Analysis
- max time kernel: 17s
- max time network: 72s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 05-11-2020 04:07

Static task: static1
Behavioral task: behavioral1
Sample: Surge Staffing LLC.bin.exe
Resource: win7v20201028
General
- Target: Surge Staffing LLC.bin.exe
- Size: 10.0MB
- MD5: 71381062fe8ab532ac9721acd43a4d9a
- SHA1: 29e1fecf2b3a9cefa568f353b88c70bc2f5524cb
- SHA256: 714f22cb790097d7445691f1b48c8bb0336f0c3cf1d4a3acda0607caa7097a75
- SHA512: 9c824200bf0b129470b6f0a0c68004b36e40acbc848d41957ed369869a99614a9eb4eced54eaad31516b985c64f9ec24225e1bbbd32496f1f9d0890dc06c0c2b
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    2888  FMAOnsiteSetup.exe
    4016  irsetup.exe
- Processes:
    resource                                                      yara_rule
    C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe   upx
    C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe   upx
- Loads dropped DLL (1 IoCs)
  Processes:
    pid   process
    4016  irsetup.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (2 IoCs)
  Processes:
    description                   ioc                                                  process
    File created                  C:\Program Files (x86)\FMAuditOnsite\Setup Log.txt  irsetup.exe
    File opened for modification  C:\Program Files (x86)\FMAuditOnsite\Setup Log.txt  irsetup.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    pid   process
    4016  irsetup.exe
    4016  irsetup.exe
    4016  irsetup.exe
    4016  irsetup.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                       pid   process                     target process
    PID 640 wrote to memory of 3372   640   Surge Staffing LLC.bin.exe  cmd.exe
    PID 640 wrote to memory of 3372   640   Surge Staffing LLC.bin.exe  cmd.exe
    PID 3372 wrote to memory of 2888  3372  cmd.exe                     FMAOnsiteSetup.exe
    PID 3372 wrote to memory of 2888  3372  cmd.exe                     FMAOnsiteSetup.exe
    PID 3372 wrote to memory of 2888  3372  cmd.exe                     FMAOnsiteSetup.exe
    PID 2888 wrote to memory of 4016  2888  FMAOnsiteSetup.exe          irsetup.exe
    PID 2888 wrote to memory of 4016  2888  FMAOnsiteSetup.exe          irsetup.exe
    PID 2888 wrote to memory of 4016  2888  FMAOnsiteSetup.exe          irsetup.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Surge Staffing LLC.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Surge Staffing LLC.bin.exe"
  PID: 640
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child:
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMAudit.Installer_1937799342\install_1937799342.cmd" "
    PID: 3372
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child:
    - C:\Users\Admin\AppData\Local\Temp\FMAudit.Installer_1937799342\FMAOnsiteSetup.exe
      Command line: FMAOnsiteSetup.exe /is=OnsiteInitialSettings_1937799342.xml
      PID: 2888
      Signatures:
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      Child:
      - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" /is=OnsiteInitialSettings_1937799342.xml __IRAOFF:1765890 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\FMAudit.Installer_1937799342\FMAOnsiteSetup.exe" "__IRCT:3" "__IRTSS:10136233" "__IRSID:S-1-5-21-1985363256-3005190890-1182679451-1000"
        PID: 4016
        Signatures:
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\FMAudit.Installer_1937799342\FMAOnsiteSetup.exe
  MD5: 2757eabd8b205e5db4e0e273beb4f02d
  SHA1: 4aef3c62a7407983b6c4a12627225507ac0347a8
  SHA256: a3102f9276d73639aa5ec1b5dec49e3cdb6801f8e480a48ba06f8e4f51602e6f
  SHA512: b4fb168f55aae0cd0a959cf02e6d7994ba1c4d0cef7ad562fb58f23ea2663805b13540501e6f675c68af241e6d7fff067846b245fdfb95b43b1905b1a2edba1f
- C:\Users\Admin\AppData\Local\Temp\FMAudit.Installer_1937799342\OnsiteInitialSettings_1937799342.xml
  MD5: 59272589898584142855d46e128dd37e
  SHA1: eebd03d78a32eadce8b448068ecdbb913baa3d3f
  SHA256: 395563e2f93499d3e1d68dafbca4ea0354b3fe09a01a6d4bec3c0b1e7f6d5b16
  SHA512: 06a55f6ca5c85b6697f03e7c003ac0124d74d72871b6a0d32314bd2c6211a28073ab3df7326421dcc275661efd5a8c35b8ba181570fb0c6b8f49d7bc7b9c42b9
- C:\Users\Admin\AppData\Local\Temp\FMAudit.Installer_1937799342\install_1937799342.cmd
  MD5: 19b300401e3c8695bea0d01027cf8b1f
  SHA1: f0b40195fd33b5d0fb83c0e40218369a3cf30320
  SHA256: 33250fd11aa3585bc3e1e9590e984f4cfc677e62086f3d5561349a9aa680c103
  SHA512: 438860ab68d280f673fd5c05d62ce50847e60c4bf8c35acc667a3d9157e839648d6b6bad0ba94cc516010a5032f170077d8a87ebe7a1bf5d75b3fbec6242e2d9
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  MD5: 1d5608ec4a8253e89f52b343e3a9158d
  SHA1: f28ff6fb8797fb6fb8b60bf7f4a699c6c2e74765
  SHA256: 6690085bcdd9cce7854a9186895848496169a0958e5e452a8deb84bd8d42e17d
  SHA512: 29e63c3eef3b19515e32ebdff0881705c64720c0f4b5dfbf5eb8cdc43c54fe1076e22dc9f77d463ae15501f3dea599295887988745a7ccb1c9700a062e3ebaba
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
  MD5: 56e2cb184a24aedb473880462197cac4
  SHA1: 91aa64464fa96fb5de4c45718ecff507a3ab3fb3
  SHA256: 1dee56b3376f69bf440ab1ac363bdb5a1b7860620306b48a6632c2c3c9f59d59
  SHA512: d51579ce41f128b2fd76fd1a047d7a7824238845a6abe459b55da76b5dde085cdeb9d3ee6408d4eda5579b550db8af05b87644a55cda2f436beb6ef3486debc5
- \Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
  MD5: 56e2cb184a24aedb473880462197cac4
  SHA1: 91aa64464fa96fb5de4c45718ecff507a3ab3fb3
  SHA256: 1dee56b3376f69bf440ab1ac363bdb5a1b7860620306b48a6632c2c3c9f59d59
  SHA512: d51579ce41f128b2fd76fd1a047d7a7824238845a6abe459b55da76b5dde085cdeb9d3ee6408d4eda5579b550db8af05b87644a55cda2f436beb6ef3486debc5
- memory/640-3-0x000000001B590000-0x000000001B5F5000-memory.dmp
  Filesize: 404KB
- memory/640-0-0x00007FF9EA100000-0x00007FF9EAAEC000-memory.dmp
  Filesize: 9.9MB
- memory/640-1-0x0000000000A60000-0x0000000000A61000-memory.dmp
  Filesize: 4KB
- memory/2888-6-0x0000000000000000-mapping.dmp
- memory/3372-4-0x0000000000000000-mapping.dmp
- memory/4016-9-0x0000000000000000-mapping.dmp
- memory/4016-12-0x00000000745E0000-0x0000000074673000-memory.dmp
  Filesize: 588KB