f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba

General

Target

f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba.exe
Size

896KB
MD5

ef9b1b04c34ed4642fa1c5ae2bf7bbb2
SHA1

a945e308b0918ffc74f11d263c4e8215038b27c1
SHA256

f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba
SHA512

f35ac47e5ed6a94bc2205684f3410e99400cb4508ce7eab6effee27bc75c0f92083b2d2bc112dfd5d4911c12ee8ec6460ed06ea32485ed21c2ff40d75a6cfd5d
SSDEEP

12288:sb5pi7mcdxdG1lFlWcYr70RxnnaaoaMnG8nNnjKU05xopHZYwQB3n7FfJIuw69s0:sTO4Mp+xnF+j8Amln7FfJIu99siMK

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba.exe
File created	C:\Windows\assembly\Desktop.ini	f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4512	OpenWith.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 5052	2028	f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba.exe	85
PID 2028 wrote to memory of 5052	2028	f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba.exe	85
PID 5052 wrote to memory of 2528	5052	csc.exe	87
PID 5052 wrote to memory of 2528	5052	csc.exe	87

C:\Users\Admin\AppData\Local\Temp\f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba.exe
"C:\Users\Admin\AppData\Local\Temp\f1682cf8a37398db755990957b830893c37aff88145a8c85e76149bbe0d2c8ba.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\url-8kkf.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31EE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC31ED.tmp"
    3⤵
    PID:2528

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES31EE.tmp

Filesize
1KB

MD5
9b71a22b3897b0d56ad2f07937ae252c

SHA1
2971c71f68915786f5e48f86d76a2972e94d4d5a

SHA256
c56e2332617390ccab9b943ae4f271dd27aaca8dbea136e4c770353f4eadcc22

SHA512
c44100c4901d4342bd11304d9bd5e414bcd898fcd6dada74bb90b9c38f65fce4eeb7299340f2fff45879616a16535cfd532780e204dd8f94c490fcfe692d2c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\url-8kkf.dll

Filesize
76KB

MD5
d72a322d527794362785e0b07af9c33d

SHA1
3629133702b443087a1fc3713421d13b004e39a9

SHA256
1d276d26435fd18fefc9ea333216334cce220d0fcb486ae13f5225195f90e3d6

SHA512
8b28d34920ef4b893a18abfb58164f62670a5e7f2e40a8b72ce9f8ca9d50ece7ea7e73e0d023105eae82de80531e752262d5164d7ac3f310a56c921ad6334aec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC31ED.tmp

Filesize
676B

MD5
f33366cbe4d62b3d59fe0290af050112

SHA1
8bdf098872d64cb21744db133f69f1095326542d

SHA256
24987bc5b55beb7b1f211e3fda3a34ebbba48c5d3ba88768324093668f23f715

SHA512
a6528fd692ce04f45cd665716af788c582043b03d8aea4e7205024702c5028ab38c605f47b4a2eba639603a26fecf09abefebc6ac56f4e321f9112b35bceadb3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\url-8kkf.0.cs

Filesize
208KB

MD5
384d7782b6e342ba79528566a771130b

SHA1
d3d9f8d3858a99720cd1e64515135a740288c3c3

SHA256
00146e0c37032009f8379a5d3d0fa872f7eff58c0d54f159a48a578d07aa80e4

SHA512
c3aac1541f599f752065c5cfebb3a8ab1d12d2978ba4b348373714adfd5173de01cb2059edba8b56eba97d5dfe13d38a103df0a4eb514fbb854e9f432a2746b2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\url-8kkf.cmdline

Filesize
349B

MD5
b8e15aaba2e4f1fe76c5b3ce7ee6b976

SHA1
b8d59852c8a0dffa55df959915e3451353be7c6c

SHA256
5cffcfaf1433761b760b54de104f5cea7196adb4d82c8e62eed33345abe4c25a

SHA512
221afedd23de4fc936a33b52e1997b6b4d45fd6a68148623908a9c393af3a9b466aababd10c9ad8e3ab04549aac7e6580e305a677166268f73d1fb93287565c4

Download Submit
memory/2028-6-0x000000001B680000-0x000000001B68E000-memory.dmp

Filesize
56KB

Download
memory/2028-8-0x000000001C200000-0x000000001C29C000-memory.dmp

Filesize
624KB

Download
memory/2028-7-0x000000001BD30000-0x000000001C1FE000-memory.dmp

Filesize
4.8MB

Download
memory/2028-0-0x00007FF992805000-0x00007FF992806000-memory.dmp

Filesize
4KB

Download
memory/2028-3-0x00007FF992550000-0x00007FF992EF1000-memory.dmp

Filesize
9.6MB

Download
memory/2028-2-0x000000001B590000-0x000000001B5EC000-memory.dmp

Filesize
368KB

Download
memory/2028-1-0x00007FF992550000-0x00007FF992EF1000-memory.dmp

Filesize
9.6MB

Download
memory/2028-23-0x000000001C8A0000-0x000000001C8B6000-memory.dmp

Filesize
88KB

Download
memory/2028-25-0x000000001B4F0000-0x000000001B502000-memory.dmp

Filesize
72KB

Download
memory/2028-26-0x0000000000E30000-0x0000000000E38000-memory.dmp

Filesize
32KB

Download
memory/2028-31-0x00007FF992550000-0x00007FF992EF1000-memory.dmp

Filesize
9.6MB

Download
memory/5052-16-0x00007FF992550000-0x00007FF992EF1000-memory.dmp

Filesize
9.6MB

Download
memory/5052-21-0x00007FF992550000-0x00007FF992EF1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing