498421bc4c78ba9bf7c9d669bd9958cf2c0c1cc89e94288800fe004400821ef3

General

Target

aea21ab88cca720a34ec1c9c4794f82a.exe
Size

749KB
MD5

aea21ab88cca720a34ec1c9c4794f82a
SHA1

5241d6fd4013ec8251df46e231665471a8ca70db
SHA256

498421bc4c78ba9bf7c9d669bd9958cf2c0c1cc89e94288800fe004400821ef3
SHA512

9503ec3b595db2edee075254da608284a0ffbe33b4f86e3e703293f49c73ef7e5069454608ee23a9f3b3062ef3325e9bed0b4d9b6e8a7e3239942033eb400f38

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

aea21ab88cca720a34ec1c9c4794f82a.tmp7((_8888YTR(.exe

pid process

3972 aea21ab88cca720a34ec1c9c4794f82a.tmp
3548 7((_8888YTR(.exe
Loads dropped DLL 1 IoCs

Processes:

aea21ab88cca720a34ec1c9c4794f82a.tmp

pid process

3972 aea21ab88cca720a34ec1c9c4794f82a.tmp

pid	process
3972	aea21ab88cca720a34ec1c9c4794f82a.tmp
3548	7((_8888YTR(.exe

pid	process
3972	aea21ab88cca720a34ec1c9c4794f82a.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotification.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotification.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotification.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MusNotification.exe

description pid process

Token: SeShutdownPrivilege 208 MusNotification.exe
Token: SeCreatePagefilePrivilege 208 MusNotification.exe

description	pid	process
Token: SeShutdownPrivilege	208	MusNotification.exe
Token: SeCreatePagefilePrivilege	208	MusNotification.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

aea21ab88cca720a34ec1c9c4794f82a.exeaea21ab88cca720a34ec1c9c4794f82a.tmp7((_8888YTR(.exe

description	pid	process	target process
PID 388 wrote to memory of 3972	388	aea21ab88cca720a34ec1c9c4794f82a.exe	aea21ab88cca720a34ec1c9c4794f82a.tmp
PID 388 wrote to memory of 3972	388	aea21ab88cca720a34ec1c9c4794f82a.exe	aea21ab88cca720a34ec1c9c4794f82a.tmp
PID 388 wrote to memory of 3972	388	aea21ab88cca720a34ec1c9c4794f82a.exe	aea21ab88cca720a34ec1c9c4794f82a.tmp
PID 3972 wrote to memory of 3548	3972	aea21ab88cca720a34ec1c9c4794f82a.tmp	7((_8888YTR(.exe
PID 3972 wrote to memory of 3548	3972	aea21ab88cca720a34ec1c9c4794f82a.tmp	7((_8888YTR(.exe
PID 3548 wrote to memory of 3500	3548	7((_8888YTR(.exe	fondue.exe
PID 3548 wrote to memory of 3500	3548	7((_8888YTR(.exe	fondue.exe

C:\Users\Admin\AppData\Local\Temp\aea21ab88cca720a34ec1c9c4794f82a.exe
"C:\Users\Admin\AppData\Local\Temp\aea21ab88cca720a34ec1c9c4794f82a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:388

C:\Users\Admin\AppData\Local\Temp\is-6VMFR.tmp\aea21ab88cca720a34ec1c9c4794f82a.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6VMFR.tmp\aea21ab88cca720a34ec1c9c4794f82a.tmp" /SL5="$10011A,506086,422400,C:\Users\Admin\AppData\Local\Temp\aea21ab88cca720a34ec1c9c4794f82a.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3972

C:\Users\Admin\AppData\Local\Temp\is-S8JTM.tmp\7((_8888YTR(.exe
"C:\Users\Admin\AppData\Local\Temp\is-S8JTM.tmp\7((_8888YTR(.exe" /S /UID=rec7
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\system32\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
4⤵
PID:3500

C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-6VMFR.tmp\aea21ab88cca720a34ec1c9c4794f82a.tmp
MD5
91d64d52451891441d23398dd3a6e05e

SHA1
48acbb102a9f4a15398a93f290994fe306431b92

SHA256
86c6f7b0b4ea6b716351b45b1b8809a56ac3efcd0e02859ae2d113c3ef2e088b

SHA512
ce7024c1e497da18708afdedfca6c0e95a012d3173b9d659cf5c4e58cde670d6b53bc95beedf86ec0995db341c165992a29a238798f81d425671a3229b8184e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S8JTM.tmp\7((_8888YTR(.exe
MD5
f97d18bae067594234dc3ea8e06d10a1

SHA1
fbc62c900d9a2e05d0fb5d544dbb0f4ae5119261

SHA256
2f19b526f1f1dc0d9d4d771f6138e74bf778b4caa042b9f6699dad287b03e8ab

SHA512
4e124fba18766da2630f3c6edc1e576a06ec263978335431e17ecf4d362c83be20c6bd29d451cd38985f2ba41f4ae4a4cd2db89cfc56726f01b31e5c5b143e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S8JTM.tmp\7((_8888YTR(.exe
MD5
f97d18bae067594234dc3ea8e06d10a1

SHA1
fbc62c900d9a2e05d0fb5d544dbb0f4ae5119261

SHA256
2f19b526f1f1dc0d9d4d771f6138e74bf778b4caa042b9f6699dad287b03e8ab

SHA512
4e124fba18766da2630f3c6edc1e576a06ec263978335431e17ecf4d362c83be20c6bd29d451cd38985f2ba41f4ae4a4cd2db89cfc56726f01b31e5c5b143e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S8JTM.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
memory/388-132-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3500-140-0x0000000000000000-mapping.dmp

Download
memory/3548-137-0x0000000000000000-mapping.dmp

Download
memory/3972-133-0x0000000000000000-mapping.dmp

Download
memory/3972-135-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing