448503a54b7884e050378fb717a3e5bf590c03c31693b6a773afe0e35e9fcc1c

General

Target

$_3_.exe
Size

1.7MB
MD5

d4c16982f8a834bc0f8028b45c3ae543
SHA1

9d9cec9af8f23a23521e20d48d9af1024663a4a7
SHA256

932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b
SHA512

c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c
SSDEEP

49152:n7mrmYPoEHVGTWFkO4ITVpSuEqM/vrM3rA3SuN5:km2Z12WFYFVf

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3048	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2212	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2212	$_3_.exe
2212	$_3_.exe
2212	$_3_.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2112	2212	$_3_.exe	30
PID 2212 wrote to memory of 2112	2212	$_3_.exe	30
PID 2212 wrote to memory of 2112	2212	$_3_.exe	30
PID 2212 wrote to memory of 2112	2212	$_3_.exe	30
PID 2112 wrote to memory of 3048	2112	cmd.exe	32
PID 2112 wrote to memory of 3048	2112	cmd.exe	32
PID 2112 wrote to memory of 3048	2112	cmd.exe	32
PID 2112 wrote to memory of 3048	2112	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\14292.bat" "C:\Users\Admin\AppData\Local\Temp\05919A6219B84B20A5B8A402D5711765\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\$I3JTVT8

Filesize
544B

MD5
aaad025ea22dcf4795386f3ea5863366

SHA1
61282d43faef6a890f8c203af63a7bb11f6a4b1e

SHA256
5389cfdbcfd0bf443f0a6842b45554c107f0d02d6f14dc4f4218ef9a89ebc1fb

SHA512
53a24b5609cd769e5e6292c8cc89b68b58079f11850baba8f77ec2df257378a36877119158153701ec8202b605893ff635364287187836884b9a0ea6803c7820

Download Submit
C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\$I65T6HK

Filesize
544B

MD5
5539ea3db9a9d521ba14495e1e4b2dd0

SHA1
5d83edf0d93b85f312175ceb3acb91be3de8c70a

SHA256
8fbceeb1a3f5f97a8f4c23df34333a175fe74978576777058b12b2e01fcb54ca

SHA512
1cf25f29629149e317be4104757f38a773030029555d5754fa8c4b4e63715f1171699bb20e93ae4624c2bc962a5adb461f1137d8e7d79ac0f60808612dcb1bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\05919A6219B84B20A5B8A402D5711765\05919A6219B84B20A5B8A402D5711765_LogFile.txt

Filesize
2KB

MD5
d4ed4dacce4185689117dfaf70b53dde

SHA1
f2fe31333a6b783c029cbf4b9ccb905443c57f34

SHA256
1cf3e885045a7ea88c7172e25fa559aa2464e746ae0d9ee279935a7eac5cd094

SHA512
45390b1feb3bf402f975f3fb5b3c6413754ad04b54b3ff3da6856329ab7e5f34ec1d2bfde6bb3d7e82b3c28f10b75065a954c71b8a6f4a5f02fe27ff039c010e

Download Submit
C:\Users\Admin\AppData\Local\Temp\05919A6219B84B20A5B8A402D5711765\05919A6219B84B20A5B8A402D5711765_LogFile.txt

Filesize
3KB

MD5
e2d7822b91ce616454d71230a23e05f7

SHA1
ad66601ceaf4c00c1ae871870aa03de91f070506

SHA256
be66d9a31b377daf8d58613381f9eaa24b65df52fcda60710d7b0f542d826107

SHA512
e5d29892a906e5f1fc235e61cbc77945d92fa5be394d7a042bd4214fa52268f19bfaeb0b1796dbc5fc51859ed071c58fb1a33e24a6269d9e2443d95813babc21

Download Submit
C:\Users\Admin\AppData\Local\Temp\05919A6219B84B20A5B8A402D5711765\05919A6219B84B20A5B8A402D5711765_LogFile.txt

Filesize
4KB

MD5
3feee9435d469f789a73af6bc91cba91

SHA1
c5cf9172c3b95fb3f51ab8f3fb07590a4d38a232

SHA256
7aad40a38da4ae9e5e804ed2c38526977832bcb1ecb1cdd9c0205623230d1fdf

SHA512
fbb45831e59fdc9620a0fd5f02a4e28b1b0f34bea3f6618bd3b6b755391b9859b7297d34d2556e98a8eb3b67bae8b2219a4ce71429b909592d0bcdaa566445cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\05919A6219B84B20A5B8A402D5711765\05919A~1.TXT

Filesize
28KB

MD5
e7c412065dc56cec1c9e47ce41bb917f

SHA1
9e85438c4f0ea0217a8b132c43b36905faceefaf

SHA256
b140b3055a23e6ebc48a36f811edd2c042ae8d165517d23befd6b2327d665721

SHA512
96501adf47ee7aa3afd46e04a37dc5d7ac53bbb6ecd6b268c2ff35214772e48433a4cf754001a3a71e568418f9abef0131a890f1f29610f606c9536f13c5378d

Download Submit
C:\Users\Admin\AppData\Local\Temp\14292.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
memory/2212-67-0x0000000000190000-0x000000000033F000-memory.dmp

Filesize
1.7MB

Download
memory/2212-201-0x0000000000190000-0x000000000033F000-memory.dmp

Filesize
1.7MB

Download
memory/2212-286-0x0000000000190000-0x000000000033F000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing