856be80198034f9fabda3f15e7c17e5bb51fa95b38e5d62f448e4ae59cd6d21c

General

Target

$_3_.exe
Size

1.7MB
MD5

c4ca24ec91ced69fc98fac6fba21dc88
SHA1

b84f3a1ceef89673e31e0be210eb33d865d60659
SHA256

c690bea2115b2a16e23c845785772d14fdb978d32cb22bbbce83f53673eda821
SHA512

5783d1b8599d472039e9afca35590f76fe8930c73af4fa35fb796e819ca6d7219bd7ba1a0a6bcf3e8d76e9d873a078d74857a2318f8bbc3eca34c051a9ca4d41
SSDEEP

49152:27mrmYPoEHVGTWFkO4ITVpSuECY/vrM3rA3SuNM:Nm2Z12WFYFJ+

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2356	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2320	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2320	$_3_.exe
2320	$_3_.exe
2320	$_3_.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 1716	2320	$_3_.exe	30
PID 2320 wrote to memory of 1716	2320	$_3_.exe	30
PID 2320 wrote to memory of 1716	2320	$_3_.exe	30
PID 2320 wrote to memory of 1716	2320	$_3_.exe	30
PID 1716 wrote to memory of 2356	1716	cmd.exe	32
PID 1716 wrote to memory of 2356	1716	cmd.exe	32
PID 1716 wrote to memory of 2356	1716	cmd.exe	32
PID 1716 wrote to memory of 2356	1716	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\32321.bat" "C:\Users\Admin\AppData\Local\Temp\C988FB2AA1D941AAB5B03CF26C5C149F\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\$IEKAXTN

Filesize
544B

MD5
eef688b020d096315ee01d65c00bab50

SHA1
fc38bfb118e2e73373be393e0c35a76a94d7d0c9

SHA256
93b345127cc7b46eed5935b8fea9c3d27f023e8e1d94063968cf20b6444c705f

SHA512
b0d223a985ba451275df0c08bfe499e4107841c4da8c245ffd4a0268970388e4a70cf3c658af7c03cbdd647e75dd3a15bc893b7fa4609058275d04885606820a

Download Submit
C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\$IF1NMFB

Filesize
544B

MD5
25d4fb8337151d08bbba2f4519094a77

SHA1
5a098a2e7afc6bf66b87ac24b7fd2636e4f0008d

SHA256
8341e803c9281eb160ca8bf56ba475863299201f40c55bc7309991cbe980c6d7

SHA512
8c8c4038f93dba1bceeb81c74f8dcbbbce73c5c47ce71416443f31c898b44311290123325ee79ea3e03f4d941a20e44055b877bdf5b0d7aa2250055ca0f69f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\32321.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\C988FB2AA1D941AAB5B03CF26C5C149F\C988FB2AA1D941AAB5B03CF26C5C149F_LogFile.txt

Filesize
2KB

MD5
2f5b5f257716cf0b7e6605b0a2ec8cd7

SHA1
4e9cf06daeb0c93f3b083c9f0f72336bb27efd28

SHA256
03c51e4b3975e8413c92d97ea03c8534aec9665729802934a23431fd948c86ab

SHA512
d0b2027861e000d8b7ad5b8b58a8261d70059ae3cb287aeebcc57358ae47a74794bcfbb856dea21e9fd79ac467dfc14a4377c249c67a20d090322c8a9e6ade3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C988FB2AA1D941AAB5B03CF26C5C149F\C988FB2AA1D941AAB5B03CF26C5C149F_LogFile.txt

Filesize
2KB

MD5
4eb24da3930400647e681b891e692723

SHA1
9bb17fedcfa1ad79037914f86673b41f34c3d6d7

SHA256
3cdb28d6eee2319b53c81598a00040bf3bf0291148dafcff99d8be30dadba54b

SHA512
f60d6050c46c458c656eb139d4b4366c4c3e666855b2fbaca3fc319eabd4506f6b543fc6f7df59c90baebb02ebd2fe7e43597259fd48b385cd274d2adacdfd29

Download Submit
C:\Users\Admin\AppData\Local\Temp\C988FB2AA1D941AAB5B03CF26C5C149F\C988FB2AA1D941AAB5B03CF26C5C149F_LogFile.txt

Filesize
2KB

MD5
a6e2631f6a12f1ef39b6043057b25188

SHA1
437e5f66a58bf05d6ecbf4e1f815d2832cab3f45

SHA256
c33e0a269be955925872ba23d9645ad08cd215f52f1458c9efc6a6cfcc0d5574

SHA512
c504500d4e7350d71349113b6facd920f2cd2e4c78869aa35b6e85e31f92bd0729b0c7dc2f78488ccad72cfe220bc8b022a4dc6cc44e90d450428caf317f7b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C988FB2AA1D941AAB5B03CF26C5C149F\C988FB2AA1D941AAB5B03CF26C5C149F_LogFile.txt

Filesize
4KB

MD5
c21280cea91066d2e5ea965c0d2ca708

SHA1
02b9164322cca4e7e5e60a9dcbf9ff09d3859c3f

SHA256
066d21578ff8db6e4a2991e1f3b80015a9ad739988a1aa0c4a3c9d5aa3164fa1

SHA512
777880f50db64e94d99b9bed9ec090cf27e5ee6919efe02039cce111c9857f092878b75204570409236628f97c2d9dbab5c3e0466be36b73579b17aae5f1e64b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C988FB2AA1D941AAB5B03CF26C5C149F\C988FB~1.TXT

Filesize
27KB

MD5
c1d0ff0539f7058cf541bd651785fcf1

SHA1
c0abb902ee7003a678a3fc0fd9ba75465fa511b6

SHA256
c0eb9203e200cf64b43e6eba324eff60bb034d8fed74936a86c0842687a55824

SHA512
fbdc19d8b45ac3293a07b374042782f6779fcead1e163b8d08f8b8c520e580936e6cea0122917453b073e154e4c8070553b26983e2367a102495a8be41fddc96

Download Submit
memory/2320-67-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2320-201-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing