92339d4c8142cfa98b1d98d371d187edaa9a8f95bfa801eb401387ca237795af

General

Target

92339d4c8142cfa98b1d98d371d187edaa9a8f95bfa801eb401387ca237795af.exe
Size

600KB
MD5

693ac408458bff6719ad3800700e96c2
SHA1

67c44891a7cc1f72ee06f43542988722c2748aaf
SHA256

92339d4c8142cfa98b1d98d371d187edaa9a8f95bfa801eb401387ca237795af
SHA512

a8d34f9b77bd86a2f6695688d57493fb1d55bfe9b6df7f4090b739da89b0717f296bd31df8fed1e76657fa959ff9215094522394048d80ffe65c4e64d71bd962
SSDEEP

12288:aqhP6pCcEFlPxG8odvoy7c2e7tN7ainFc6Ivj0k2e8RqpWYS3d0/Ddl338:auPTLsDINvawFc6IwXeaqpWYS3a/Zt38

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
904	92339d4c8142cfa98b1d98d371d187edaa9a8f95bfa801eb401387ca237795af.tmp

Loads dropped DLL 3 IoCs

pid	Process
1120	92339d4c8142cfa98b1d98d371d187edaa9a8f95bfa801eb401387ca237795af.exe
904	92339d4c8142cfa98b1d98d371d187edaa9a8f95bfa801eb401387ca237795af.tmp
904	92339d4c8142cfa98b1d98d371d187edaa9a8f95bfa801eb401387ca237795af.tmp

Kills process with taskkill 1 IoCs

evasion

pid	Process
1116	taskkill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
904	92339d4c8142cfa98b1d98d371d187edaa9a8f95bfa801eb401387ca237795af.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1116	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 904	1120	92339d4c8142cfa98b1d98d371d187edaa9a8f95bfa801eb401387ca237795af.exe	28
PID 1120 wrote to memory of 904	1120	92339d4c8142cfa98b1d98d371d187edaa9a8f95bfa801eb401387ca237795af.exe	28
PID 1120 wrote to memory of 904	1120	92339d4c8142cfa98b1d98d371d187edaa9a8f95bfa801eb401387ca237795af.exe	28
PID 1120 wrote to memory of 904	1120	92339d4c8142cfa98b1d98d371d187edaa9a8f95bfa801eb401387ca237795af.exe	28
PID 904 wrote to memory of 516	904	92339d4c8142cfa98b1d98d371d187edaa9a8f95bfa801eb401387ca237795af.tmp	29
PID 904 wrote to memory of 516	904	92339d4c8142cfa98b1d98d371d187edaa9a8f95bfa801eb401387ca237795af.tmp	29
PID 904 wrote to memory of 516	904	92339d4c8142cfa98b1d98d371d187edaa9a8f95bfa801eb401387ca237795af.tmp	29
PID 904 wrote to memory of 516	904	92339d4c8142cfa98b1d98d371d187edaa9a8f95bfa801eb401387ca237795af.tmp	29
PID 516 wrote to memory of 1116	516	cmd.exe	31
PID 516 wrote to memory of 1116	516	cmd.exe	31
PID 516 wrote to memory of 1116	516	cmd.exe	31
PID 516 wrote to memory of 1116	516	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\92339d4c8142cfa98b1d98d371d187edaa9a8f95bfa801eb401387ca237795af.exe
"C:\Users\Admin\AppData\Local\Temp\92339d4c8142cfa98b1d98d371d187edaa9a8f95bfa801eb401387ca237795af.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\is-H19Q1.tmp\92339d4c8142cfa98b1d98d371d187edaa9a8f95bfa801eb401387ca237795af.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-H19Q1.tmp\92339d4c8142cfa98b1d98d371d187edaa9a8f95bfa801eb401387ca237795af.tmp" /SL5="$70124,362930,52224,C:\Users\Admin\AppData\Local\Temp\92339d4c8142cfa98b1d98d371d187edaa9a8f95bfa801eb401387ca237795af.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c"taskkill /im iexplore.exe /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:516
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im iexplore.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-H19Q1.tmp\92339d4c8142cfa98b1d98d371d187edaa9a8f95bfa801eb401387ca237795af.tmp

Filesize
699KB

MD5
3c01afb860055a9c132e202674c4f155

SHA1
e60b6721917b7ea4c2cb455ba1f4a4b5a2075482

SHA256
525f4dad705a0a916da9c91a8a5f3d6ec670ab9594c0fe90c599971431aa1818

SHA512
8dd3cd1a527f816bdc495c0c6af3b65b8bf2dae16da025f27794c3313bc86843a66012502606958d397ccc82138f3935d5fb72750640c2701d524cc935cf5d4e

Download Submit
\Users\Admin\AppData\Local\Temp\is-H19Q1.tmp\92339d4c8142cfa98b1d98d371d187edaa9a8f95bfa801eb401387ca237795af.tmp

Filesize
699KB

MD5
3c01afb860055a9c132e202674c4f155

SHA1
e60b6721917b7ea4c2cb455ba1f4a4b5a2075482

SHA256
525f4dad705a0a916da9c91a8a5f3d6ec670ab9594c0fe90c599971431aa1818

SHA512
8dd3cd1a527f816bdc495c0c6af3b65b8bf2dae16da025f27794c3313bc86843a66012502606958d397ccc82138f3935d5fb72750640c2701d524cc935cf5d4e

Download Submit
\Users\Admin\AppData\Local\Temp\is-SFDDS.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-SFDDS.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1120-54-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1120-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1120-57-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1120-66-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing