7c77ce3d7fe4b77b2aca617df531d1f1302718ee60c8405c1fc3eab80c7a9084

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
16-02-2023 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49d84976d32e73b6538ec3988424a120.exe
Size

6.0MB
MD5

49d84976d32e73b6538ec3988424a120
SHA1

9f5c9fdd18f11e321dbd899d454d39850dc0a043
SHA256

7c77ce3d7fe4b77b2aca617df531d1f1302718ee60c8405c1fc3eab80c7a9084
SHA512

72c2b06915d17bcedbca607c5b3b3963e87b835bd3997fe53f85b12ae6003e1a5dad335806e9ef33b2df36915b2564d70ff4635e9a89f82e6d7f1a6bcf88c49e
SSDEEP

196608:2K3cJGUlm5nSdiuLg/TMDh7RW5Yhhdl51NCAu:2K3cJdlm5U5Lg/TMFQ5WlfNCAu

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1656	49d84976d32e73b6538ec3988424a120.tmp
1908	DirectTest52.exe
1664	DirectTest52.exe

Loads dropped DLL 5 IoCs

pid	Process
2028	49d84976d32e73b6538ec3988424a120.exe
1656	49d84976d32e73b6538ec3988424a120.tmp
1656	49d84976d32e73b6538ec3988424a120.tmp
1656	49d84976d32e73b6538ec3988424a120.tmp
1656	49d84976d32e73b6538ec3988424a120.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DPFinder52\is-6KEEE.tmp	49d84976d32e73b6538ec3988424a120.tmp
File created	C:\Program Files (x86)\DPFinder52\is-3U9NT.tmp	49d84976d32e73b6538ec3988424a120.tmp
File created	C:\Program Files (x86)\DPFinder52\is-TVG2V.tmp	49d84976d32e73b6538ec3988424a120.tmp
File opened for modification	C:\Program Files (x86)\DPFinder52\unins000.dat	49d84976d32e73b6538ec3988424a120.tmp
File opened for modification	C:\Program Files (x86)\DPFinder52\DirectTest52.exe	49d84976d32e73b6538ec3988424a120.tmp
File created	C:\Program Files (x86)\DPFinder52\unins000.dat	49d84976d32e73b6538ec3988424a120.tmp
File created	C:\Program Files (x86)\DPFinder52\is-TGK90.tmp	49d84976d32e73b6538ec3988424a120.tmp
File created	C:\Program Files (x86)\DPFinder52\is-2VT9F.tmp	49d84976d32e73b6538ec3988424a120.tmp
File created	C:\Program Files (x86)\DPFinder52\is-FNKEG.tmp	49d84976d32e73b6538ec3988424a120.tmp
File created	C:\Program Files (x86)\DPFinder52\is-6DT3N.tmp	49d84976d32e73b6538ec3988424a120.tmp

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1656	2028	49d84976d32e73b6538ec3988424a120.exe	28
PID 2028 wrote to memory of 1656	2028	49d84976d32e73b6538ec3988424a120.exe	28
PID 2028 wrote to memory of 1656	2028	49d84976d32e73b6538ec3988424a120.exe	28
PID 2028 wrote to memory of 1656	2028	49d84976d32e73b6538ec3988424a120.exe	28
PID 2028 wrote to memory of 1656	2028	49d84976d32e73b6538ec3988424a120.exe	28
PID 2028 wrote to memory of 1656	2028	49d84976d32e73b6538ec3988424a120.exe	28
PID 2028 wrote to memory of 1656	2028	49d84976d32e73b6538ec3988424a120.exe	28
PID 1656 wrote to memory of 948	1656	49d84976d32e73b6538ec3988424a120.tmp	29
PID 1656 wrote to memory of 948	1656	49d84976d32e73b6538ec3988424a120.tmp	29
PID 1656 wrote to memory of 948	1656	49d84976d32e73b6538ec3988424a120.tmp	29
PID 1656 wrote to memory of 948	1656	49d84976d32e73b6538ec3988424a120.tmp	29
PID 1656 wrote to memory of 1908	1656	49d84976d32e73b6538ec3988424a120.tmp	31
PID 1656 wrote to memory of 1908	1656	49d84976d32e73b6538ec3988424a120.tmp	31
PID 1656 wrote to memory of 1908	1656	49d84976d32e73b6538ec3988424a120.tmp	31
PID 1656 wrote to memory of 1908	1656	49d84976d32e73b6538ec3988424a120.tmp	31
PID 1656 wrote to memory of 1560	1656	49d84976d32e73b6538ec3988424a120.tmp	32
PID 1656 wrote to memory of 1560	1656	49d84976d32e73b6538ec3988424a120.tmp	32
PID 1656 wrote to memory of 1560	1656	49d84976d32e73b6538ec3988424a120.tmp	32
PID 1656 wrote to memory of 1560	1656	49d84976d32e73b6538ec3988424a120.tmp	32
PID 1656 wrote to memory of 1664	1656	49d84976d32e73b6538ec3988424a120.tmp	33
PID 1656 wrote to memory of 1664	1656	49d84976d32e73b6538ec3988424a120.tmp	33
PID 1656 wrote to memory of 1664	1656	49d84976d32e73b6538ec3988424a120.tmp	33
PID 1656 wrote to memory of 1664	1656	49d84976d32e73b6538ec3988424a120.tmp	33

C:\Users\Admin\AppData\Local\Temp\49d84976d32e73b6538ec3988424a120.exe
"C:\Users\Admin\AppData\Local\Temp\49d84976d32e73b6538ec3988424a120.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\is-9H7G7.tmp\49d84976d32e73b6538ec3988424a120.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9H7G7.tmp\49d84976d32e73b6538ec3988424a120.tmp" /SL5="$70122,6051998,50688,C:\Users\Admin\AppData\Local\Temp\49d84976d32e73b6538ec3988424a120.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:948
- - C:\Program Files (x86)\DPFinder52\DirectTest52.exe
    "C:\Program Files (x86)\DPFinder52\DirectTest52.exe"
    3⤵
    - Executes dropped EXE
    PID:1908
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "DPF-52"
    3⤵
    PID:1560
- - C:\Program Files (x86)\DPFinder52\DirectTest52.exe
    "C:\Program Files (x86)\DPFinder52\DirectTest52.exe" de81cdb3d6312dc49425bb9b5ad9f557
    3⤵
    - Executes dropped EXE
    PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DPFinder52\DirectTest52.exe

Filesize
3.6MB

MD5
b222ef6cf1bc166f3585dc579b89fa28

SHA1
5f2f7e0ec26cd394b53c10fa6ac3c34d2b984581

SHA256
6e2bee76aacc93334e605a4c45145d4f5807228937938d1208e9e1296e1cd270

SHA512
c5b58bf09b1e31afd00297840d7f8dc33f931b71978a8bf2ea9d7b85e7d171f55f5df92f7fd48ca3e1957b62db6ce51b321bf183c46e22954325dc190b88bf9b

Download Submit
C:\Program Files (x86)\DPFinder52\DirectTest52.exe

Filesize
3.6MB

MD5
b222ef6cf1bc166f3585dc579b89fa28

SHA1
5f2f7e0ec26cd394b53c10fa6ac3c34d2b984581

SHA256
6e2bee76aacc93334e605a4c45145d4f5807228937938d1208e9e1296e1cd270

SHA512
c5b58bf09b1e31afd00297840d7f8dc33f931b71978a8bf2ea9d7b85e7d171f55f5df92f7fd48ca3e1957b62db6ce51b321bf183c46e22954325dc190b88bf9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9H7G7.tmp\49d84976d32e73b6538ec3988424a120.tmp

Filesize
692KB

MD5
9d259fdac780d7379ca6acf223cc6f11

SHA1
c0b995b631a9122ab8afaca9e8258a4f2e0c9c3a

SHA256
4d6bfd5c3cf037e2a1d1067c06fb073af5634c1b8ac04cfe5d17208b5741b80c

SHA512
8d512a28df68349ca8cd1338968002d34113765b71bad6b5fc5b7e307130ad83c6ce77633d42f2e9449485450651121ca8609f2a15ca4a8d81ccb44db548f04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9H7G7.tmp\49d84976d32e73b6538ec3988424a120.tmp

Filesize
692KB

MD5
9d259fdac780d7379ca6acf223cc6f11

SHA1
c0b995b631a9122ab8afaca9e8258a4f2e0c9c3a

SHA256
4d6bfd5c3cf037e2a1d1067c06fb073af5634c1b8ac04cfe5d17208b5741b80c

SHA512
8d512a28df68349ca8cd1338968002d34113765b71bad6b5fc5b7e307130ad83c6ce77633d42f2e9449485450651121ca8609f2a15ca4a8d81ccb44db548f04a

Download Submit
\Program Files (x86)\DPFinder52\DirectTest52.exe

Filesize
3.6MB

MD5
b222ef6cf1bc166f3585dc579b89fa28

SHA1
5f2f7e0ec26cd394b53c10fa6ac3c34d2b984581

SHA256
6e2bee76aacc93334e605a4c45145d4f5807228937938d1208e9e1296e1cd270

SHA512
c5b58bf09b1e31afd00297840d7f8dc33f931b71978a8bf2ea9d7b85e7d171f55f5df92f7fd48ca3e1957b62db6ce51b321bf183c46e22954325dc190b88bf9b

Download Submit
\Users\Admin\AppData\Local\Temp\is-2MFMI.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-2MFMI.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-2MFMI.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-9H7G7.tmp\49d84976d32e73b6538ec3988424a120.tmp

Filesize
692KB

MD5
9d259fdac780d7379ca6acf223cc6f11

SHA1
c0b995b631a9122ab8afaca9e8258a4f2e0c9c3a

SHA256
4d6bfd5c3cf037e2a1d1067c06fb073af5634c1b8ac04cfe5d17208b5741b80c

SHA512
8d512a28df68349ca8cd1338968002d34113765b71bad6b5fc5b7e307130ad83c6ce77633d42f2e9449485450651121ca8609f2a15ca4a8d81ccb44db548f04a

Download Submit
memory/1656-70-0x00000000035E0000-0x0000000004779000-memory.dmp

Filesize
17.6MB

Download
memory/1656-81-0x00000000035E0000-0x0000000004779000-memory.dmp

Filesize
17.6MB

Download
memory/1664-83-0x0000000000400000-0x0000000001599000-memory.dmp

Filesize
17.6MB

Download
memory/1664-82-0x0000000000400000-0x0000000001599000-memory.dmp

Filesize
17.6MB

Download
memory/1664-80-0x0000000000400000-0x0000000001599000-memory.dmp

Filesize
17.6MB

Download
memory/1664-78-0x0000000000400000-0x0000000001599000-memory.dmp

Filesize
17.6MB

Download
memory/1908-73-0x0000000000400000-0x0000000001599000-memory.dmp

Filesize
17.6MB

Download
memory/1908-72-0x0000000000400000-0x0000000001599000-memory.dmp

Filesize
17.6MB

Download
memory/1908-71-0x0000000000400000-0x0000000001599000-memory.dmp

Filesize
17.6MB

Download
memory/2028-55-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2028-54-0x00000000767D1000-0x00000000767D3000-memory.dmp

Filesize
8KB

Download
memory/2028-64-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download