe	28
PID 2316 wrote to memory of 2740	2316	b02793fc4ca7de6d6267bc1e50dcb50f536e43f7fcca60cc3a9f7f48d316150a.exe	28
PID 2316 wrote to memory of 2740	2316	b02793fc4ca7de6d6267bc1e50dcb50f536e43f7fcca60cc3a9f7f48d316150a.exe	28
PID 2316 wrote to memory of 2600	2316	b02793fc4ca7de6d6267bc1e50dcb50f536e43f7fcca60cc3a9f7f48d316150a.exe	29
PID 2316 wrote to memory of 2600	2316	b02793fc4ca7de6d6267bc1e50dcb50f536e43f7fcca60cc3a9f7f48d316150a.exe	29
PID 2316 wrote to memory of 2600	2316	b02793fc4ca7de6d6267bc1e50dcb50f536e43f7fcca60cc3a9f7f48d316150a.exe	29
PID 2316 wrote to memory of 2600	2316	b02793fc4ca7de6d6267bc1e50dcb50f536e43f7fcca60cc3a9f7f48d316150a.exe	29

C:\Users\Admin\AppData\Local\Temp\b02793fc4ca7de6d6267bc1e50dcb50f536e43f7fcca60cc3a9f7f48d316150a.exe
"C:\Users\Admin\AppData\Local\Temp\b02793fc4ca7de6d6267bc1e50dcb50f536e43f7fcca60cc3a9f7f48d316150a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\svchost.exe
  C:\ProgramData\d2j26hh6b4.exe
  2⤵
  PID:2740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\xcu9285.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\b02793fc4ca7de6d6267bc1e50dcb50f536e43f7fcca60cc3a9f7f48d316150a.exe""
  2⤵
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\xcu9285.tmp.bat

Filesize
35B

MD5
41ef93c0898d96d307d80a2fdc602949

SHA1
b3ef650ae32cb421c5f104d3abffbf6e782e57d1

SHA256
6663e6b954abaf00e7a8773e7a3da90aca510eba974a28a17759f01c5be5f890

SHA512
727475cb13df33b2a1e5fd3a20ad6d9ff114b91cf42ea3d442879754dfc6b63ebf3753931af84004937832f5d9a90d5a95619dfe3bc41a7b99b90db123f0a9b1

Download Submit
memory/2316-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2316-1-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2316-3-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2316-58-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2740-7-0x00000000003C0000-0x0000000000436000-memory.dmp

Filesize
472KB

Download
memory/2740-6-0x00000000003C0000-0x0000000000436000-memory.dmp

Filesize
472KB

Download
memory/2740-8-0x00000000003C0000-0x0000000000436000-memory.dmp

Filesize
472KB

Download
memory/2740-9-0x00000000003C0000-0x0000000000436000-memory.dmp

Filesize
472KB

Download
memory/2740-10-0x00000000003C0000-0x0000000000436000-memory.dmp

Filesize
472KB

Download
memory/2740-11-0x00000000003C0000-0x0000000000436000-memory.dmp

Filesize
472KB

Download
memory/2740-12-0x00000000003C0000-0x0000000000436000-memory.dmp

Filesize
472KB

Download
memory/2740-13-0x00000000003C0000-0x0000000000436000-memory.dmp

Filesize
472KB

Download
memory/2740-5-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2740-4-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing