2f777e82b65e659254dfd9995d1009dea0d5fa999fa73121b9490fdc3c7505d7

General

Target

2f777e82b65e659254dfd9995d1009dea0d5fa999fa73121b9490fdc3c7505d7.exe
Size

278KB
MD5

895c7f902ad22572547471476f2d4752
SHA1

25c06ae39f12241936491492966c083bb0a5548e
SHA256

2f777e82b65e659254dfd9995d1009dea0d5fa999fa73121b9490fdc3c7505d7
SHA512

1361113e4f6248957240fb35df837c3b904dfaf9fda9c7afca10f1783319054f67285a7769c03a46bcf25f4d2a6f5940457b3c54a073f8386f820b86aa99923e
SSDEEP

6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKY:boSeGUA5YZazpXUmZhZ6SY

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

a1punf5t2of.exe

pid process

2532 a1punf5t2of.exe
Loads dropped DLL 2 IoCs

Processes:

2f777e82b65e659254dfd9995d1009dea0d5fa999fa73121b9490fdc3c7505d7.exea1punf5t2of.exe

pid process

2488 2f777e82b65e659254dfd9995d1009dea0d5fa999fa73121b9490fdc3c7505d7.exe
2532 a1punf5t2of.exe

pid	process
2532	a1punf5t2of.exe

pid	process
2488	2f777e82b65e659254dfd9995d1009dea0d5fa999fa73121b9490fdc3c7505d7.exe
2532	a1punf5t2of.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2f777e82b65e659254dfd9995d1009dea0d5fa999fa73121b9490fdc3c7505d7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe"	2f777e82b65e659254dfd9995d1009dea0d5fa999fa73121b9490fdc3c7505d7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

2f777e82b65e659254dfd9995d1009dea0d5fa999fa73121b9490fdc3c7505d7.exea1punf5t2of.exe

description	pid	process	target process
PID 2488 wrote to memory of 2532	2488	2f777e82b65e659254dfd9995d1009dea0d5fa999fa73121b9490fdc3c7505d7.exe	a1punf5t2of.exe
PID 2488 wrote to memory of 2532	2488	2f777e82b65e659254dfd9995d1009dea0d5fa999fa73121b9490fdc3c7505d7.exe	a1punf5t2of.exe
PID 2488 wrote to memory of 2532	2488	2f777e82b65e659254dfd9995d1009dea0d5fa999fa73121b9490fdc3c7505d7.exe	a1punf5t2of.exe
PID 2488 wrote to memory of 2532	2488	2f777e82b65e659254dfd9995d1009dea0d5fa999fa73121b9490fdc3c7505d7.exe	a1punf5t2of.exe
PID 2488 wrote to memory of 2532	2488	2f777e82b65e659254dfd9995d1009dea0d5fa999fa73121b9490fdc3c7505d7.exe	a1punf5t2of.exe
PID 2488 wrote to memory of 2532	2488	2f777e82b65e659254dfd9995d1009dea0d5fa999fa73121b9490fdc3c7505d7.exe	a1punf5t2of.exe
PID 2488 wrote to memory of 2532	2488	2f777e82b65e659254dfd9995d1009dea0d5fa999fa73121b9490fdc3c7505d7.exe	a1punf5t2of.exe
PID 2532 wrote to memory of 2080	2532	a1punf5t2of.exe	a1punf5t2of.exe
PID 2532 wrote to memory of 2080	2532	a1punf5t2of.exe	a1punf5t2of.exe
PID 2532 wrote to memory of 2080	2532	a1punf5t2of.exe	a1punf5t2of.exe
PID 2532 wrote to memory of 2080	2532	a1punf5t2of.exe	a1punf5t2of.exe
PID 2532 wrote to memory of 2080	2532	a1punf5t2of.exe	a1punf5t2of.exe
PID 2532 wrote to memory of 2080	2532	a1punf5t2of.exe	a1punf5t2of.exe
PID 2532 wrote to memory of 2080	2532	a1punf5t2of.exe	a1punf5t2of.exe

C:\Users\Admin\AppData\Local\Temp\2f777e82b65e659254dfd9995d1009dea0d5fa999fa73121b9490fdc3c7505d7.exe
"C:\Users\Admin\AppData\Local\Temp\2f777e82b65e659254dfd9995d1009dea0d5fa999fa73121b9490fdc3c7505d7.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2488

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
3⤵
PID:2080

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
Filesize
279KB

MD5
6208d3e542dd5ee17931a1db0f5df7eb

SHA1
ff016be2838b07b2c3895aa10b6ed8c9cc53230d

SHA256
df7a0178e7341507a5342b9f4534a47064d406caf1671e3c85cf4f3c71197c11

SHA512
27992c80156e7992620a7e41b1b3f727978523a44d1767d0864b3c1632b4e19d1d5fbf31c071c3ceed5098e457f89b54eaa8066845625f90c36a21e1ae2ae463

Download Submit
memory/2488-0-0x00000000749A1000-0x00000000749A2000-memory.dmp

Filesize
4KB

Download
memory/2488-1-0x00000000749A0000-0x0000000074F4B000-memory.dmp

Filesize
5.7MB

Download
memory/2488-2-0x00000000749A0000-0x0000000074F4B000-memory.dmp

Filesize
5.7MB

Download
memory/2488-3-0x00000000749A0000-0x0000000074F4B000-memory.dmp

Filesize
5.7MB

Download
memory/2488-12-0x00000000749A0000-0x0000000074F4B000-memory.dmp

Filesize
5.7MB

Download
memory/2532-14-0x00000000749A0000-0x0000000074F4B000-memory.dmp

Filesize
5.7MB

Download
memory/2532-15-0x00000000749A0000-0x0000000074F4B000-memory.dmp

Filesize
5.7MB

Download
memory/2532-13-0x00000000749A0000-0x0000000074F4B000-memory.dmp

Filesize
5.7MB

Download
memory/2532-16-0x00000000749A0000-0x0000000074F4B000-memory.dmp

Filesize
5.7MB

Download
memory/2532-18-0x00000000749A0000-0x0000000074F4B000-memory.dmp

Filesize
5.7MB

Download
memory/2532-19-0x00000000749A0000-0x0000000074F4B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads