e64b88e64954b01b43964a3913adab7f0b6e1605492da920e1ad300a7158c423

General

Target

Ez Dork Gen DELUXE.exe
Size

1.2MB
MD5

89fffdc32e34b6239d4dcc7ddd8f8fc2
SHA1

a33a1787b8a8768c421ba454b266925128f37818
SHA256

e64b88e64954b01b43964a3913adab7f0b6e1605492da920e1ad300a7158c423
SHA512

ed7fd226cd2e0eabcbc16408d996a84e16d8ed03f97833c56c9939db2512e115806e8027dfd67323b72af3b9058a08c9efee3f9f3b44cc888c348e379c00e40c

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

TempSetup.exe~Ez_Dork_Gen_DELUXE.exeSetup.exe

pid process

2004 TempSetup.exe
2032 ~Ez_Dork_Gen_DELUXE.exe
1980 Setup.exe
Loads dropped DLL 1 IoCs

Processes:

TempSetup.exe

pid process

2004 TempSetup.exe

pid	process
2004	TempSetup.exe
2032	~Ez_Dork_Gen_DELUXE.exe
1980	Setup.exe

pid	process
2004	TempSetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Setup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Intel(R) Common Networking System = "C:\\Users\\Admin\\AppData\\Roaming\\Intel Corporation\\Intel(R) Common User Interface\\8.1.1.7900\\svchost.exe"	Setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Ez Dork Gen DELUXE.exeTempSetup.exeSetup.exe

description	pid	process	target process
PID 684 wrote to memory of 2004	684	Ez Dork Gen DELUXE.exe	TempSetup.exe
PID 684 wrote to memory of 2004	684	Ez Dork Gen DELUXE.exe	TempSetup.exe
PID 684 wrote to memory of 2004	684	Ez Dork Gen DELUXE.exe	TempSetup.exe
PID 684 wrote to memory of 2004	684	Ez Dork Gen DELUXE.exe	TempSetup.exe
PID 684 wrote to memory of 2004	684	Ez Dork Gen DELUXE.exe	TempSetup.exe
PID 684 wrote to memory of 2004	684	Ez Dork Gen DELUXE.exe	TempSetup.exe
PID 684 wrote to memory of 2004	684	Ez Dork Gen DELUXE.exe	TempSetup.exe
PID 684 wrote to memory of 2032	684	Ez Dork Gen DELUXE.exe	~Ez_Dork_Gen_DELUXE.exe
PID 684 wrote to memory of 2032	684	Ez Dork Gen DELUXE.exe	~Ez_Dork_Gen_DELUXE.exe
PID 684 wrote to memory of 2032	684	Ez Dork Gen DELUXE.exe	~Ez_Dork_Gen_DELUXE.exe
PID 2004 wrote to memory of 1980	2004	TempSetup.exe	Setup.exe
PID 2004 wrote to memory of 1980	2004	TempSetup.exe	Setup.exe
PID 2004 wrote to memory of 1980	2004	TempSetup.exe	Setup.exe
PID 2004 wrote to memory of 1980	2004	TempSetup.exe	Setup.exe
PID 1980 wrote to memory of 1352	1980	Setup.exe	svchost.exe
PID 1980 wrote to memory of 1352	1980	Setup.exe	svchost.exe
PID 1980 wrote to memory of 1352	1980	Setup.exe	svchost.exe
PID 1980 wrote to memory of 1352	1980	Setup.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\Ez Dork Gen DELUXE.exe
"C:\Users\Admin\AppData\Local\Temp\Ez Dork Gen DELUXE.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Users\Admin\AppData\Local\TempSetup.exe
"C:\Users\Admin\AppData\Local\TempSetup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\Setup.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\Setup.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\svchost.exe
"C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\svchost.exe"
4⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\~Ez_Dork_Gen_DELUXE.exe
"C:\Users\Admin\AppData\Local\Temp\~Ez_Dork_Gen_DELUXE.exe"
2⤵
- Executes dropped EXE
PID:2032

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempSetup.exe
MD5
8cda5c66b6f92209c94ae927be3d895f

SHA1
beb062bbdaeb180c8438f0762eddfeb59609fc02

SHA256
71520637e17ca9034beec82a6c5fe21a0907e2fa8cdb376213e80535f41de6e4

SHA512
c1b71e46c5a52c037a055aa7de1d16e6542e86d75751d2e26fc248875086745934493aa7a06c6faeed378006f5db13e62377ff6dfa85e9d1e215f5a6ab600436

Download Submit
C:\Users\Admin\AppData\Local\TempSetup.exe
MD5
8cda5c66b6f92209c94ae927be3d895f

SHA1
beb062bbdaeb180c8438f0762eddfeb59609fc02

SHA256
71520637e17ca9034beec82a6c5fe21a0907e2fa8cdb376213e80535f41de6e4

SHA512
c1b71e46c5a52c037a055aa7de1d16e6542e86d75751d2e26fc248875086745934493aa7a06c6faeed378006f5db13e62377ff6dfa85e9d1e215f5a6ab600436

Download Submit
C:\Users\Admin\AppData\Local\Temp\~Ez_Dork_Gen_DELUXE.exe
MD5
804cc6ded884925885f409a88e7244d0

SHA1
ff29d809529b139c142fff0bc52c42bac4929e72

SHA256
a60187fe7b2c794a2bc26d6eb86c4f292d2ed4c09871e14f661d8853eaa19ac4

SHA512
f394e50fded112f90b8d771acd0d7cb8e82a2dc40fff1f6745cda00d955147830d2fb2de23e4dd131875ca7a7c0284779d8c2925f29ebab3c3eb1a49d5c57953

Download Submit
C:\Users\Admin\AppData\Local\Temp\~Ez_Dork_Gen_DELUXE.exe
MD5
804cc6ded884925885f409a88e7244d0

SHA1
ff29d809529b139c142fff0bc52c42bac4929e72

SHA256
a60187fe7b2c794a2bc26d6eb86c4f292d2ed4c09871e14f661d8853eaa19ac4

SHA512
f394e50fded112f90b8d771acd0d7cb8e82a2dc40fff1f6745cda00d955147830d2fb2de23e4dd131875ca7a7c0284779d8c2925f29ebab3c3eb1a49d5c57953

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\Setup.exe
MD5
f64b69094e9cc63e63acec2be76bee4a

SHA1
186733004af7ce6770883c9f8a1d658cdff67804

SHA256
9c7ddac49954d267fe6ab5653bc1020c1058c216b6bcab6b6298333c8940988c

SHA512
2872845d0a6a13895daac078b6f76413fd1f3ce68cade3de7d04d89168136153df28cc75bdea147d8f6cb29ecf82d255fd3f13cab14fb821a0b5549128660922

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\Setup.exe
MD5
f64b69094e9cc63e63acec2be76bee4a

SHA1
186733004af7ce6770883c9f8a1d658cdff67804

SHA256
9c7ddac49954d267fe6ab5653bc1020c1058c216b6bcab6b6298333c8940988c

SHA512
2872845d0a6a13895daac078b6f76413fd1f3ce68cade3de7d04d89168136153df28cc75bdea147d8f6cb29ecf82d255fd3f13cab14fb821a0b5549128660922

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\Setup.exe
MD5
f64b69094e9cc63e63acec2be76bee4a

SHA1
186733004af7ce6770883c9f8a1d658cdff67804

SHA256
9c7ddac49954d267fe6ab5653bc1020c1058c216b6bcab6b6298333c8940988c

SHA512
2872845d0a6a13895daac078b6f76413fd1f3ce68cade3de7d04d89168136153df28cc75bdea147d8f6cb29ecf82d255fd3f13cab14fb821a0b5549128660922

Download Submit
memory/684-1-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

Filesize
9.6MB

Download
memory/684-0-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

Filesize
9.6MB

Download
memory/1352-16-0x0000000000000000-mapping.dmp

Download
memory/1980-11-0x0000000000000000-mapping.dmp

Download
memory/1980-14-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

Filesize
9.6MB

Download
memory/1980-15-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

Filesize
9.6MB

Download
memory/2004-2-0x0000000000000000-mapping.dmp

Download
memory/2032-4-0x0000000000000000-mapping.dmp

Download
memory/2032-7-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

Filesize
9.6MB

Download
memory/2032-9-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing