b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4

General

Target

b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
Size

2.3MB
MD5

16ff011dcdd203ed50522b0495da07c2
SHA1

8914e394a89f0ba8c634438b00c881459c812017
SHA256

b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4
SHA512

a1e1a12a6753776e2d4bec31fcb94fcc6582fcc2300dfd4c6f5e77d0b68c18577fdc7998dbb709e3c85026c75399a7fbc6d4467327bbb06822cf44371b625e5f
SSDEEP

49152:sri/kTIiaWG55+ovfGYqEAf8RlPMJlio68D:srlLaWG55+ovfGYqEAf8RlPlo68

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1636	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe

Loads dropped DLL 5 IoCs

pid	Process
1748	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
1748	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
1748	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
1748	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
1636	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
File opened (read-only)	\??\T:	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
File opened (read-only)	\??\R:	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
File opened (read-only)	\??\P:	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
File opened (read-only)	\??\H:	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
File opened (read-only)	\??\N:	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
File opened (read-only)	\??\K:	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
File opened (read-only)	\??\J:	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
File opened (read-only)	\??\I:	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
File opened (read-only)	\??\Y:	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
File opened (read-only)	\??\W:	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
File opened (read-only)	\??\U:	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
File opened (read-only)	\??\Q:	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
File opened (read-only)	\??\E:	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
File opened (read-only)	\??\D:	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
File opened (read-only)	\??\O:	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
File opened (read-only)	\??\M:	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
File opened (read-only)	\??\L:	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
File opened (read-only)	\??\G:	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
File opened (read-only)	\??\Z:	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
File opened (read-only)	\??\X:	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
File opened (read-only)	\??\V:	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
File opened (read-only)	\??\S:	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\xjkSet_171122\b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
File created	C:\Program Files (x86)\xjkSet_171122\api2xxx_dll_M.dll	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1748	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1748	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
1748	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
1636	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
1636	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1636	1748	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe	28
PID 1748 wrote to memory of 1636	1748	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe	28
PID 1748 wrote to memory of 1636	1748	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe	28
PID 1748 wrote to memory of 1636	1748	b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe	28

C:\Users\Admin\AppData\Local\Temp\b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
"C:\Users\Admin\AppData\Local\Temp\b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Program Files (x86)\xjkSet_171122\b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe
  "C:\Program Files (x86)\xjkSet_171122\b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\xjkSet_171122\api2xxx_dll_M.dll

Filesize
1.8MB

MD5
ff1c75cd32367a44baba026c6e65d237

SHA1
a89c7f1a61a4d88fcd06d6a261534fbfd1d12020

SHA256
792f847ac258fdfa929a7bcce0c7d8e3653e6cbe8814b5fdb047235e798a9f35

SHA512
4d5866c40f9d69bcbea061f46790d7bc7fc3379cc8a2609bab7bdb88d75e0f8bfe7d908a2ce28e4de411c179fdfd84052bf043bdf0be311c95be92887f167a5a

Download Submit
\Program Files (x86)\xjkSet_171122\b4eaf46a3f0cdef69f054d18d5c3c3bbf8c3843ecb6df00b124840c4051fb7c4.exe

Filesize
300KB

MD5
b2225628520d9e99176a8b2fa83186cb

SHA1
2190f3ac989d80cc78ba859a9268fc306eee1d28

SHA256
28d9076c7314de1970f30aee33aeba73ffbd19a654aff07f288136b0e2cda34d

SHA512
15f19fc34e0de91223188020a1f763519fcff912fb39493ae3b527720dc4cf485cfa54ac7378ccae3c25b00ee73a827ee3f223b2b115ac8ad129a98672da2f6e

Download Submit

Analysis

Sharing