946dd2e10e81f049c25cb5e7849b5a2d89f534eac36be1267119ea09f415193f

Analysis

max time kernel
9s
max time network
16s
platform
windows7_x64
resource
win7v20201028
submitted
05-11-2020 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Surge Staffing LLC.bin.exe
Size

10.0MB
MD5

71381062fe8ab532ac9721acd43a4d9a
SHA1

29e1fecf2b3a9cefa568f353b88c70bc2f5524cb
SHA256

714f22cb790097d7445691f1b48c8bb0336f0c3cf1d4a3acda0607caa7097a75
SHA512

9c824200bf0b129470b6f0a0c68004b36e40acbc848d41957ed369869a99614a9eb4eced54eaad31516b985c64f9ec24225e1bbbd32496f1f9d0890dc06c0c2b

Score

8^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

FMAOnsiteSetup.exeirsetup.exe

pid process

1968 FMAOnsiteSetup.exe
1336 irsetup.exe

pid	process
1968	FMAOnsiteSetup.exe
1336	irsetup.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx

Loads dropped DLL 7 IoCs

Processes:

FMAOnsiteSetup.exeirsetup.exe

pid process

1968 FMAOnsiteSetup.exe
1968 FMAOnsiteSetup.exe
1968 FMAOnsiteSetup.exe
1968 FMAOnsiteSetup.exe
1336 irsetup.exe
1336 irsetup.exe
1336 irsetup.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1968	FMAOnsiteSetup.exe
1968	FMAOnsiteSetup.exe
1968	FMAOnsiteSetup.exe
1968	FMAOnsiteSetup.exe
1336	irsetup.exe
1336	irsetup.exe
1336	irsetup.exe

Drops file in Program Files directory 2 IoCs

Processes:

irsetup.exe

description	ioc	process
File created	C:\Program Files (x86)\FMAuditOnsite\Setup Log.txt	irsetup.exe
File opened for modification	C:\Program Files (x86)\FMAuditOnsite\Setup Log.txt	irsetup.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

FMAOnsiteSetup.exe

pid process

1968 FMAOnsiteSetup.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

irsetup.exe

pid process

1336 irsetup.exe
1336 irsetup.exe
1336 irsetup.exe

pid	process
1968	FMAOnsiteSetup.exe

pid	process
1336	irsetup.exe
1336	irsetup.exe
1336	irsetup.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Surge Staffing LLC.bin.execmd.exeFMAOnsiteSetup.exe

description	pid	process	target process
PID 1756 wrote to memory of 1992	1756	Surge Staffing LLC.bin.exe	cmd.exe
PID 1756 wrote to memory of 1992	1756	Surge Staffing LLC.bin.exe	cmd.exe
PID 1756 wrote to memory of 1992	1756	Surge Staffing LLC.bin.exe	cmd.exe
PID 1756 wrote to memory of 1992	1756	Surge Staffing LLC.bin.exe	cmd.exe
PID 1756 wrote to memory of 1992	1756	Surge Staffing LLC.bin.exe	cmd.exe
PID 1992 wrote to memory of 1968	1992	cmd.exe	FMAOnsiteSetup.exe
PID 1992 wrote to memory of 1968	1992	cmd.exe	FMAOnsiteSetup.exe
PID 1992 wrote to memory of 1968	1992	cmd.exe	FMAOnsiteSetup.exe
PID 1992 wrote to memory of 1968	1992	cmd.exe	FMAOnsiteSetup.exe
PID 1992 wrote to memory of 1968	1992	cmd.exe	FMAOnsiteSetup.exe
PID 1992 wrote to memory of 1968	1992	cmd.exe	FMAOnsiteSetup.exe
PID 1992 wrote to memory of 1968	1992	cmd.exe	FMAOnsiteSetup.exe
PID 1968 wrote to memory of 1336	1968	FMAOnsiteSetup.exe	irsetup.exe
PID 1968 wrote to memory of 1336	1968	FMAOnsiteSetup.exe	irsetup.exe
PID 1968 wrote to memory of 1336	1968	FMAOnsiteSetup.exe	irsetup.exe
PID 1968 wrote to memory of 1336	1968	FMAOnsiteSetup.exe	irsetup.exe
PID 1968 wrote to memory of 1336	1968	FMAOnsiteSetup.exe	irsetup.exe
PID 1968 wrote to memory of 1336	1968	FMAOnsiteSetup.exe	irsetup.exe
PID 1968 wrote to memory of 1336	1968	FMAOnsiteSetup.exe	irsetup.exe

C:\Users\Admin\AppData\Local\Temp\Surge Staffing LLC.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Surge Staffing LLC.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FMAudit.Installer_1937799342\install_1937799342.cmd" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\FMAudit.Installer_1937799342\FMAOnsiteSetup.exe
FMAOnsiteSetup.exe /is=OnsiteInitialSettings_1937799342.xml
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" /is=OnsiteInitialSettings_1937799342.xml __IRAOFF:1765890 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\FMAudit.Installer_1937799342\FMAOnsiteSetup.exe" "__IRCT:3" "__IRTSS:10136233" "__IRSID:S-1-5-21-3825035466-2522850611-591511364-1000"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1336

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FMAudit.Installer_1937799342\FMAOnsiteSetup.exe
MD5
2757eabd8b205e5db4e0e273beb4f02d

SHA1
4aef3c62a7407983b6c4a12627225507ac0347a8

SHA256
a3102f9276d73639aa5ec1b5dec49e3cdb6801f8e480a48ba06f8e4f51602e6f

SHA512
b4fb168f55aae0cd0a959cf02e6d7994ba1c4d0cef7ad562fb58f23ea2663805b13540501e6f675c68af241e6d7fff067846b245fdfb95b43b1905b1a2edba1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMAudit.Installer_1937799342\FMAOnsiteSetup.exe
MD5
2757eabd8b205e5db4e0e273beb4f02d

SHA1
4aef3c62a7407983b6c4a12627225507ac0347a8

SHA256
a3102f9276d73639aa5ec1b5dec49e3cdb6801f8e480a48ba06f8e4f51602e6f

SHA512
b4fb168f55aae0cd0a959cf02e6d7994ba1c4d0cef7ad562fb58f23ea2663805b13540501e6f675c68af241e6d7fff067846b245fdfb95b43b1905b1a2edba1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMAudit.Installer_1937799342\OnsiteInitialSettings_1937799342.xml
MD5
59272589898584142855d46e128dd37e

SHA1
eebd03d78a32eadce8b448068ecdbb913baa3d3f

SHA256
395563e2f93499d3e1d68dafbca4ea0354b3fe09a01a6d4bec3c0b1e7f6d5b16

SHA512
06a55f6ca5c85b6697f03e7c003ac0124d74d72871b6a0d32314bd2c6211a28073ab3df7326421dcc275661efd5a8c35b8ba181570fb0c6b8f49d7bc7b9c42b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMAudit.Installer_1937799342\install_1937799342.cmd
MD5
19b300401e3c8695bea0d01027cf8b1f

SHA1
f0b40195fd33b5d0fb83c0e40218369a3cf30320

SHA256
33250fd11aa3585bc3e1e9590e984f4cfc677e62086f3d5561349a9aa680c103

SHA512
438860ab68d280f673fd5c05d62ce50847e60c4bf8c35acc667a3d9157e839648d6b6bad0ba94cc516010a5032f170077d8a87ebe7a1bf5d75b3fbec6242e2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
MD5
1d5608ec4a8253e89f52b343e3a9158d

SHA1
f28ff6fb8797fb6fb8b60bf7f4a699c6c2e74765

SHA256
6690085bcdd9cce7854a9186895848496169a0958e5e452a8deb84bd8d42e17d

SHA512
29e63c3eef3b19515e32ebdff0881705c64720c0f4b5dfbf5eb8cdc43c54fe1076e22dc9f77d463ae15501f3dea599295887988745a7ccb1c9700a062e3ebaba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
MD5
1d5608ec4a8253e89f52b343e3a9158d

SHA1
f28ff6fb8797fb6fb8b60bf7f4a699c6c2e74765

SHA256
6690085bcdd9cce7854a9186895848496169a0958e5e452a8deb84bd8d42e17d

SHA512
29e63c3eef3b19515e32ebdff0881705c64720c0f4b5dfbf5eb8cdc43c54fe1076e22dc9f77d463ae15501f3dea599295887988745a7ccb1c9700a062e3ebaba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
MD5
56e2cb184a24aedb473880462197cac4

SHA1
91aa64464fa96fb5de4c45718ecff507a3ab3fb3

SHA256
1dee56b3376f69bf440ab1ac363bdb5a1b7860620306b48a6632c2c3c9f59d59

SHA512
d51579ce41f128b2fd76fd1a047d7a7824238845a6abe459b55da76b5dde085cdeb9d3ee6408d4eda5579b550db8af05b87644a55cda2f436beb6ef3486debc5

Download Submit
\Users\Admin\AppData\Local\Temp\FMAudit.Installer_1937799342\FMAOnsiteSetup.exe
MD5
2757eabd8b205e5db4e0e273beb4f02d

SHA1
4aef3c62a7407983b6c4a12627225507ac0347a8

SHA256
a3102f9276d73639aa5ec1b5dec49e3cdb6801f8e480a48ba06f8e4f51602e6f

SHA512
b4fb168f55aae0cd0a959cf02e6d7994ba1c4d0cef7ad562fb58f23ea2663805b13540501e6f675c68af241e6d7fff067846b245fdfb95b43b1905b1a2edba1f

Download Submit
\Users\Admin\AppData\Local\Temp\FMAudit.Installer_1937799342\FMAOnsiteSetup.exe
MD5
2757eabd8b205e5db4e0e273beb4f02d

SHA1
4aef3c62a7407983b6c4a12627225507ac0347a8

SHA256
a3102f9276d73639aa5ec1b5dec49e3cdb6801f8e480a48ba06f8e4f51602e6f

SHA512
b4fb168f55aae0cd0a959cf02e6d7994ba1c4d0cef7ad562fb58f23ea2663805b13540501e6f675c68af241e6d7fff067846b245fdfb95b43b1905b1a2edba1f

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
MD5
1d5608ec4a8253e89f52b343e3a9158d

SHA1
f28ff6fb8797fb6fb8b60bf7f4a699c6c2e74765

SHA256
6690085bcdd9cce7854a9186895848496169a0958e5e452a8deb84bd8d42e17d

SHA512
29e63c3eef3b19515e32ebdff0881705c64720c0f4b5dfbf5eb8cdc43c54fe1076e22dc9f77d463ae15501f3dea599295887988745a7ccb1c9700a062e3ebaba

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
MD5
1d5608ec4a8253e89f52b343e3a9158d

SHA1
f28ff6fb8797fb6fb8b60bf7f4a699c6c2e74765

SHA256
6690085bcdd9cce7854a9186895848496169a0958e5e452a8deb84bd8d42e17d

SHA512
29e63c3eef3b19515e32ebdff0881705c64720c0f4b5dfbf5eb8cdc43c54fe1076e22dc9f77d463ae15501f3dea599295887988745a7ccb1c9700a062e3ebaba

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
MD5
1d5608ec4a8253e89f52b343e3a9158d

SHA1
f28ff6fb8797fb6fb8b60bf7f4a699c6c2e74765

SHA256
6690085bcdd9cce7854a9186895848496169a0958e5e452a8deb84bd8d42e17d

SHA512
29e63c3eef3b19515e32ebdff0881705c64720c0f4b5dfbf5eb8cdc43c54fe1076e22dc9f77d463ae15501f3dea599295887988745a7ccb1c9700a062e3ebaba

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
MD5
1d5608ec4a8253e89f52b343e3a9158d

SHA1
f28ff6fb8797fb6fb8b60bf7f4a699c6c2e74765

SHA256
6690085bcdd9cce7854a9186895848496169a0958e5e452a8deb84bd8d42e17d

SHA512
29e63c3eef3b19515e32ebdff0881705c64720c0f4b5dfbf5eb8cdc43c54fe1076e22dc9f77d463ae15501f3dea599295887988745a7ccb1c9700a062e3ebaba

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
MD5
56e2cb184a24aedb473880462197cac4

SHA1
91aa64464fa96fb5de4c45718ecff507a3ab3fb3

SHA256
1dee56b3376f69bf440ab1ac363bdb5a1b7860620306b48a6632c2c3c9f59d59

SHA512
d51579ce41f128b2fd76fd1a047d7a7824238845a6abe459b55da76b5dde085cdeb9d3ee6408d4eda5579b550db8af05b87644a55cda2f436beb6ef3486debc5

Download Submit
memory/1336-13-0x0000000000000000-mapping.dmp

Download
memory/1756-3-0x0000000000DC0000-0x0000000000E25000-memory.dmp

Filesize
404KB

Download
memory/1756-0-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/1756-1-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/1968-7-0x0000000000000000-mapping.dmp

Download
memory/1992-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads