3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38

General

Target

3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe
Size

4.5MB
MD5

37b47b3f62158da52a57c1d3ca6e9c0d
SHA1

ac6e9d8babe61cf57ab2890ebc2dfe47b3d78ce5
SHA256

3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38
SHA512

c96bb023da6b5b4571fcf4e5d2ebc09f17c2c02a976a5cb5f6da60b313f5cb1c8872d3574f9cc6ddd7c8af430def0ca3d5309da39f6e71601ec9e146f1a562ad
SSDEEP

49152:w2KXFr7f4ELn86c9Rycf7oq75pWOiejjNxWg0Lcx8J5VJAH8P+l+vcT2y6bXmLRp:NKXFr7fz8x9EcHIVGD+eObWIvfK7

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

zgokr00.exevshost32.exe.3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe

pid process

2160 zgokr00.exe
2480 vshost32.exe
2544 .3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe

pid	process
2160	zgokr00.exe
2480	vshost32.exe
2544	.3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe

Loads dropped DLL 3 IoCs

Processes:

3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exezgokr00.exe

pid	process
1984	3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe
2160	zgokr00.exe
1984	3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vshost32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ScdBcd = "C:\\Users\\Admin\\AppData\\Roaming\\Dibifu_9\\vshost32.exe"	vshost32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe

pid	process
1984	3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe
1984	3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe
1984	3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe

description pid process

Token: SeDebugPrivilege 1984 3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe

description	pid	process
Token: SeDebugPrivilege	1984	3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exezgokr00.execmd.exe

description	pid	process	target process
PID 1984 wrote to memory of 2160	1984	3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe	zgokr00.exe
PID 1984 wrote to memory of 2160	1984	3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe	zgokr00.exe
PID 1984 wrote to memory of 2160	1984	3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe	zgokr00.exe
PID 1984 wrote to memory of 2160	1984	3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe	zgokr00.exe
PID 2160 wrote to memory of 2480	2160	zgokr00.exe	vshost32.exe
PID 2160 wrote to memory of 2480	2160	zgokr00.exe	vshost32.exe
PID 2160 wrote to memory of 2480	2160	zgokr00.exe	vshost32.exe
PID 2160 wrote to memory of 2480	2160	zgokr00.exe	vshost32.exe
PID 2160 wrote to memory of 2520	2160	zgokr00.exe	cmd.exe
PID 2160 wrote to memory of 2520	2160	zgokr00.exe	cmd.exe
PID 2160 wrote to memory of 2520	2160	zgokr00.exe	cmd.exe
PID 2160 wrote to memory of 2520	2160	zgokr00.exe	cmd.exe
PID 1984 wrote to memory of 2544	1984	3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe	.3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe
PID 1984 wrote to memory of 2544	1984	3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe	.3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe
PID 1984 wrote to memory of 2544	1984	3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe	.3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe
PID 1984 wrote to memory of 2544	1984	3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe	.3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe
PID 2520 wrote to memory of 2532	2520	cmd.exe	choice.exe
PID 2520 wrote to memory of 2532	2520	cmd.exe	choice.exe
PID 2520 wrote to memory of 2532	2520	cmd.exe	choice.exe
PID 2520 wrote to memory of 2532	2520	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe
"C:\Users\Admin\AppData\Local\Temp\3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\zgokr00.exe
"C:\Users\Admin\AppData\Local\Temp\zgokr00.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160

C:\Users\Admin\AppData\Roaming\Dibifu_9\vshost32.exe
"C:\Users\Admin\AppData\Roaming\Dibifu_9\vshost32.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del C:\Users\Admin\AppData\Local\Temp\zgokr00.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\.3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe
"C:\Users\Admin\AppData\Local\Temp\.3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe"
2⤵
- Executes dropped EXE
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.3db6d14d9e23346be0d518efe166bc47633789ee26ec1a7b89f2730f101c1a38.exe

Filesize
4.0MB

MD5
cd09dc53ca04452ac0e4be7fd77c1c26

SHA1
a01c9e5f64a26706be19988e4d701aec33d14096

SHA256
ba06e066947beb19ac63e7f71e2077ce3d5d80cef45f52766642c23166a7d184

SHA512
b02217973088842c1cfbae44f7be2d380de7127422e1e696df871e6ddfc27467f09dfbe3a8bf79023e8b229d4bdb4b9aab1bc1d373571387c104d2c02f00b3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgokr00.exe

Filesize
461KB

MD5
1f742732e9dd7d04bf13e42edc0b5328

SHA1
5e079a43f1d2e475a90788f427a12afbc35ce21a

SHA256
590f67337b1cbffebc770ea47a8157428a4b5863e8408c2bd12b7c5c54b0d8b0

SHA512
f7e6bb8f94524b69d15e7685af838413c8cd3ea2900d065794429e79a0006ff4aa2558f58a7dc178dc9b01f3b04aba1aea10b9a10d0951271e05b6f3289148cb

Download Submit
memory/1984-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/1984-1-0x0000000000C70000-0x0000000000CEA000-memory.dmp

Filesize
488KB

Download
memory/1984-2-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/1984-31-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2160-12-0x0000000000060000-0x00000000000DA000-memory.dmp

Filesize
488KB

Download
memory/2160-15-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2160-23-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2160-29-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2480-25-0x0000000000970000-0x00000000009EA000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads