de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd

General

Target

de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd.exe
Size

6.9MB
MD5

003ee36f64e5ff439655ddc5a235a9b0
SHA1

555a9ae2f49283ac14c069310206f6260654623a
SHA256

de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd
SHA512

8acb182a98bdf79ee13da73d5e9038aa9dae3cd34b596d9735c1e6f29f9cc1c61f92291bc90e422c1269c197109e19f68faa8988ce97a2278784afc5454dab76
SSDEEP

196608:mhUC3fTTEi1xkEqk+u4p22R2HlS3JdhVkkY7tn5:mhUs/T2mlmVkkY7l

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4084	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd_app.exe

Loads dropped DLL 2 IoCs

pid	Process
3332	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd.exe
4176	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4084	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd_app.exe
4084	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd_app.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4176	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd.exe
4084	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd_app.exe
4176	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd.exe
4176	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
4176	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd.exe
4084	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd_app.exe
4176	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd.exe
4176	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3332	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd.exe
4176	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd.exe
4176	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd.exe
4084	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd_app.exe
4084	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd_app.exe
4084	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd_app.exe
4084	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd_app.exe
4084	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd_app.exe
4084	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd_app.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 4176	3332	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd.exe	85
PID 3332 wrote to memory of 4176	3332	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd.exe	85
PID 3332 wrote to memory of 4176	3332	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd.exe	85
PID 4176 wrote to memory of 4084	4176	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd.exe	89
PID 4176 wrote to memory of 4084	4176	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd.exe	89
PID 4176 wrote to memory of 4084	4176	de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd.exe	89

C:\Users\Admin\AppData\Local\Temp\de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd.exe
"C:\Users\Admin\AppData\Local\Temp\de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Users\Admin\AppData\Local\Temp\de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd.exe
  C:\Users\Admin\AppData\Local\Temp\de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd.exe -a -d
  2⤵
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Users\Admin\AppData\Local\Temp\de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd_app.exe
    "C:\Users\Admin\AppData\Local\Temp\de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd_app.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cyyundun.dll

Filesize
332KB

MD5
8722259b998800a37c3991c58ce64f96

SHA1
d370272422272eaf9aca8bc17ba9bcba1b83df70

SHA256
b115d63bee020042256019ee14fa0570483180e29c4deb7ed5b8fab522b05244

SHA512
867872e22769ecdba19daca70d6ef2bbb9e310abd90ddd1c3ff5b9a3375ef11488f1f7ac021c579ab58b7e8125c8bada584a1e96bb15fcee5837307cb64a6857

Download Submit
C:\Users\Admin\AppData\Local\Temp\de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd_app.exe

Filesize
4.0MB

MD5
fb38216b24beaea8d0d7ffae402f1c8a

SHA1
097d208c7e430361a1fee6843f8edd372435dec2

SHA256
994ca9a858c7244d40b35e0bfae562360e2087a8ca9f2cbeeb34f470a13e729c

SHA512
fd48731f4362878413c427892b60af4010f969de19733f204458338a777fc581a35956ad34d4c103c2946fe8bfd2323656cd9fb25f2f7c46efcdecfd6e667cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\de1e5125e6c9722ab5b1e27e8d22e656d71ffbe44e3c77436a17fb60a9d18abd_app.ini

Filesize
1KB

MD5
79f0bae8dc5e9911fdd0de336ad97423

SHA1
39df6d28a5055a0061e2d2bca455e060e5645569

SHA256
228706afc064ba17b5d2ba27d833fa48ec21e7b4cb0c3a6d6f1800ab3f6e2165

SHA512
4385c6eb2ae4e2ea9f0da5cb5b4bca165c2ad9fdd549598c7c39679141fd8c3231d2bdd07663da1ab7ebcc04d863c27306c8037c7acb51990cc19cd41759bbf8

Download Submit
memory/3332-4-0x0000000074D30000-0x0000000074D97000-memory.dmp

Filesize
412KB

Download
memory/3332-6-0x0000000074D30000-0x0000000074D97000-memory.dmp

Filesize
412KB

Download
memory/4176-13-0x0000000074760000-0x00000000747C7000-memory.dmp

Filesize
412KB

Download
memory/4176-28-0x0000000074760000-0x00000000747C7000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing