a86edf061b514b22ec2a82f098f714e90ef2d666356b1a98b03d68913c10fdba

General

Target

8806AF5FA34A00C0794A648B59C710C269708E61892E14FA897A102CC56ACE69.exe
Size

25.6MB
MD5

98be153d60aa51f5c8f447f689d74c69
SHA1

946f62d0ff65e3fba5b3e26dbbb5fcc1f62cb016
SHA256

8806af5fa34a00c0794a648b59c710c269708e61892e14fa897a102cc56ace69
SHA512

29f696f7bd27a6832e717b60615169c9846a9a35ace479eabc1c29503c159d3d97302df3ca31e25a436abe0b5eaaf3fa7035deee31bc031bac03bae7da801c32

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

8806AF5FA34A00C0794A648B59C710C269708E61892E14FA897A102CC56ACE69.tmpSetup.exe

pid process

3996 8806AF5FA34A00C0794A648B59C710C269708E61892E14FA897A102CC56ACE69.tmp
1784 Setup.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup.exe

pid process

1784 Setup.exe
1784 Setup.exe
1784 Setup.exe
1784 Setup.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Setup.exe

pid process

1784 Setup.exe
1784 Setup.exe
1784 Setup.exe

pid	process
3996	8806AF5FA34A00C0794A648B59C710C269708E61892E14FA897A102CC56ACE69.tmp
1784	Setup.exe

pid	process
1784	Setup.exe
1784	Setup.exe
1784	Setup.exe
1784	Setup.exe

pid	process
1784	Setup.exe
1784	Setup.exe
1784	Setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

8806AF5FA34A00C0794A648B59C710C269708E61892E14FA897A102CC56ACE69.exe8806AF5FA34A00C0794A648B59C710C269708E61892E14FA897A102CC56ACE69.tmp

description	pid	process	target process
PID 3656 wrote to memory of 3996	3656	8806AF5FA34A00C0794A648B59C710C269708E61892E14FA897A102CC56ACE69.exe	8806AF5FA34A00C0794A648B59C710C269708E61892E14FA897A102CC56ACE69.tmp
PID 3656 wrote to memory of 3996	3656	8806AF5FA34A00C0794A648B59C710C269708E61892E14FA897A102CC56ACE69.exe	8806AF5FA34A00C0794A648B59C710C269708E61892E14FA897A102CC56ACE69.tmp
PID 3656 wrote to memory of 3996	3656	8806AF5FA34A00C0794A648B59C710C269708E61892E14FA897A102CC56ACE69.exe	8806AF5FA34A00C0794A648B59C710C269708E61892E14FA897A102CC56ACE69.tmp
PID 3996 wrote to memory of 1784	3996	8806AF5FA34A00C0794A648B59C710C269708E61892E14FA897A102CC56ACE69.tmp	Setup.exe
PID 3996 wrote to memory of 1784	3996	8806AF5FA34A00C0794A648B59C710C269708E61892E14FA897A102CC56ACE69.tmp	Setup.exe
PID 3996 wrote to memory of 1784	3996	8806AF5FA34A00C0794A648B59C710C269708E61892E14FA897A102CC56ACE69.tmp	Setup.exe

C:\Users\Admin\AppData\Local\Temp\8806AF5FA34A00C0794A648B59C710C269708E61892E14FA897A102CC56ACE69.exe
"C:\Users\Admin\AppData\Local\Temp\8806AF5FA34A00C0794A648B59C710C269708E61892E14FA897A102CC56ACE69.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3656

C:\Users\Admin\AppData\Local\Temp\is-SBMTV.tmp\8806AF5FA34A00C0794A648B59C710C269708E61892E14FA897A102CC56ACE69.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SBMTV.tmp\8806AF5FA34A00C0794A648B59C710C269708E61892E14FA897A102CC56ACE69.tmp" /SL5="$3011A,26250086,139264,C:\Users\Admin\AppData\Local\Temp\8806AF5FA34A00C0794A648B59C710C269708E61892E14FA897A102CC56ACE69.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996

C:\Users\Admin\AppData\Local\Temp\is-T8GVU.tmp\IUInstaller\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-T8GVU.tmp\IUInstaller\Setup.exe" /setup "C:\Users\Admin\AppData\Local\Temp\8806AF5FA34A00C0794A648B59C710C269708E61892E14FA897A102CC56ACE69.exe" "" "/Ver=11.1.0.16"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-SBMTV.tmp\8806AF5FA34A00C0794A648B59C710C269708E61892E14FA897A102CC56ACE69.tmp
MD5
b25f095c085e1bc475a31d5b7e89aa21

SHA1
92e5e17188c4671b714bbb5e8993abe8450673ce

SHA256
32df1f1ecdcfb6c620a1f563235920f026994138dc32c4e2e4a1bf84640ea1f4

SHA512
30389bb0a8ab64bfb6251d225990a1d3c21267f43885479be5bae39e531d2b1ee42b9dfa780e7d95ecf7161e3931bcff337def1f8c3de0dda2794e4de009307b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T8GVU.tmp\IUInstaller\Setup.exe
MD5
3a7cffd1b470049dba90374463a1114b

SHA1
72124c648388ec29c62946f492b6c03a083713d4

SHA256
2dd70f2c6d70456c9022728b36d3c478099b85fe9b6d7aac3deded813214952a

SHA512
a6d81fac75143c29c4cecb8fdd5b647803af33b06a6a1be6678e54626a4f3f3efcad2a1eeecd627932116ea2707bfa3a52a493454a363e40d326958104d27010

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T8GVU.tmp\IUInstaller\Setup.exe
MD5
3a7cffd1b470049dba90374463a1114b

SHA1
72124c648388ec29c62946f492b6c03a083713d4

SHA256
2dd70f2c6d70456c9022728b36d3c478099b85fe9b6d7aac3deded813214952a

SHA512
a6d81fac75143c29c4cecb8fdd5b647803af33b06a6a1be6678e54626a4f3f3efcad2a1eeecd627932116ea2707bfa3a52a493454a363e40d326958104d27010

Download Submit
memory/1784-121-0x0000000000000000-mapping.dmp

Download
memory/1784-124-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/1784-125-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/1784-126-0x00000000043A0000-0x00000000043A1000-memory.dmp

Filesize
4KB

Download
memory/1784-127-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/3656-117-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3996-118-0x0000000000000000-mapping.dmp

Download
memory/3996-120-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing