5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2

General

Target

5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
Size

11.5MB
MD5

7a5e0b31ca3759ec4964da0baa7a5579
SHA1

706a124458622ff1a47b9878cb08f2ada2ee5442
SHA256

5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2
SHA512

bd2dac6eafaa62f251a6efdc6e28d41385ac344c446d2b511948a9c84fe53866f4408de173bff0ba6877135ab86f8a8d70aa3181d81a8e270f1966d7fadb06d3
SSDEEP

196608:n2Gtl6DPRKTkNg8h8V2KQqGfyxXIicOExzUx8Bssun3f6B2+FDnVAA/uaeol:2GtA7RKQNg8h8V2KQH6uBsc9cA/xey

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4708	5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
File opened (read-only)	\??\F:	5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
File opened (read-only)	\??\D:	5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
File opened (read-only)	\??\E:	5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4296	5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
4296	5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
4708	5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
4708	5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 3596	4296	5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe	83
PID 4296 wrote to memory of 3596	4296	5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe	83
PID 4296 wrote to memory of 3596	4296	5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe	83
PID 3596 wrote to memory of 4708	3596	cmd.exe	85
PID 3596 wrote to memory of 4708	3596	cmd.exe	85
PID 3596 wrote to memory of 4708	3596	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
"C:\Users\Admin\AppData\Local\Temp\5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\90284475AC984E97BD0B173A09AE7D5C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3596
- - F:\996m2\5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
    "F:/996m2/5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of SetWindowsHookEx
    PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\90284475AC984E97BD0B173A09AE7D5C.bat

Filesize
81B

MD5
99c2970ef192ba50f2fdf47f22359e45

SHA1
78727fe381015f6b35299131a08b4570990d36af

SHA256
966a7b11c4a16b7f96ce28473a040f9e97e5a16d25a84596c27f7e3df8b8a22d

SHA512
1d3f3cb5ef2bb0e621b06aaed0c3a46eb148af7a88e7552976a5aa36a8b9c7355cb88343f974898a284f95df54d4f28c91121cae584015ed17b61140bb8d0336

Download Submit
C:\Users\Admin\AppData\Local\Temp\¾Å»Ä¹¥ËÙÈýÖ°Òµ.ini

Filesize
75B

MD5
e3febec7c9d89d6c7dca6f55195ed89f

SHA1
f98fb4c0fd3b7c926e1875fda3566388903f4eef

SHA256
d7e3aaf8d14b12596ce20a82487200fd3daa34db92f06c92703600519f02447c

SHA512
2c034ddf1eea4addc7eca9206e176083a363d5cb69ed8acd87f1fc6ba0c6fa7a7e004550dc7257bcb237d78afe8fb672c695a6b073643cc2c4efb9477321f1bf

Download Submit
F:\996m2\5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe

Filesize
11.5MB

MD5
7a5e0b31ca3759ec4964da0baa7a5579

SHA1
706a124458622ff1a47b9878cb08f2ada2ee5442

SHA256
5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2

SHA512
bd2dac6eafaa62f251a6efdc6e28d41385ac344c446d2b511948a9c84fe53866f4408de173bff0ba6877135ab86f8a8d70aa3181d81a8e270f1966d7fadb06d3

Download Submit
F:\996m2\GameClient73293\Game.exe

Filesize
1.2MB

MD5
e7700da3b37e403cc2fee699d085237d

SHA1
f92ce0ece922168f60f2ee55a81c97519d898c32

SHA256
4a6a1deb1c0cd516e18930873af9738e9e31976eafbeb489bf63d8c4156d0090

SHA512
8897c9c627053b43669f626b9b0f4c1659274299b5982328102073c80cae950697dee31d93ba8d92f4ce4a04d09c6ecb4ad18d418c873a9e835a88a443efaead

Download Submit
F:\996m2\GameClient73293\game.dat

Filesize
126B

MD5
d999e2929339add9cebbef295d1bbeb7

SHA1
5c41bee0fdae4f025c2770c8c902148b375208a3

SHA256
237dce3d880566ed658d08372e355ff743bcb6f32aa4b24a2926b062c56c77c0

SHA512
f98fa001c8846bd2029f1254e8108cb79ddcee2556e864dd699a8066f40e809d9f63faac2125fa697057288785ae3eb94cbecb7dab93553ac57deea07c1262ae

Download Submit
F:\996m2\GameClient73293\mod_fgcq.zip

Filesize
593KB

MD5
e8970d69a1ad6ea688a7cde4c50dc10f

SHA1
5659915b98520ff68ce98baa1ba975eaaa14ca28

SHA256
8e31c2875131c9720bf84784b7df609c4a172b12a9b978887a4b6dc58ad53a24

SHA512
49bf5b9d9a0a98ac25dab0f30766229a2f9769b42d548045a8a09419f5d7b214b38636f86760537d0ac9447b3ef8bacb7eaf029cf8307d6f1a96d09d9729f8f2

Download Submit
memory/4296-0-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download
memory/4296-16-0x0000000000400000-0x0000000000F14000-memory.dmp

Filesize
11.1MB

Download
memory/4708-17-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/4708-49-0x0000000000400000-0x0000000000F14000-memory.dmp

Filesize
11.1MB

Download
memory/4708-51-0x0000000000400000-0x0000000000F14000-memory.dmp

Filesize
11.1MB

Download
memory/4708-52-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing