dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1

General

Target

dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.exe
Size

411KB
MD5

ddb1ceb266455f58e6eba0c2ac95ce99
SHA1

159015591d226a5620d5a5f742307eb4ea603d27
SHA256

dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1
SHA512

a57a58190d107991374ef7421ba5644a5de862ca0375e666e1429196b0de7edaac0a375477cd1f5b0042cb23f76c9064b7478600003bc61602b39b76eef6bd49
SSDEEP

12288:CQiG+jL8+iDYVi/xDI+MBTlPadSfXioRcpMXVJoT:CQi3n8FDjMBTlP0QjcpMXVJoT

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
940	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.tmp

Loads dropped DLL 4 IoCs

pid	Process
1696	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.exe
940	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.tmp
940	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.tmp
940	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.tmp

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
560	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	560	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 940	1696	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.exe	27
PID 1696 wrote to memory of 940	1696	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.exe	27
PID 1696 wrote to memory of 940	1696	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.exe	27
PID 1696 wrote to memory of 940	1696	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.exe	27
PID 1696 wrote to memory of 940	1696	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.exe	27
PID 1696 wrote to memory of 940	1696	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.exe	27
PID 1696 wrote to memory of 940	1696	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.exe	27
PID 940 wrote to memory of 676	940	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.tmp	28
PID 940 wrote to memory of 676	940	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.tmp	28
PID 940 wrote to memory of 676	940	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.tmp	28
PID 940 wrote to memory of 676	940	dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.tmp	28
PID 676 wrote to memory of 560	676	cmd.exe	30
PID 676 wrote to memory of 560	676	cmd.exe	30
PID 676 wrote to memory of 560	676	cmd.exe	30
PID 676 wrote to memory of 560	676	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.exe
"C:\Users\Admin\AppData\Local\Temp\dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\is-A3M0E.tmp\dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-A3M0E.tmp\dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.tmp" /SL5="$70124,138489,56832,C:\Users\Admin\AppData\Local\Temp\dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-DEH1B.tmp\ex.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-A3M0E.tmp\dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DEH1B.tmp\av.txt

Filesize
24B

MD5
f8f8258012893e0a2c957d226bdd7587

SHA1
ed482b5f912ef2d31e2b231df6b6e3b64967390c

SHA256
c341965a331692b4f79eed856a7da98c550d74fdef27d1241893284f1b51c3d2

SHA512
6e563814e4347ffa1da1d4d26ab45430987d5224c22278e1ee41b207700eb263aaab1e69088a5eeb267fdd385f36a61c0c66415f5df0887162eefbcbec9d19d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DEH1B.tmp\ex.bat

Filesize
786B

MD5
0718f62eb039aae23671efe339ee5049

SHA1
4b2894cd9e6cade906eb3cc82fe35a1b37c903cc

SHA256
eb24924cbedca54c8d4ed1881da44feee1d24f37355e2582cebfaa2db3b30aaf

SHA512
f772c8dfecf3daf0600053b3abf5e4954e7d1eaa181c8f2f2c65a50f498ad4d80e6763868df529c70461e53112107a77f061f5228a1745fd8527ebc6c77523bf

Download Submit
\Users\Admin\AppData\Local\Temp\is-A3M0E.tmp\dd3dece99dbc0d56d08e5fe303c7b398e49c22ef57cc4ee122fb66883e1af1f1.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
\Users\Admin\AppData\Local\Temp\is-DEH1B.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-DEH1B.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-DEH1B.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
memory/560-70-0x0000000073AB0000-0x000000007405B000-memory.dmp

Filesize
5.7MB

Download
memory/560-71-0x0000000073AB0000-0x000000007405B000-memory.dmp

Filesize
5.7MB

Download
memory/940-64-0x0000000003420000-0x000000000345C000-memory.dmp

Filesize
240KB

Download
memory/1696-65-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1696-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing