d48c3ad01262cd7d4a3d1c777937fb38e96c47ab19f53dbd5dda1fe1cdb3f76b

General

Target

$_3_.exe
Size

1.7MB
MD5

d4c16982f8a834bc0f8028b45c3ae543
SHA1

9d9cec9af8f23a23521e20d48d9af1024663a4a7
SHA256

932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b
SHA512

c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c
SSDEEP

49152:n7mrmYPoEHVGTWFkO4ITVpSuEqM/vrM3rA3SuN5:km2Z12WFYFVf

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3064	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1296	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1296	$_3_.exe
1296	$_3_.exe
1296	$_3_.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 1660	1296	$_3_.exe	30
PID 1296 wrote to memory of 1660	1296	$_3_.exe	30
PID 1296 wrote to memory of 1660	1296	$_3_.exe	30
PID 1296 wrote to memory of 1660	1296	$_3_.exe	30
PID 1660 wrote to memory of 3064	1660	cmd.exe	32
PID 1660 wrote to memory of 3064	1660	cmd.exe	32
PID 1660 wrote to memory of 3064	1660	cmd.exe	32
PID 1660 wrote to memory of 3064	1660	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\18352.bat" "C:\Users\Admin\AppData\Local\Temp\7F732E91D38F43ACAE9F75B5B01D1E4E\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\$I311WGR

Filesize
544B

MD5
4f244328048169af8c669ac99b63c696

SHA1
807281b1ed06a848e3f0cac710442ca53ebd30fe

SHA256
8013950cbde7864c0d3df8f3fb91d122f68b5509b1293a4a4d227a585cf5c758

SHA512
249a4b79adf204e2e9e02c310875f5b52c89141b00d7a372aa09554cd72a8888420db7ee2d8ea08c6cfc84dc982013bceb47c939779f1263e9606f7fab0d1328

Download Submit
C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\$IHPSLQH

Filesize
544B

MD5
e414bdeb232aee2f54d414904425ae1e

SHA1
dfa9ab3da320182660b5da899f4d8adb5da8ffd7

SHA256
5b136bfbfb07c5b228de9c2ba0a2ff7c199f718faabe8cd6817e7afee48ae0e4

SHA512
fe3fccec0edb5953094c9a669acb05032c2de92dc42d445187494512c9a7e9a0e5dc2dc8732ecb6bede5764793c4cb461e196272f385fcf662b94bbb82aacfea

Download Submit
C:\Users\Admin\AppData\Local\Temp\18352.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F732E91D38F43ACAE9F75B5B01D1E4E\7F732E91D38F43ACAE9F75B5B01D1E4E_LogFile.txt

Filesize
2KB

MD5
2af732ea8db4b5fd0e590b82fda79936

SHA1
f2323f4c07b5c7a05be86e9ce21526d72cc7d34c

SHA256
f66ea6231d7ec4ebcd5fde07856299d57f7b8224f1104cafb4072b1ee87f82cb

SHA512
30f6c252b0048d69bae2240fd967e9ee1f99602f39de6caf828c4e4cbbd8c0cf9c99244299183ec4049bb2f8e9f0f8032084ba5553018fd2498df2b9438ad723

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F732E91D38F43ACAE9F75B5B01D1E4E\7F732E91D38F43ACAE9F75B5B01D1E4E_LogFile.txt

Filesize
3KB

MD5
9883985cad6f4099e82b4227c0b49036

SHA1
729acb776a2708e3563329ed70718b1e6ca08749

SHA256
7b384e8f4ee0812b07236442addd7a4d6e5ee1fb819a105104a2a330d75f7461

SHA512
e045bfe610879082e9aec95aa37cf28fa5df0e7ac72abf1106badd9dd29b2b83992f222ce4b91dc1538f5d15b1dca06c461d4af3393ec2bcfcc73772cac205a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F732E91D38F43ACAE9F75B5B01D1E4E\7F732E91D38F43ACAE9F75B5B01D1E4E_LogFile.txt

Filesize
5KB

MD5
5494b5d694a957e3835b23b322fd300d

SHA1
56f25b14cce7e81c6141ba6a4e79e8d532964e65

SHA256
ef05b460474e2d4e1fa365540b9ba27d6ce63f98993d9ddcfc6d96eeb729f66d

SHA512
ef755be6ac0b52762bbf981119542ffd3a1fd96c88e77fdad69f96cefeb3306679d3b3cd98fc3a96ec54436ab7f305d578009315c2054359d8c2dd47a30da566

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F732E91D38F43ACAE9F75B5B01D1E4E\7F732E~1.TXT

Filesize
28KB

MD5
6aa3204d630881b9de234f5db5bb72ae

SHA1
e13a21ff6d371a763103326e42a7d4eca7fb5b8f

SHA256
421332c3957208e2992bff5859216ccb3ab7349769c99bdde9ac978156544a2c

SHA512
9e369350e70a137fe0756d4cc18652dde9cecf4b91ae994111550ad98d79568e1dcca047be831c012521c0f31201ffdcd73ee4f5767b583a852c55246cc83113

Download Submit
memory/1296-67-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/1296-201-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing