2ce263cd843426febc9df739dab122cbda0d0846884d9f68df683524383ebafd

General

Target

2d5e67a538870c7a1555c1bbbd1ca000N.exe
Size

1.7MB
MD5

2d5e67a538870c7a1555c1bbbd1ca000
SHA1

4a863c367c0f2babd990423bd99f72be7ca8a6b6
SHA256

2ce263cd843426febc9df739dab122cbda0d0846884d9f68df683524383ebafd
SHA512

6f690a42428644adefe6d919138badd87b5e3e912eb7ec163c310acdb998f5f3644e9bab8d4d919bc1b8ed01fa554e98cba92b54a13b9fab3153a24d50304d99
SSDEEP

24576:OXdVtTj2i64T+jdxQCfgOFD3WSwd2QtBBw6xxhVxQtmibjOhZaiRu/4oMaop0UNJ:mbTChxKCnFnQXBbrtgb/iQvu0UHOK

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
700	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2104	WdExt.exe

Loads dropped DLL 4 IoCs

pid	Process
2720	2d5e67a538870c7a1555c1bbbd1ca000N.exe
1164	cmd.exe
1164	cmd.exe
2104	WdExt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2720	2d5e67a538870c7a1555c1bbbd1ca000N.exe
2104	WdExt.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 1164	2720	2d5e67a538870c7a1555c1bbbd1ca000N.exe	30
PID 2720 wrote to memory of 1164	2720	2d5e67a538870c7a1555c1bbbd1ca000N.exe	30
PID 2720 wrote to memory of 1164	2720	2d5e67a538870c7a1555c1bbbd1ca000N.exe	30
PID 2720 wrote to memory of 1164	2720	2d5e67a538870c7a1555c1bbbd1ca000N.exe	30
PID 2720 wrote to memory of 700	2720	2d5e67a538870c7a1555c1bbbd1ca000N.exe	32
PID 2720 wrote to memory of 700	2720	2d5e67a538870c7a1555c1bbbd1ca000N.exe	32
PID 2720 wrote to memory of 700	2720	2d5e67a538870c7a1555c1bbbd1ca000N.exe	32
PID 2720 wrote to memory of 700	2720	2d5e67a538870c7a1555c1bbbd1ca000N.exe	32
PID 1164 wrote to memory of 2104	1164	cmd.exe	34
PID 1164 wrote to memory of 2104	1164	cmd.exe	34
PID 1164 wrote to memory of 2104	1164	cmd.exe	34
PID 1164 wrote to memory of 2104	1164	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\2d5e67a538870c7a1555c1bbbd1ca000N.exe
"C:\Users\Admin\AppData\Local\Temp\2d5e67a538870c7a1555c1bbbd1ca000N.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
  2⤵
  - Deletes itself
  PID:700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp753F.tmp

Filesize
1.0MB

MD5
df2c63605573c2398d796370c11cb26c

SHA1
efba97e2184ba3941edb008fcc61d8873b2b1653

SHA256
07ffcde2097d0af67464907fec6a4079b92da11583013bae7d3313fa32312fe8

SHA512
d9726e33fcfa96415cc906bdb1b0e53eba674eaf30ed77d41d245c1c59aa53e222246f691d82fa3a45f049fbf23d441768f9da21370e489232770ad5ae91d32f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

Filesize
1.7MB

MD5
2d5e67a538870c7a1555c1bbbd1ca000

SHA1
4a863c367c0f2babd990423bd99f72be7ca8a6b6

SHA256
2ce263cd843426febc9df739dab122cbda0d0846884d9f68df683524383ebafd

SHA512
6f690a42428644adefe6d919138badd87b5e3e912eb7ec163c310acdb998f5f3644e9bab8d4d919bc1b8ed01fa554e98cba92b54a13b9fab3153a24d50304d99

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
129B

MD5
d1073c9b34d1bbd570928734aacff6a5

SHA1
78714e24e88d50e0da8da9d303bec65b2ee6d903

SHA256
b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020

SHA512
4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
240B

MD5
a498e64a26b1155d928b395baa4f4c0a

SHA1
79920dbb7411c94e0e3bf0c8328286fd1a5d433b

SHA256
d814096abb7c200e382aabff2f1e061e4a6fefa8cc2b11141e31ddf3a481c01b

SHA512
b3b6d0bc3758563c3cf5f0179c12aa94745846010710b34888642b9f9c75c7153eb29647a6d9de839d470959be058a203c468877a5334754961d6a74d540a955

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

Filesize
1.7MB

MD5
859a210d2d478c457d7f3e0bd934b251

SHA1
770042c3b32bdef5cd829a6c1c7cdcc43af24b7c

SHA256
66faff871284e6338f64b85b2728fecd52dbdc53e5e2fae171d6a53aa76f54a2

SHA512
4202d05a07119f17edaa7c8ec8ccaf32c58451dd3667ee8e2e89e95cdd535033f2912b1ae655f86094f9ff12df738364625ff792eb1a43fb722489f3776ddc02

Download Submit
\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
202KB

MD5
7ff15a4f092cd4a96055ba69f903e3e9

SHA1
a3d338a38c2b92f95129814973f59446668402a8

SHA256
1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627

SHA512
4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae

Download Submit
memory/2720-0-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing