55897dc537d308842906dbf8bffde6eb846cdd6b5e9584d7efcbe7c342d5e699

General

Target

setup-freeripmp3-frp.exe
Size

2.1MB
MD5

99542d7aa14ae19dcb74ff769b783e19
SHA1

a0067dac46a0594e4f77069970953b024ab97232
SHA256

55897dc537d308842906dbf8bffde6eb846cdd6b5e9584d7efcbe7c342d5e699
SHA512

4019087c7537761b477856241c9206d4dd0da39a2fc4486cec0a9a806c5ebaccdbff889d567f1aed712892d78af71055a689f8e79a515c7f448bbcdff4761488

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

Processes:

setup-freeripmp3-frp.exe

pid	process
1744	setup-freeripmp3-frp.exe
1744	setup-freeripmp3-frp.exe
1744	setup-freeripmp3-frp.exe
1744	setup-freeripmp3-frp.exe
1744	setup-freeripmp3-frp.exe
1744	setup-freeripmp3-frp.exe
1744	setup-freeripmp3-frp.exe
1744	setup-freeripmp3-frp.exe

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1063

Processes:

setup-freeripmp3-frp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	setup-freeripmp3-frp.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	setup-freeripmp3-frp.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	setup-freeripmp3-frp.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	setup-freeripmp3-frp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

setup-freeripmp3-frp.exe

pid process

1744 setup-freeripmp3-frp.exe

C:\Users\Admin\AppData\Local\Temp\setup-freeripmp3-frp.exe
"C:\Users\Admin\AppData\Local\Temp\setup-freeripmp3-frp.exe"
1⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Security Software Discovery

1

T1063

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsn61B.tmp\NSISHelper.dll

MD5
d559c8897877ac738fafd0bd47bbfb50

SHA1
205f755b226917a4d94300dfb46111cdc4f62861

SHA256
bed9c5fb604b6a40ddd4438ac49a4cab9b27d0e2445c011eb429932e7b4d5150

SHA512
ad78bfd1f0715e6b50a372c21b48827a4948378fd9070df7d5178eef4bbed8707daea9614811fd772bcdbb56d239964fab3318c1340bd6d3d5d3026c32053df3

Download Submit
\Users\Admin\AppData\Local\Temp\nsn61B.tmp\NSISHelper.dll

MD5
d559c8897877ac738fafd0bd47bbfb50

SHA1
205f755b226917a4d94300dfb46111cdc4f62861

SHA256
bed9c5fb604b6a40ddd4438ac49a4cab9b27d0e2445c011eb429932e7b4d5150

SHA512
ad78bfd1f0715e6b50a372c21b48827a4948378fd9070df7d5178eef4bbed8707daea9614811fd772bcdbb56d239964fab3318c1340bd6d3d5d3026c32053df3

Download Submit
\Users\Admin\AppData\Local\Temp\nsn61B.tmp\NSISHelper.dll

MD5
d559c8897877ac738fafd0bd47bbfb50

SHA1
205f755b226917a4d94300dfb46111cdc4f62861

SHA256
bed9c5fb604b6a40ddd4438ac49a4cab9b27d0e2445c011eb429932e7b4d5150

SHA512
ad78bfd1f0715e6b50a372c21b48827a4948378fd9070df7d5178eef4bbed8707daea9614811fd772bcdbb56d239964fab3318c1340bd6d3d5d3026c32053df3

Download Submit
\Users\Admin\AppData\Local\Temp\nsn61B.tmp\System.dll

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
\Users\Admin\AppData\Local\Temp\nsn61B.tmp\UserInfo.dll

MD5
dc90f96b169dcc9151ee6e93b47446ea

SHA1
61e57bbe333a98d14f48815db7382ddbf90db642

SHA256
afc939ebfd66a6c972d2d6bbcb978559ab3427d1582935e45392f9912ef186ad

SHA512
11658c2342a2a686a012d81c602cd8e50861506dcee9d38c416bc60451cb1d7fc24e964875b8edfc22c9647f06ffe90088f83a60973eeaffa98538294af1d5ba

Download Submit
\Users\Admin\AppData\Local\Temp\nsn61B.tmp\nsDialogs.dll

MD5
ec9640b70e07141febbe2cd4cc42510f

SHA1
64a5e4b90e5fe62aa40e7ac9e16342ed066f0306

SHA256
c5ba017732597a82f695b084d1aa7fe3b356168cc66105b9392a9c5b06be5188

SHA512
47605b217313c7fe6ce3e9a65da156a2fba8d91e4ed23731d3c5e432dd048ff5c8f9ae8bb85a6a39e1eac4e1b6a22862aa72d3b1b1c8255858997cdd4db5d1fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsn61B.tmp\nsisdl.dll

MD5
ce1ba5758dc41fe686babcb82d27bae0

SHA1
c6f6ac775573fd9600efb4b9b9ab7ec5572967f5

SHA256
ac2062dd8e27f0eb312f0af68d186e9d70ce3002ab5cc8b058403c860c11265c

SHA512
bbbc72f91e6b8e34d79600d6e285b11048cab6f87c18f449868bdd0ed1d7faeeac74be8a805c9d704af870b9220f1da287acd5c65f829993ca721c9f80aea19f

Download Submit
\Users\Admin\AppData\Local\Temp\nsn61B.tmp\nsisdl.dll

MD5
ce1ba5758dc41fe686babcb82d27bae0

SHA1
c6f6ac775573fd9600efb4b9b9ab7ec5572967f5

SHA256
ac2062dd8e27f0eb312f0af68d186e9d70ce3002ab5cc8b058403c860c11265c

SHA512
bbbc72f91e6b8e34d79600d6e285b11048cab6f87c18f449868bdd0ed1d7faeeac74be8a805c9d704af870b9220f1da287acd5c65f829993ca721c9f80aea19f

Download Submit

Analysis

Sharing