fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e

General

Target

fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.exe
Size

1.4MB
MD5

dced196a0e7c959dfcd2a43b9790d564
SHA1

1a2a9ae4a3293276fa7e21f6c1d2ae0288dec6ae
SHA256

fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e
SHA512

895ad9c75b21ff223d802992c11acfc3948cc84f097adc6eea7439c7ec5b68b392adc7eaa5ee397144e507666e3bdfbbeffaa0f875f40fe7b35947931009f584

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmpvlsongs.exe

pid process

4092 fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
508 vlsongs.exe
Loads dropped DLL 1 IoCs

Processes:

fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp

pid process

4092 fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 36 IoCs

Processes:

fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\Yandex.Metrica.dll	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File opened for modification	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\System.Net.Http.Primitives.dll	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File created	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\is-TIGMC.tmp	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File opened for modification	C:\Program Files (x86)\vmSongs\5.0.0.2\vlsongs.exe	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File opened for modification	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\GalaSoft.MvvmLight.dll	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File created	C:\Program Files (x86)\vmSongs\5.0.0.2\is-8IHN8.tmp	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File created	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\is-QK8HQ.tmp	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File created	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\is-GCE8I.tmp	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File created	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\is-PUK58.tmp	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File opened for modification	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\Newtonsoft.Json.dll	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File created	C:\Program Files (x86)\vmSongs\5.0.0.2\is-632L5.tmp	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File opened for modification	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\PortableRest.dll	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File opened for modification	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\System.Net.Http.Extensions.dll	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File created	C:\Program Files (x86)\vmSongs\5.0.0.2\is-1G3VV.tmp	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File created	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\is-KPLJP.tmp	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File created	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\is-9HDDU.tmp	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File created	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\is-3EHSA.tmp	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File opened for modification	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\MahApps.Metro.dll	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File opened for modification	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\System.Windows.Interactivity.dll	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File created	C:\Program Files (x86)\vmSongs\5.0.0.2\unins000.dat	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File created	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\is-5N492.tmp	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File created	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\is-6KDM7.tmp	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File created	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\is-3EDTQ.tmp	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File opened for modification	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\GalaSoft.MvvmLight.Platform.dll	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File opened for modification	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\Xbox.Music.dll	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File created	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\is-UE1HS.tmp	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File opened for modification	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\Microsoft.Threading.Tasks.Extensions.dll	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File opened for modification	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\Zlib.Portable.dll	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File created	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\is-IBHUH.tmp	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File opened for modification	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\GalaSoft.MvvmLight.Extras.dll	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File opened for modification	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\Microsoft.Threading.Tasks.dll	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File created	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\is-EBJPV.tmp	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File created	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\is-1OH70.tmp	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File opened for modification	C:\Program Files (x86)\vmSongs\5.0.0.2\unins000.dat	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File opened for modification	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\Microsoft.Practices.ServiceLocation.dll	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
File created	C:\Program Files (x86)\vmSongs\5.0.0.2\libraries\is-GL1BJ.tmp	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp

pid	process
4092	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
4092	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp

pid process

4092 fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.exefd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp

description	pid	process	target process
PID 728 wrote to memory of 4092	728	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.exe	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
PID 728 wrote to memory of 4092	728	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.exe	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
PID 728 wrote to memory of 4092	728	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.exe	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
PID 4092 wrote to memory of 508	4092	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp	vlsongs.exe
PID 4092 wrote to memory of 508	4092	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp	vlsongs.exe
PID 4092 wrote to memory of 508	4092	fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp	vlsongs.exe

C:\Users\Admin\AppData\Local\Temp\fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.exe
"C:\Users\Admin\AppData\Local\Temp\fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:728

C:\Users\Admin\AppData\Local\Temp\is-UG5TQ.tmp\fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UG5TQ.tmp\fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp" /SL5="$2010E,1267582,56320,C:\Users\Admin\AppData\Local\Temp\fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4092

C:\Program Files (x86)\vmSongs\5.0.0.2\vlsongs.exe
"C:\Program Files (x86)\vmSongs\5.0.0.2\vlsongs.exe"
3⤵
- Executes dropped EXE
PID:508

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\vmSongs\5.0.0.2\vlsongs.exe
MD5
22fc29c786ac565d520c36bc41a98294

SHA1
cb85d118eda159da8982f556df3a55b0c9732cce

SHA256
588b6d0666bcd5ec353297230a24fbdf5c37fd8505e50339d0c8fec4bf8c28b9

SHA512
df6f2d9eff7142ceadf620395e9f3d79e9ab37c91c3f6ebbae753d75a1963f8bace8df44b4e206c97b7873cdf8d5797d0c82e9abaf83f7e473af514acac1b09f

Download Submit
C:\Program Files (x86)\vmSongs\5.0.0.2\vlsongs.exe
MD5
22fc29c786ac565d520c36bc41a98294

SHA1
cb85d118eda159da8982f556df3a55b0c9732cce

SHA256
588b6d0666bcd5ec353297230a24fbdf5c37fd8505e50339d0c8fec4bf8c28b9

SHA512
df6f2d9eff7142ceadf620395e9f3d79e9ab37c91c3f6ebbae753d75a1963f8bace8df44b4e206c97b7873cdf8d5797d0c82e9abaf83f7e473af514acac1b09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UG5TQ.tmp\fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
MD5
59ab2369451dd76b21f6689021538902

SHA1
4682a9adebc54745f371476216ed9f41e27d373b

SHA256
06d6198366f36d347188e968eeb31d0b0c171c913422d7ded9bb0b14ae3c073c

SHA512
feb53f203f988ca517ad438d086c8ce236bb33dfa005d2558c5ca2f9647849261497762f4bc3eb8a73ede38d3bc4c2c5efeaad03fe810137778e9fe0c88a8a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UG5TQ.tmp\fd5f96d463acd6c0db1f3b3de2fd4bb00c823e25a45de3284cd7ed5a97f4cf2e.tmp
MD5
59ab2369451dd76b21f6689021538902

SHA1
4682a9adebc54745f371476216ed9f41e27d373b

SHA256
06d6198366f36d347188e968eeb31d0b0c171c913422d7ded9bb0b14ae3c073c

SHA512
feb53f203f988ca517ad438d086c8ce236bb33dfa005d2558c5ca2f9647849261497762f4bc3eb8a73ede38d3bc4c2c5efeaad03fe810137778e9fe0c88a8a0b

Download Submit
\Users\Admin\AppData\Local\Temp\is-CCVPE.tmp\_isetup\_iscrypt.dll
MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/508-4-0x0000000000000000-mapping.dmp

Download
memory/4092-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads