a7a0c537858e5cb89052d554b03682bbf3982bb49e92ce2ac8ce06448990c899

General

Target

a7a0c537858e5cb89052d554b03682bbf3982bb49e92ce2ac8ce06448990c899.exe
Size

15.4MB
MD5

776d151df59df7a7d0ed00b0a7dafb05
SHA1

e465ba8a5c73f646375e88d255d66db5f7b3d84b
SHA256

a7a0c537858e5cb89052d554b03682bbf3982bb49e92ce2ac8ce06448990c899
SHA512

94eacabe3a42bcc45c28e6bc1ce35e0b5a6e32e2f24c9ed39b75a9737ee87eae74c19111c86cfcd3e48a6b7dab6797f8f703d8aaf0780e94e7650c2d752219c7
SSDEEP

393216:Ga3YWs8A1eHuNPWWXNJNg4m4ld6bS82KlGMJmAeqn:oKuNPnXDPkG8xl7EOn

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1476	cmd.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2644-36-0x000000013F890000-0x00000001415BA000-memory.dmp	vmprotect
behavioral1/memory/2644-39-0x000000013F890000-0x00000001415BA000-memory.dmp	vmprotect
behavioral1/memory/2644-96-0x000000013F890000-0x00000001415BA000-memory.dmp	vmprotect

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2644 set thread context of 2676	2644	a7a0c537858e5cb89052d554b03682bbf3982bb49e92ce2ac8ce06448990c899.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2676	PATHPING.exe
1476	cmd.exe
1860	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1860	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2644	a7a0c537858e5cb89052d554b03682bbf3982bb49e92ce2ac8ce06448990c899.exe
2644	a7a0c537858e5cb89052d554b03682bbf3982bb49e92ce2ac8ce06448990c899.exe
2676	PATHPING.exe
2676	PATHPING.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	a7a0c537858e5cb89052d554b03682bbf3982bb49e92ce2ac8ce06448990c899.exe
Token: SeDebugPrivilege	2676	PATHPING.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2676	2644	a7a0c537858e5cb89052d554b03682bbf3982bb49e92ce2ac8ce06448990c899.exe	31
PID 2644 wrote to memory of 2676	2644	a7a0c537858e5cb89052d554b03682bbf3982bb49e92ce2ac8ce06448990c899.exe	31
PID 2644 wrote to memory of 2676	2644	a7a0c537858e5cb89052d554b03682bbf3982bb49e92ce2ac8ce06448990c899.exe	31
PID 2644 wrote to memory of 2676	2644	a7a0c537858e5cb89052d554b03682bbf3982bb49e92ce2ac8ce06448990c899.exe	31
PID 2644 wrote to memory of 2676	2644	a7a0c537858e5cb89052d554b03682bbf3982bb49e92ce2ac8ce06448990c899.exe	31
PID 2644 wrote to memory of 2676	2644	a7a0c537858e5cb89052d554b03682bbf3982bb49e92ce2ac8ce06448990c899.exe	31
PID 2644 wrote to memory of 2676	2644	a7a0c537858e5cb89052d554b03682bbf3982bb49e92ce2ac8ce06448990c899.exe	31
PID 2644 wrote to memory of 2676	2644	a7a0c537858e5cb89052d554b03682bbf3982bb49e92ce2ac8ce06448990c899.exe	31
PID 2644 wrote to memory of 2676	2644	a7a0c537858e5cb89052d554b03682bbf3982bb49e92ce2ac8ce06448990c899.exe	31
PID 2644 wrote to memory of 1476	2644	a7a0c537858e5cb89052d554b03682bbf3982bb49e92ce2ac8ce06448990c899.exe	33
PID 2644 wrote to memory of 1476	2644	a7a0c537858e5cb89052d554b03682bbf3982bb49e92ce2ac8ce06448990c899.exe	33
PID 2644 wrote to memory of 1476	2644	a7a0c537858e5cb89052d554b03682bbf3982bb49e92ce2ac8ce06448990c899.exe	33
PID 2676 wrote to memory of 2068	2676	PATHPING.exe	34
PID 2676 wrote to memory of 2068	2676	PATHPING.exe	34
PID 2676 wrote to memory of 2068	2676	PATHPING.exe	34
PID 1476 wrote to memory of 1860	1476	cmd.exe	36
PID 1476 wrote to memory of 1860	1476	cmd.exe	36
PID 1476 wrote to memory of 1860	1476	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\a7a0c537858e5cb89052d554b03682bbf3982bb49e92ce2ac8ce06448990c899.exe
"C:\Users\Admin\AppData\Local\Temp\a7a0c537858e5cb89052d554b03682bbf3982bb49e92ce2ac8ce06448990c899.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\System32\PATHPING.exe
  "C:\Windows\System32\PATHPING.exe" panel.owswan.co -p 6553599660000 -w 6553599660000 -q 100 -h 200
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2676 -s 228
    3⤵
    PID:2068
- C:\Windows\system32\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\a7a0c537858e5cb89052d554b03682bbf3982bb49e92ce2ac8ce06448990c899.exe"
  2⤵
  - Deletes itself
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2644-31-0x0000000077C40000-0x0000000077C42000-memory.dmp

Filesize
8KB

Download
memory/2644-5-0x0000000077C10000-0x0000000077C12000-memory.dmp

Filesize
8KB

Download
memory/2644-20-0x0000000077C30000-0x0000000077C32000-memory.dmp

Filesize
8KB

Download
memory/2644-25-0x000007FEFDB20000-0x000007FEFDB22000-memory.dmp

Filesize
8KB

Download
memory/2644-16-0x0000000077C30000-0x0000000077C32000-memory.dmp

Filesize
8KB

Download
memory/2644-15-0x000000013F8BC000-0x0000000140648000-memory.dmp

Filesize
13.5MB

Download
memory/2644-14-0x0000000077C20000-0x0000000077C22000-memory.dmp

Filesize
8KB

Download
memory/2644-12-0x0000000077C20000-0x0000000077C22000-memory.dmp

Filesize
8KB

Download
memory/2644-10-0x0000000077C20000-0x0000000077C22000-memory.dmp

Filesize
8KB

Download
memory/2644-9-0x0000000077C10000-0x0000000077C12000-memory.dmp

Filesize
8KB

Download
memory/2644-7-0x0000000077C10000-0x0000000077C12000-memory.dmp

Filesize
8KB

Download
memory/2644-96-0x000000013F890000-0x00000001415BA000-memory.dmp

Filesize
29.2MB

Download
memory/2644-4-0x0000000077C00000-0x0000000077C02000-memory.dmp

Filesize
8KB

Download
memory/2644-2-0x0000000077C00000-0x0000000077C02000-memory.dmp

Filesize
8KB

Download
memory/2644-0-0x0000000077C00000-0x0000000077C02000-memory.dmp

Filesize
8KB

Download
memory/2644-28-0x000007FEFDB30000-0x000007FEFDB32000-memory.dmp

Filesize
8KB

Download
memory/2644-30-0x000007FEFDB30000-0x000007FEFDB32000-memory.dmp

Filesize
8KB

Download
memory/2644-33-0x0000000077C40000-0x0000000077C42000-memory.dmp

Filesize
8KB

Download
memory/2644-18-0x0000000077C30000-0x0000000077C32000-memory.dmp

Filesize
8KB

Download
memory/2644-23-0x000007FEFDB20000-0x000007FEFDB22000-memory.dmp

Filesize
8KB

Download
memory/2644-39-0x000000013F890000-0x00000001415BA000-memory.dmp

Filesize
29.2MB

Download
memory/2644-36-0x000000013F890000-0x00000001415BA000-memory.dmp

Filesize
29.2MB

Download
memory/2644-35-0x0000000077C40000-0x0000000077C42000-memory.dmp

Filesize
8KB

Download
memory/2644-95-0x000000013F8BC000-0x0000000140648000-memory.dmp

Filesize
13.5MB

Download
memory/2676-97-0x00000000001F0000-0x0000000001489000-memory.dmp

Filesize
18.6MB

Download
memory/2676-49-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2676-58-0x00000000001F0000-0x0000000001489000-memory.dmp

Filesize
18.6MB

Download
memory/2676-55-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2676-48-0x00000000001F0000-0x0000000001489000-memory.dmp

Filesize
18.6MB

Download
memory/2676-66-0x0000000077C20000-0x0000000077C22000-memory.dmp

Filesize
8KB

Download
memory/2676-64-0x0000000077C20000-0x0000000077C22000-memory.dmp

Filesize
8KB

Download
memory/2676-63-0x0000000077C00000-0x0000000077C02000-memory.dmp

Filesize
8KB

Download
memory/2676-47-0x00000000001F0000-0x0000000001489000-memory.dmp

Filesize
18.6MB

Download
memory/2676-43-0x00000000001F0000-0x0000000001489000-memory.dmp

Filesize
18.6MB

Download
memory/2676-94-0x0000000000348000-0x0000000000AF6000-memory.dmp

Filesize
7.7MB

Download
memory/2676-40-0x00000000001F0000-0x0000000001489000-memory.dmp

Filesize
18.6MB

Download
memory/2676-98-0x0000000000348000-0x0000000000AF6000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing