3b1e29d6fde6e83f169c13b17f72c8a155fab8c7d296233703a0afdd6e714a63

Analysis

max time kernel
140s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19-05-2022 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PianoScrap.exe
Size

83KB
MD5

ad1faa076d04a9595ebb7c7c0034c35e
SHA1

cbe139b2ad2d73b3b82b1d808327cf4538cfc401
SHA256

3b1e29d6fde6e83f169c13b17f72c8a155fab8c7d296233703a0afdd6e714a63
SHA512

4098a3c8e91f2af9ab81424a28d9189b0b28c181c1d3a5a3ce96aa493111a77f584dbd2fcefc27c695669c71f06918059ea1f840d096732a6f74ca65c86dd120

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

iZip_2_0_10_251_tn_1012.exe

pid process

444 iZip_2_0_10_251_tn_1012.exe

pid	process
444	iZip_2_0_10_251_tn_1012.exe

Loads dropped DLL 15 IoCs

Processes:

PianoScrap.exeiZip_2_0_10_251_tn_1012.exe

pid	process
1960	PianoScrap.exe
1960	PianoScrap.exe
1960	PianoScrap.exe
1960	PianoScrap.exe
1960	PianoScrap.exe
1960	PianoScrap.exe
1960	PianoScrap.exe
1960	PianoScrap.exe
1960	PianoScrap.exe
1960	PianoScrap.exe
1960	PianoScrap.exe
1960	PianoScrap.exe
1960	PianoScrap.exe
444	iZip_2_0_10_251_tn_1012.exe
444	iZip_2_0_10_251_tn_1012.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

iZip_2_0_10_251_tn_1012.exe

description	ioc	process
File created	C:\Program Files (x86)\iZip\2.0.10.383\izminiskin\title_icon_image.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\Uninst.exe	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\dialog.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\image_lock.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\min.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\progress_fg_red.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\top_banner.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\izminiskin\minipage.ico	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\izip_skin\screensaver_skin\btn_002.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\btn_del.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\btn_zip.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\combobox_button.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\progress_bktwo.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\restore.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\view_small_icon.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\izminiskin\wait_wording.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\izip_skin\screensaver_skin\btn_close_setting.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\btn_compress_now.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\btn_extract.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\mizilogo.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\izipExplorer64.dll	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\izminiskin\true.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\izminiskin\window.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\btn_close_1.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\progress_fg.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\window.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\7z.dll	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\izipG.exe	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\izipHelperTools.exe	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\checkbox.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\max.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\view_detail_icon.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\izip_skin\screensaver_skin\Wallpaper\2.jpg	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\msvcp120.dll	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\UserConfig.ini	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\btn_menu.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\mini_progress_bkg.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\izminiskin\btn_close.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\menu_bk.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\izip_skin\screensaver_skin\radiobox.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\msvcr120.dll	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\btn_info.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\menu_select_bkg.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\menu_seperator.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\progress_bk.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\top_bkg.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\aboutdlg_bk.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\btn_common.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\btn_compress.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\izipminipage.exe	iZip_2_0_10_251_tn_1012.exe
File opened for modification	C:\Program Files (x86)\iZip\2.0.10.383\UserConfig.ini	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\izminiskin\btn_min.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\izip_skin\screensaver_skin\Wallpaper\4.jpg	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\izip.exe	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\izip_skin\screensaver_skin\btn_003.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\check_upgrade_image.gif	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\dropdown_up.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\izminiskin\btn_close_1.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\izip_skin\screensaver_skin\Wallpaper\1.jpg	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\tabs.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\izminiskin\line.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\izip_skin\screensaver_skin\bkg_Detail_Window.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\progress_fg_gr.png	iZip_2_0_10_251_tn_1012.exe
File created	C:\Program Files (x86)\iZip\2.0.10.383\iZipSkin\title_icon_image.png	iZip_2_0_10_251_tn_1012.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

iZip_2_0_10_251_tn_1012.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.lzh\DefaultIcon\ = "C:\\Program Files (x86)\\iZip\\2.0.10.383\\iZipSkin\\iZip.ico"	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.z\shell\open\command	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.arj\shell\open\command\ = "\"C:\\Program Files (x86)\\iZip\\2.0.10.383\\izip.exe\" \"%1\""	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.cpio\shell\open\command\ = "\"C:\\Program Files (x86)\\iZip\\2.0.10.383\\izip.exe\" \"%1\""	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dmg\iZipbackup	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.hfs\shell	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.001\ = "iZip 001压缩格式"	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.split\DefaultIcon	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.swm\ = "iZip.swm"	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.tar\DefaultIcon	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.gzip\DefaultIcon	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.hfs\ = "iZip hfs压缩格式"	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.tgz	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.rar\shell\open\command\ = "\"C:\\Program Files (x86)\\iZip\\2.0.10.383\\izip.exe\" \"%1\""	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bzip2	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.cab\DefaultIcon	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.deb\iZipbackup	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9D731A0B-89E4-44E2-A6A4-3B05C80D562C}	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.7z\shell\open\command	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.001\ = "iZip.001"	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab\iZipbackup = "CABFolder"	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.rar\ = "iZip rar压缩格式"	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.cpio\shell	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.tgz\ = "iZip tgz压缩格式"	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha\iZipbackup	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.z	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.arj	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.gz\shell	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.iso\shell\open\command\ = "\"C:\\Program Files (x86)\\iZip\\2.0.10.383\\izip.exe\" \"%1\""	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.taz\shell	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.bz2\DefaultIcon\ = "C:\\Program Files (x86)\\iZip\\2.0.10.383\\iZipSkin\\iZip.ico"	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.zip\ = "iZip zip压缩格式"	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.001\shell	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.lha\DefaultIcon\ = "C:\\Program Files (x86)\\iZip\\2.0.10.383\\iZipSkin\\iZip.ico"	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\iZip	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.lzh\shell\open\command	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.swm\shell\open	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.tar\ = "iZip tar压缩格式"	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.tgz\DefaultIcon\ = "C:\\Program Files (x86)\\iZip\\2.0.10.383\\iZipSkin\\iZip.ico"	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z\ = "iZip.7z"	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.zip\shell\open	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.gzip\shell\open	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.hfs\shell\open\command\ = "\"C:\\Program Files (x86)\\iZip\\2.0.10.383\\izip.exe\" \"%1\""	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.tgz\shell\open\command	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.wim\shell\open\command	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.z\shell\open	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bzip2\iZipbackup	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.gzip	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.iso	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.wim\ = "iZip wim压缩格式"	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.lzma\shell\open\command\ = "\"C:\\Program Files (x86)\\iZip\\2.0.10.383\\izip.exe\" \"%1\""	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.rpm\shell\open\command	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.tpz\DefaultIcon	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bzip2\ = "iZip.bzip2"	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gzip\iZipbackup	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.hfs\shell\open	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.lzh\DefaultIcon	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.lha\shell\open\command	iZip_2_0_10_251_tn_1012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.swm\shell\open\command\ = "\"C:\\Program Files (x86)\\iZip\\2.0.10.383\\izip.exe\" \"%1\""	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.lzma\shell	iZip_2_0_10_251_tn_1012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iZip.split\shell\open\command	iZip_2_0_10_251_tn_1012.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

iZip_2_0_10_251_tn_1012.exe

pid process

444 iZip_2_0_10_251_tn_1012.exe
444 iZip_2_0_10_251_tn_1012.exe
444 iZip_2_0_10_251_tn_1012.exe
444 iZip_2_0_10_251_tn_1012.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

iZip_2_0_10_251_tn_1012.exe

description pid process

Token: SeDebugPrivilege 444 iZip_2_0_10_251_tn_1012.exe
Token: SeDebugPrivilege 444 iZip_2_0_10_251_tn_1012.exe

pid	process
444	iZip_2_0_10_251_tn_1012.exe
444	iZip_2_0_10_251_tn_1012.exe
444	iZip_2_0_10_251_tn_1012.exe
444	iZip_2_0_10_251_tn_1012.exe

description	pid	process
Token: SeDebugPrivilege	444	iZip_2_0_10_251_tn_1012.exe
Token: SeDebugPrivilege	444	iZip_2_0_10_251_tn_1012.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

PianoScrap.exe

description	pid	process	target process
PID 1960 wrote to memory of 444	1960	PianoScrap.exe	iZip_2_0_10_251_tn_1012.exe
PID 1960 wrote to memory of 444	1960	PianoScrap.exe	iZip_2_0_10_251_tn_1012.exe
PID 1960 wrote to memory of 444	1960	PianoScrap.exe	iZip_2_0_10_251_tn_1012.exe

C:\Users\Admin\AppData\Local\Temp\PianoScrap.exe
"C:\Users\Admin\AppData\Local\Temp\PianoScrap.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Local\Temp\iZip_2_0_10_251_tn_1012.exe
"C:\Users\Admin\AppData\Local\Temp\iZip_2_0_10_251_tn_1012.exe" /S
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iZip_2_0_10_251_tn_1012.exe
Filesize
6.5MB

MD5
6b255ee5d747ec08b05527d8bfd32477

SHA1
564dd3b4c472b1e2d8133af1e35cb83064e2a199

SHA256
208597ee1974ef02a2d143f15e09edb91a023f330f0b742e1929b3a99908b732

SHA512
e968bf8a76bfaca6d638ab3081ec9bc4cc4aed69546897bbd718a8d7bc3b3c55af2de8c979c9873e769fd247914861f735cd97b706f75e6f076c41b233e1d44e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iZip_2_0_10_251_tn_1012.exe
Filesize
6.5MB

MD5
6b255ee5d747ec08b05527d8bfd32477

SHA1
564dd3b4c472b1e2d8133af1e35cb83064e2a199

SHA256
208597ee1974ef02a2d143f15e09edb91a023f330f0b742e1929b3a99908b732

SHA512
e968bf8a76bfaca6d638ab3081ec9bc4cc4aed69546897bbd718a8d7bc3b3c55af2de8c979c9873e769fd247914861f735cd97b706f75e6f076c41b233e1d44e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss7210.tmp\System.dll
Filesize
11KB

MD5
33e702960390e2b3dea8493ab459e3e1

SHA1
41d22719f0b6fadbe81e155d834e95eb098b0de0

SHA256
eedac8e302e99ff0e96b906e9ad0e8647aeafb4a662d4c6197abb3c6c6be7d77

SHA512
6e4b964120d1e10772202d301374bc8f9e6f17222d5b89f2784382ad24b2fac376c1573a7033c3bd530386c55da24e19eaf5f1ffc7e2e69af238c8343975b11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss7210.tmp\insthelper.dll
Filesize
1.9MB

MD5
76cd8e10e0fbc16e98f5e9e3a7205113

SHA1
e693849c1bc473180e699d1daa0d4e28c49e1535

SHA256
0a43b78adad69db94d7cfa5dc3ad474c3d0e9c39c6751ee1c88a609d5663d6a9

SHA512
47f150922f9d49d2e715e9419be6e3abff9384aa1ce442e6f6c75718ac476c85ee1bd87cb13e8257f7d095dfcb65ef1bf914202fae925d0e5af0761b86c2e5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6008.tmp\INetC.dll
Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6008.tmp\NSISdl.dll
Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6008.tmp\NSISdl.dll
Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6008.tmp\NSISdl.dll
Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6008.tmp\NSISdl.dll
Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6008.tmp\NSISdl.dll
Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6008.tmp\NSISdl.dll
Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6008.tmp\NSISdl.dll
Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6008.tmp\NSISdl.dll
Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6008.tmp\NSISdl.dll
Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6008.tmp\NSISdl.dll
Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6008.tmp\NSISdl.dll
Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6008.tmp\NsisCrypt.dll
Filesize
15KB

MD5
2b2ce6a4724773710667d8e892b8d71e

SHA1
bc497b829d52d0bca139e7db9792b58a6c5ccac2

SHA256
393b83eea1a26874e0148e2609438f05fb59cd3172509c6c1a356e25c3b4fb17

SHA512
ee86bb39956733408d9669f28ca04cab5429ddead9e02f889b5e3d1346b7b34df48591acdba364aad8faf434dceee2a12812c7066c61651c6c01a6f27a0ea918

Download Submit
memory/444-143-0x0000000000000000-mapping.dmp

Download