ce13e6ef912e34b1336738929cca1230985b4948c229956b6a8e28c8f5ce1f38

General

Target

ce13e6ef912e34b1336738929cca1230985b4948c229956b6a8e28c8f5ce1f38.exe
Size

6.3MB
MD5

787842bce9203f00d5df89e588d61c31
SHA1

3c98800a143bc46c3349b7ce25e8dbe0e9fcce9a
SHA256

ce13e6ef912e34b1336738929cca1230985b4948c229956b6a8e28c8f5ce1f38
SHA512

e1a29df8a9000a893e95528acddc838245d8824d6f4ae00e64cb3e25f861b275fb91d9a2acc95ca86ca288e31d5d7801570cd5beef93e16765049ca2cc68488d
SSDEEP

98304:vWATqbvhK7kY/aBvyXuFm6SaYgtNBwLCDBvpqDb0H6eqyK0h4JBAUZLlXcw:vWjk7kgNaFt77qyK0yJVF

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows×ÊÔ´¹ÜÀíÆ÷.exe.lnk	ce13e6ef912e34b1336738929cca1230985b4948c229956b6a8e28c8f5ce1f38.exe

Executes dropped EXE 3 IoCs

pid	Process
3056	Windows×ÊÔ´¹ÜÀíÆ÷.exe
2512	Oeciekg.exe
2608	Oeciekg.exe

Loads dropped DLL 3 IoCs

pid	Process
2872	ce13e6ef912e34b1336738929cca1230985b4948c229956b6a8e28c8f5ce1f38.exe
2872	ce13e6ef912e34b1336738929cca1230985b4948c229956b6a8e28c8f5ce1f38.exe
2872	ce13e6ef912e34b1336738929cca1230985b4948c229956b6a8e28c8f5ce1f38.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Fujkvq\Oeciekg.exe	Windows×ÊÔ´¹ÜÀíÆ÷.exe
File opened for modification	C:\Program Files (x86)\Microsoft Fujkvq\Oeciekg.exe	Windows×ÊÔ´¹ÜÀíÆ÷.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2872	ce13e6ef912e34b1336738929cca1230985b4948c229956b6a8e28c8f5ce1f38.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2872	ce13e6ef912e34b1336738929cca1230985b4948c229956b6a8e28c8f5ce1f38.exe
2872	ce13e6ef912e34b1336738929cca1230985b4948c229956b6a8e28c8f5ce1f38.exe
3056	Windows×ÊÔ´¹ÜÀíÆ÷.exe
3056	Windows×ÊÔ´¹ÜÀíÆ÷.exe
2512	Oeciekg.exe
2512	Oeciekg.exe
2872	ce13e6ef912e34b1336738929cca1230985b4948c229956b6a8e28c8f5ce1f38.exe
2608	Oeciekg.exe
2608	Oeciekg.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 3056	2872	ce13e6ef912e34b1336738929cca1230985b4948c229956b6a8e28c8f5ce1f38.exe	28
PID 2872 wrote to memory of 3056	2872	ce13e6ef912e34b1336738929cca1230985b4948c229956b6a8e28c8f5ce1f38.exe	28
PID 2872 wrote to memory of 3056	2872	ce13e6ef912e34b1336738929cca1230985b4948c229956b6a8e28c8f5ce1f38.exe	28
PID 2872 wrote to memory of 3056	2872	ce13e6ef912e34b1336738929cca1230985b4948c229956b6a8e28c8f5ce1f38.exe	28
PID 2512 wrote to memory of 2608	2512	Oeciekg.exe	30
PID 2512 wrote to memory of 2608	2512	Oeciekg.exe	30
PID 2512 wrote to memory of 2608	2512	Oeciekg.exe	30
PID 2512 wrote to memory of 2608	2512	Oeciekg.exe	30

C:\Users\Admin\AppData\Local\Temp\ce13e6ef912e34b1336738929cca1230985b4948c229956b6a8e28c8f5ce1f38.exe
"C:\Users\Admin\AppData\Local\Temp\ce13e6ef912e34b1336738929cca1230985b4948c229956b6a8e28c8f5ce1f38.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Roaming\data\Windows×ÊÔ´¹ÜÀíÆ÷.exe
  C:\Users\Admin\AppData\Roaming\data\Windows×ÊÔ´¹ÜÀíÆ÷.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:3056

C:\Program Files (x86)\Microsoft Fujkvq\Oeciekg.exe
"C:\Program Files (x86)\Microsoft Fujkvq\Oeciekg.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Program Files (x86)\Microsoft Fujkvq\Oeciekg.exe
  "C:\Program Files (x86)\Microsoft Fujkvq\Oeciekg.exe" Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\pass.txt

Filesize
8B

MD5
71d864b6b132a9235400af39917131b3

SHA1
b79d02acde8be0d57bedef9bd3edeab0a5a066f3

SHA256
f4392ea35b8bafc5813b48055be473c4eceb72f11936a67a92cd9086efc2492e

SHA512
f331a1c933e016667682d3339784e57f4518305954a7e02643b4deab5ff8ded663232f38190d535457f4351d506f642cea961ea09dc3182c7917f8e483dbd0d3

Download Submit
\Users\Admin\AppData\Roaming\data\Windows×ÊÔ´¹ÜÀíÆ÷.exe

Filesize
2.5MB

MD5
a45d8954cd672381107704643279e2b3

SHA1
b2fe5c580d293a83d23012d325d9f559ebaefbec

SHA256
f5aee374a8487ea15062efef5247e949ae50a14d4edb2cb38048b258d367cf50

SHA512
b421902adbc5c745b0b19cecb0ce319371cce28a9cda9c650907fc8d38f348a2e42f21bd500e81cf83c16f43639986e4a61d8ac0742121da3b1a228bfe93615d

Download Submit
memory/2872-38-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2872-41-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2872-31-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2872-37-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2872-39-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2872-40-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2872-53-0x00000000083C0000-0x00000000083C1000-memory.dmp

Filesize
4KB

Download
memory/2872-36-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2872-35-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/2872-33-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2872-34-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2872-30-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2872-43-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/2872-42-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/2872-54-0x00000000083B0000-0x00000000083B1000-memory.dmp

Filesize
4KB

Download
memory/3056-15-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3056-67-0x0000000001280000-0x0000000001514000-memory.dmp

Filesize
2.6MB

Download

Analysis

Sharing