33d92d63e2031bcde9fd355b5a9cb725e9203773cc05f1ceb87de2c08f042ac8

General

Target

eagleget_setup.exe
Size

10.0MB
MD5

69f26e335a173717a64cd3b5458b9897
SHA1

7c5f488dd4da20ab7f98ef5308a358ba5a28dc6d
SHA256

33d92d63e2031bcde9fd355b5a9cb725e9203773cc05f1ceb87de2c08f042ac8
SHA512

4d2bc1dcbd77546d9fbdce56cbc14d776cd3b6c3f0ea4b15978058521d5ca8c7601e1cdfb493493ba4879287931e2b5325996ff10de2e0924c1a090deac0a712

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

eagleget_setup.tmp

pid process

4092 eagleget_setup.tmp
Loads dropped DLL 4 IoCs

Processes:

eagleget_setup.tmp

pid process

4092 eagleget_setup.tmp
4092 eagleget_setup.tmp
4092 eagleget_setup.tmp
4092 eagleget_setup.tmp
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3024 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 3024 taskkill.exe

pid	process
4092	eagleget_setup.tmp

pid	process
4092	eagleget_setup.tmp
4092	eagleget_setup.tmp
4092	eagleget_setup.tmp
4092	eagleget_setup.tmp

pid	process
3024	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	3024	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

eagleget_setup.exeeagleget_setup.tmp

description	pid	process	target process
PID 2592 wrote to memory of 4092	2592	eagleget_setup.exe	eagleget_setup.tmp
PID 2592 wrote to memory of 4092	2592	eagleget_setup.exe	eagleget_setup.tmp
PID 2592 wrote to memory of 4092	2592	eagleget_setup.exe	eagleget_setup.tmp
PID 4092 wrote to memory of 3024	4092	eagleget_setup.tmp	taskkill.exe
PID 4092 wrote to memory of 3024	4092	eagleget_setup.tmp	taskkill.exe
PID 4092 wrote to memory of 3024	4092	eagleget_setup.tmp	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\eagleget_setup.exe
"C:\Users\Admin\AppData\Local\Temp\eagleget_setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2592

C:\Users\Admin\AppData\Local\Temp\is-9PFUK.tmp\eagleget_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9PFUK.tmp\eagleget_setup.tmp" /SL5="$200F8,10028740,175104,C:\Users\Admin\AppData\Local\Temp\eagleget_setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "net_updater32.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3024

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-9PFUK.tmp\eagleget_setup.tmp
MD5
eb42e5720e09cd014694a22c86929f5e

SHA1
b619dccd5e1deb090d8eae6c6bac5e5dae91fdfb

SHA256
4dc2d414277e497490d2009f370051298bccaa649d0a335b064269a0bb9bbbf3

SHA512
4f5ea3e32f7da75799b8067351a860f6c840dba8108c92d34d4be7d6b811140e6b2dd161ba4bd90df77dff41b74e1e85b536b3776cadb656018a1914acc3ee2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9PFUK.tmp\eagleget_setup.tmp
MD5
eb42e5720e09cd014694a22c86929f5e

SHA1
b619dccd5e1deb090d8eae6c6bac5e5dae91fdfb

SHA256
4dc2d414277e497490d2009f370051298bccaa649d0a335b064269a0bb9bbbf3

SHA512
4f5ea3e32f7da75799b8067351a860f6c840dba8108c92d34d4be7d6b811140e6b2dd161ba4bd90df77dff41b74e1e85b536b3776cadb656018a1914acc3ee2f

Download Submit
\Users\Admin\AppData\Local\Temp\is-AH7N6.tmp\CallbackCtrl.dll
MD5
f07e819ba2e46a897cfabf816d7557b2

SHA1
8d5fd0a741dd3fd84650e40dd3928ae1f15323cc

SHA256
68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d

SHA512
7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

Download Submit
\Users\Admin\AppData\Local\Temp\is-AH7N6.tmp\botva2.dll
MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
\Users\Admin\AppData\Local\Temp\is-AH7N6.tmp\botva2.dll
MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
\Users\Admin\AppData\Local\Temp\is-AH7N6.tmp\util.dll
MD5
ff4feaf7b5a9ac2f170be9100e3d545d

SHA1
1ec232776aab63dbc6c5e60f78956bbf08ce5d46

SHA256
98e42f53f795c03b180e2750d14c1a77bfd9078f7663d35886af91b92d5487a2

SHA512
93d3efa7f6fbbfa474e4172f7e422a6aa349efba280db593ac61a2d298607f2e1dc716b3c04ab5809de2bf36f6f4dab2449332f80a26cdb09ffe9015325859e9

Download Submit
memory/2592-115-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4092-119-0x0000000000550000-0x00000000005FE000-memory.dmp

Filesize
696KB

Download
memory/4092-123-0x0000000003500000-0x000000000350E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads