b4ae582fb61848d83e1e55dcc4925ea7788dba0c940c5a21157de6566342f06a

General

Target

$_3_.exe
Size

1.7MB
MD5

d4c16982f8a834bc0f8028b45c3ae543
SHA1

9d9cec9af8f23a23521e20d48d9af1024663a4a7
SHA256

932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b
SHA512

c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c
SSDEEP

49152:n7mrmYPoEHVGTWFkO4ITVpSuEqM/vrM3rA3SuN5:km2Z12WFYFVf

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1160	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2188	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2188	$_3_.exe
2188	$_3_.exe
2188	$_3_.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2512	2188	$_3_.exe	30
PID 2188 wrote to memory of 2512	2188	$_3_.exe	30
PID 2188 wrote to memory of 2512	2188	$_3_.exe	30
PID 2188 wrote to memory of 2512	2188	$_3_.exe	30
PID 2512 wrote to memory of 1160	2512	cmd.exe	32
PID 2512 wrote to memory of 1160	2512	cmd.exe	32
PID 2512 wrote to memory of 1160	2512	cmd.exe	32
PID 2512 wrote to memory of 1160	2512	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\9478.bat" "C:\Users\Admin\AppData\Local\Temp\426DB927D075425A8FEAA5A7CCCE5CCF\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\$I2XT7L6

Filesize
544B

MD5
ef06bde6885f5959255a937139eb517e

SHA1
4e626290814190c494e087029465b8f2898b99a0

SHA256
03dd262a60886d803db52cc0476e6da06560abff83bf0ee6bdbcb4de6c442579

SHA512
f005535b1751b0821757e537376b7c472bd8a9692e64f1ec9c057dfa4cd47947d957eeafaa30670b6a4aee5fc00bfaca2709daf8fb6440308bc1b9355db541be

Download Submit
C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\$IBKYKD1

Filesize
544B

MD5
e7edbf6b923db4da4ecb07d89ede0452

SHA1
3a4485656ffd6c3ed59ba5d1a759f375b4dbe772

SHA256
a94b0974b46545e79d05a4366537c89a60fa268ce257d543a76bbe6513855c93

SHA512
42820a6a554d30e78d92ee8b466054c6050d1e71d8e22a1164355041b065879095022c72d17ed649e221c045fefba5fa109cb3da61f40315a0875bcfb7225d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\426DB927D075425A8FEAA5A7CCCE5CCF\426DB927D075425A8FEAA5A7CCCE5CCF_LogFile.txt

Filesize
2KB

MD5
8fd72a70bf2c13523bbcc4d1b55e7d2c

SHA1
5e80c376f357e613095ebf2fc3a1442109b99369

SHA256
b780437c4a7a5c8f6ae03bfdabe55c1bd27d0c7e89341c338ee19f7d7341a83c

SHA512
1f2cdb093c9b75f563ea34c401fd9adcf87d8c1028eb6ebcc2432f84e4784a085dc049c753cca499cb607556dd505f8b414e2fd66d2140d5c67236dda0ffdfd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\426DB927D075425A8FEAA5A7CCCE5CCF\426DB927D075425A8FEAA5A7CCCE5CCF_LogFile.txt

Filesize
2KB

MD5
69207a4df05a30d4957bf2b7725b3fef

SHA1
13a56aafac7f3adfdd0253b54f2342c5422c61b2

SHA256
363c74a54b310447075e38af694274b369d7c00ee4ccff326fe44da9f5587bcc

SHA512
14f084ee7b93b9ad4efcead7ef57b0845d8597bfd428f378501572c32037df3913636cdf7992a0d7bece8a846c7750134b8e661887624fdab0a3f2ea5781b559

Download Submit
C:\Users\Admin\AppData\Local\Temp\426DB927D075425A8FEAA5A7CCCE5CCF\426DB927D075425A8FEAA5A7CCCE5CCF_LogFile.txt

Filesize
5KB

MD5
e3019e66c7e8fc95fd6cb1aa701d5a3c

SHA1
031ec8f84e39ee76f81c5979aef8fb98b7ba81b7

SHA256
50557c8486b4e239efc64998989faf8d83c7e1cbaef36baaf4f9091b2621fdf5

SHA512
cb59a4803145a5c7382bcaac4747c99712eee74871ffcf72ed988845b9bb66bff98029c5062227cf93ba769f2295360de11bb7a1e96a39430fe6e7ff1f720826

Download Submit
C:\Users\Admin\AppData\Local\Temp\426DB927D075425A8FEAA5A7CCCE5CCF\426DB9~1.TXT

Filesize
27KB

MD5
551bb688a52b3a9e975ab9bdf614c35e

SHA1
20ce37fb2b733c43887d3838d17e623c4b12b7dc

SHA256
e8f8c7cd019a336baeb91f26099e20cd707fda5f79156385ea234864412f330a

SHA512
abba5651468131c87ff9f79fb48e2112c3d8b5cefca28d9903565f187def4551e598610cf3e9a506ddc16f7d9ba2a81e6460f070b2c4f11c370fb3d8e2ec29d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9478.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
memory/2188-67-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2188-199-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing