8dbbe3e8657d87e842026b7051a7b0680d3838749773997df91f123034a7566d

General

Target

run_848a9.exe
Size

1.7MB
MD5

67c86865ba800ab9f761356d4cc5c08c
SHA1

1f3dcc460c3fb02704e69cd8509445a92ac3600d
SHA256

8dbbe3e8657d87e842026b7051a7b0680d3838749773997df91f123034a7566d
SHA512

328c47921cfa939403736e63d0a5f5659dce3a916a44e6d0b0434ae4672bf96530a86cb19c2709a67914381fd8fc1c40b6e12209a35735743a8988a6166b50ff

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

run_848a9.tmpsetup.exesetup.tmp

pid process

1320 run_848a9.tmp
2440 setup.exe
2860 setup.tmp
Loads dropped DLL 1 IoCs

Processes:

setup.tmp

pid process

2860 setup.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1320	run_848a9.tmp
2440	setup.exe
2860	setup.tmp

pid	process
2860	setup.tmp

Drops file in Program Files directory 3 IoCs

Processes:

run_848a9.tmp

description	ioc	process
File created	C:\Program Files (x86)\run_848a9\unins000.dat	run_848a9.tmp
File created	C:\Program Files (x86)\run_848a9\is-60EC8.tmp	run_848a9.tmp
File opened for modification	C:\Program Files (x86)\run_848a9\unins000.dat	run_848a9.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

run_848a9.tmp

pid process

1320 run_848a9.tmp
1320 run_848a9.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

run_848a9.tmp

pid process

1320 run_848a9.tmp

pid	process
1320	run_848a9.tmp
1320	run_848a9.tmp

pid	process
1320	run_848a9.tmp

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

run_848a9.exerun_848a9.tmpsetup.exe

description	pid	process	target process
PID 3220 wrote to memory of 1320	3220	run_848a9.exe	run_848a9.tmp
PID 3220 wrote to memory of 1320	3220	run_848a9.exe	run_848a9.tmp
PID 3220 wrote to memory of 1320	3220	run_848a9.exe	run_848a9.tmp
PID 1320 wrote to memory of 2440	1320	run_848a9.tmp	setup.exe
PID 1320 wrote to memory of 2440	1320	run_848a9.tmp	setup.exe
PID 1320 wrote to memory of 2440	1320	run_848a9.tmp	setup.exe
PID 2440 wrote to memory of 2860	2440	setup.exe	setup.tmp
PID 2440 wrote to memory of 2860	2440	setup.exe	setup.tmp
PID 2440 wrote to memory of 2860	2440	setup.exe	setup.tmp

C:\Users\Admin\AppData\Local\Temp\run_848a9.exe
"C:\Users\Admin\AppData\Local\Temp\run_848a9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3220

C:\Users\Admin\AppData\Local\Temp\is-KSM1P.tmp\run_848a9.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KSM1P.tmp\run_848a9.tmp" /SL5="$30116,986812,780800,C:\Users\Admin\AppData\Local\Temp\run_848a9.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\AppData\Local\Temp\is-1DESN.tmp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-1DESN.tmp\setup.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440

C:\Users\Admin\AppData\Local\Temp\is-CCPKB.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CCPKB.tmp\setup.tmp" /SL5="$101F8,921114,831488,C:\Users\Admin\AppData\Local\Temp\is-1DESN.tmp\setup.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-1DESN.tmp\setup.exe
MD5
af5770a146da7de3837f95f622c150e5

SHA1
83edfc1970dcec10ac1a3fad0281486b8fc23810

SHA256
864a35c54d0d9aa563d4e300bd003c83502f45df8736c2f6bbb0edf74870a2e7

SHA512
15f40a0d8af86b809768ff6ee87633be59ab06d2db2b6281c30bd2e81a9b10fefb9f9737e9a770e9b084997086c45e6d3d9a2ce70ec29b0b94eab04157a2d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1DESN.tmp\setup.exe
MD5
af5770a146da7de3837f95f622c150e5

SHA1
83edfc1970dcec10ac1a3fad0281486b8fc23810

SHA256
864a35c54d0d9aa563d4e300bd003c83502f45df8736c2f6bbb0edf74870a2e7

SHA512
15f40a0d8af86b809768ff6ee87633be59ab06d2db2b6281c30bd2e81a9b10fefb9f9737e9a770e9b084997086c45e6d3d9a2ce70ec29b0b94eab04157a2d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CCPKB.tmp\setup.tmp
MD5
38e9177040663abdf7cb42d237b03d9d

SHA1
0b95b3694406d9d86aa3e4953f42d471977ff03d

SHA256
2a322dbda4ac86aed04ab99f9f2c277c2f84b6046e234c3ae55ceec53883b594

SHA512
78db4c72b2e10d665775e7f306d926060c95ba47610e809e0a21006280f9f0280fa572168b9c9ee00e2121090db9a20dc524677d961fea4292c41c44ba3cb30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KSM1P.tmp\run_848a9.tmp
MD5
172be78472394107d27ae2337ad8bf58

SHA1
530b852a568698a51fb11e137f8c5da54c21a29c

SHA256
b45d8b87c446af32aaead1b658bb10b22ba951cba63d432f665cd8c0150a576b

SHA512
903f4f3846627e03593163e89c2cd06c43a76cccbadd7eb345fd851433d290cc95737255f12d961106b43bc0a3012ea577fca0246dd7ead4665786654f122a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KSM1P.tmp\run_848a9.tmp
MD5
172be78472394107d27ae2337ad8bf58

SHA1
530b852a568698a51fb11e137f8c5da54c21a29c

SHA256
b45d8b87c446af32aaead1b658bb10b22ba951cba63d432f665cd8c0150a576b

SHA512
903f4f3846627e03593163e89c2cd06c43a76cccbadd7eb345fd851433d290cc95737255f12d961106b43bc0a3012ea577fca0246dd7ead4665786654f122a22

Download Submit
\Users\Admin\AppData\Local\Temp\is-EQPOQ.tmp\idp.dll
MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
memory/1320-120-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/1320-118-0x0000000000000000-mapping.dmp

Download
memory/2440-122-0x0000000000000000-mapping.dmp

Download
memory/2440-130-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2860-127-0x0000000000000000-mapping.dmp

Download
memory/2860-131-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/3220-117-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download

Resubmissions

Analysis

Sharing