eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda

General

Target

eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.exe
Size

7.4MB
MD5

6d911503abe0fe2fca7175749dfc7ab1
SHA1

a45295dc3526c9e7d6c7e221b613443a4c07ad42
SHA256

eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda
SHA512

35e2d33975454b8c4e4bcbd03f81a073f91c10325c17f45f5ece60f90cbcf004d9d4d3063695c480c89ed7682ab25b91d147e491fd8c70305b54f809854b92f7
SSDEEP

196608:v+Uz+x7JTIrJ/X6kEfUSjfQ7c46UaRsPCDvKn/M:raN5IF/eMqJ46fGKZ

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2332	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp

Loads dropped DLL 2 IoCs

pid	Process
1504	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.exe
2332	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2840	taskkill.exe
2528	taskkill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2332	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	2528	taskkill.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 2332	1504	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.exe	28
PID 1504 wrote to memory of 2332	1504	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.exe	28
PID 1504 wrote to memory of 2332	1504	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.exe	28
PID 1504 wrote to memory of 2332	1504	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.exe	28
PID 1504 wrote to memory of 2332	1504	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.exe	28
PID 1504 wrote to memory of 2332	1504	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.exe	28
PID 1504 wrote to memory of 2332	1504	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.exe	28
PID 2332 wrote to memory of 2840	2332	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp	29
PID 2332 wrote to memory of 2840	2332	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp	29
PID 2332 wrote to memory of 2840	2332	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp	29
PID 2332 wrote to memory of 2840	2332	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp	29
PID 2332 wrote to memory of 2528	2332	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp	32
PID 2332 wrote to memory of 2528	2332	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp	32
PID 2332 wrote to memory of 2528	2332	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp	32
PID 2332 wrote to memory of 2528	2332	eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp	32

C:\Users\Admin\AppData\Local\Temp\eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.exe
"C:\Users\Admin\AppData\Local\Temp\eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\is-4DMGT.tmp\eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-4DMGT.tmp\eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp" /SL5="$4010A,6820482,1208320,C:\Users\Admin\AppData\Local\Temp\eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\system32\taskkill.exe
    "C:\Windows\system32\taskkill.exe" /f /im PhotosRecovery.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im "PRNotifier.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-4DMGT.tmp\eaa91bccdf81e98a45db6726d7f813924267f2dbdff3d06c68a393de8f3f4dda.tmp

Filesize
2.9MB

MD5
9bbf6787cc7011eb5ab75adcbfab6891

SHA1
7f86cee0f3df676898843c72b5f955f0b955c047

SHA256
f2a193655a3f9806cc7d3321e4c1b75971568306eade06124b12917629f9e7f2

SHA512
42f9a9c19bc57b5ff1d0e3f52b66d3e31b936e9d72c60c7db3922e339aad3cabcfaeda13b37afab5f79f50acb0575ccf681fb6b5bce13602141362366bee0903

Download Submit
\Users\Admin\AppData\Local\Temp\is-BU4FE.tmp\isxdl.dll

Filesize
147KB

MD5
4beded47aa9b07f05a56c0f97331d1a4

SHA1
c2b4df1ad01c5f9b7fb60694312444450f285dbe

SHA256
da171a2e0eec75f372d1fc0a69be17a4a7d519908a6f75b76abe6ec7ab71d284

SHA512
488e68d604259d0d2e546edf45429ace33054dbc71098977e82b43c4c97ba341d1a4bdab4170e48a5178423183bb06ff947149cfbeb8b868b4175996b211cfc7

Download Submit
memory/1504-0-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1504-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/1504-14-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2332-9-0x0000000000400000-0x00000000006EB000-memory.dmp

Filesize
2.9MB

Download
memory/2332-15-0x0000000000400000-0x00000000006EB000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing