731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b

General

Target

731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.exe
Size

1.3MB
MD5

3caa50a40a05f0eb19a45878c7a24941
SHA1

f911fb67394573a4eec08b4b5244b979f7abaa9b
SHA256

731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b
SHA512

2389df2daaadcbacd8d73832637c4c08c07b9b2013644a0c42fa3a2ea7fac4ad58aae61580f7ede755980aef59e3ee2a1303a6746288de94494af1cdb236f525
SSDEEP

24576:WMjhgLVjXz1CKToZ1mO9Or8y5rnwp6FIZOdOtuWJyB8wnt/Hg:1a0KTouOErli1ZyauWA8wna

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1912	731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.tmp

Loads dropped DLL 4 IoCs

pid	Process
1948	731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.exe
1912	731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.tmp
1912	731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.tmp
1912	731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1912	731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.tmp
1912	731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.tmp
1912	731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.tmp
1912	731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.tmp
1912	731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.tmp
1912	731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.tmp
1912	731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1912	1948	731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.exe	28
PID 1948 wrote to memory of 1912	1948	731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.exe	28
PID 1948 wrote to memory of 1912	1948	731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.exe	28
PID 1948 wrote to memory of 1912	1948	731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.exe	28
PID 1948 wrote to memory of 1912	1948	731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.exe	28
PID 1948 wrote to memory of 1912	1948	731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.exe	28
PID 1948 wrote to memory of 1912	1948	731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.exe	28

C:\Users\Admin\AppData\Local\Temp\731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.exe
"C:\Users\Admin\AppData\Local\Temp\731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\is-UO6N7.tmp\731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-UO6N7.tmp\731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.tmp" /SL5="$60120,784420,244224,C:\Users\Admin\AppData\Local\Temp\731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-UO6N7.tmp\731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.tmp

Filesize
1.2MB

MD5
5669016e7646de20b4d9fd9f569c5f56

SHA1
df2952190f78a4a1e02e7e65c1765adf756ccd5c

SHA256
79980154f582659e52503a67390954d0272f114855ba92f3b0a00c695a0a74dd

SHA512
b3e83badf084cc3d1b9996bfee8853a0dd429058087a06482ddbd796217af2ff5b475e7a0acb79925853c95115649880d860623a764f8571cd3aa87637d430da

Download Submit
\Users\Admin\AppData\Local\Temp\is-KNQFE.tmp\InstallerExtensions.dll

Filesize
108KB

MD5
9cf3dadfdf68f33b4fd252b23102b48f

SHA1
eb9f3ed6e377a6a263dc069e18c8df00d59d38c8

SHA256
d6b4b3cbdf2d4feae0ab495640b5a27ea3f98df304b8b0639d64253a2521b6ad

SHA512
b98f72522d5169c89dc47af37a3737c67a070da1d9c2b384d6f19031c9b860b88a1bd21c991c0238b3322d914dc0808ffb603de1392c65a64d9a8ab360f91e9a

Download Submit
\Users\Admin\AppData\Local\Temp\is-KNQFE.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-KNQFE.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-UO6N7.tmp\731d6f5efd196199baa548398a29093b87d4affd686ad0a937f7c89f44b8068b.tmp

Filesize
1.2MB

MD5
5669016e7646de20b4d9fd9f569c5f56

SHA1
df2952190f78a4a1e02e7e65c1765adf756ccd5c

SHA256
79980154f582659e52503a67390954d0272f114855ba92f3b0a00c695a0a74dd

SHA512
b3e83badf084cc3d1b9996bfee8853a0dd429058087a06482ddbd796217af2ff5b475e7a0acb79925853c95115649880d860623a764f8571cd3aa87637d430da

Download Submit
memory/1948-54-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download
memory/1948-55-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1948-64-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing