40b0e42431ac639ad4bc2d3be4bcc0e8b19f6cf1abd192ae7981d8fc9a272231

General

Target

xiibEOQw27sQBt.exe
Size

1.8MB
MD5

7f5cf5761313ae5b1ab05e9e8ff1c7e0
SHA1

028f92ee92e881089c7d08989d53604c1448d78d
SHA256

40b0e42431ac639ad4bc2d3be4bcc0e8b19f6cf1abd192ae7981d8fc9a272231
SHA512

bd739aea9dd976aa527a0d3f3077bdb52d69b7c9945a139dd620e2d7301633313fe965f6bb3dc645a2ba0e82d251e1e72ca59d2421454c6a21e9710cacd57297
SSDEEP

49152:iiSmxHP5b+2p9m4Zvb7j1Hgh9Rl4m6s8wuA:iiXxHPg2p9m4v949Rl11t

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1912	is-LVGIE.tmp
644	SyncBackupShell.exe

Loads dropped DLL 1 IoCs

pid	Process
1912	is-LVGIE.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\EAngBackup\is-FS5KJ.tmp	is-LVGIE.tmp
File created	C:\Program Files (x86)\EAngBackup\Help\images\is-EFOB0.tmp	is-LVGIE.tmp
File created	C:\Program Files (x86)\EAngBackup\Help\images\is-0GDUK.tmp	is-LVGIE.tmp
File opened for modification	C:\Program Files (x86)\EAngBackup\unins000.dat	is-LVGIE.tmp
File created	C:\Program Files (x86)\clFlow	SyncBackupShell.exe
File created	C:\Program Files (x86)\EAngBackup\unins000.dat	is-LVGIE.tmp
File created	C:\Program Files (x86)\EAngBackup\is-BIPUE.tmp	is-LVGIE.tmp
File created	C:\Program Files (x86)\EAngBackup\is-OB7MK.tmp	is-LVGIE.tmp
File created	C:\Program Files (x86)\EAngBackup\is-PKC0J.tmp	is-LVGIE.tmp
File created	C:\Program Files (x86)\EAngBackup\Help\is-7G1GI.tmp	is-LVGIE.tmp
File created	C:\Program Files (x86)\EAngBackup\Help\is-A3356.tmp	is-LVGIE.tmp
File created	C:\Program Files (x86)\EAngBackup\Help\images\is-OJOP0.tmp	is-LVGIE.tmp
File created	C:\Program Files (x86)\EAngBackup\Languages\is-QCSML.tmp	is-LVGIE.tmp
File opened for modification	C:\Program Files (x86)\EAngBackup\SyncBackupShell.exe	is-LVGIE.tmp
File created	C:\Program Files (x86)\EAngBackup\is-JT1MR.tmp	is-LVGIE.tmp
File created	C:\Program Files (x86)\EAngBackup\is-H34K3.tmp	is-LVGIE.tmp
File created	C:\Program Files (x86)\EAngBackup\is-PT7BS.tmp	is-LVGIE.tmp
File created	C:\Program Files (x86)\EAngBackup\Help\images\is-TAV54.tmp	is-LVGIE.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 1912	2924	xiibEOQw27sQBt.exe	82
PID 2924 wrote to memory of 1912	2924	xiibEOQw27sQBt.exe	82
PID 2924 wrote to memory of 1912	2924	xiibEOQw27sQBt.exe	82
PID 1912 wrote to memory of 644	1912	is-LVGIE.tmp	83
PID 1912 wrote to memory of 644	1912	is-LVGIE.tmp	83
PID 1912 wrote to memory of 644	1912	is-LVGIE.tmp	83

C:\Users\Admin\AppData\Local\Temp\xiibEOQw27sQBt.exe
"C:\Users\Admin\AppData\Local\Temp\xiibEOQw27sQBt.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\is-75GDB.tmp\is-LVGIE.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-75GDB.tmp\is-LVGIE.tmp" /SL4 $8003E "C:\Users\Admin\AppData\Local\Temp\xiibEOQw27sQBt.exe" 1601190 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Program Files (x86)\EAngBackup\SyncBackupShell.exe
    "C:\Program Files (x86)\EAngBackup\SyncBackupShell.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\EAngBackup\SyncBackupShell.exe

Filesize
3.8MB

MD5
1634be73de99e1dd06e7a8499b5c770b

SHA1
ee2e5befc1c3b33424841c857c284b7a9a92ebb7

SHA256
d8ad5a0c2afa065383e238f6d4d3b2c44cc6f3d6776200546d1ed91e3cd8a6b8

SHA512
b47566bd6041b68de5f5cf64984752a1de27d231b3b4db2eeabed65bb9ef9542fcb449e83480602dc7cd7a3562acd3cf50c313a5f6c5c2792259c848f7b0cd8f

Download Submit
C:\Program Files (x86)\EAngBackup\SyncBackupShell.exe

Filesize
3.8MB

MD5
1634be73de99e1dd06e7a8499b5c770b

SHA1
ee2e5befc1c3b33424841c857c284b7a9a92ebb7

SHA256
d8ad5a0c2afa065383e238f6d4d3b2c44cc6f3d6776200546d1ed91e3cd8a6b8

SHA512
b47566bd6041b68de5f5cf64984752a1de27d231b3b4db2eeabed65bb9ef9542fcb449e83480602dc7cd7a3562acd3cf50c313a5f6c5c2792259c848f7b0cd8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-75GDB.tmp\is-LVGIE.tmp

Filesize
644KB

MD5
1f2bc482c99f55a713cf6ca3c1ff04f8

SHA1
852bacef61b885aa31afc7f615de6c6af0f715f4

SHA256
0a0d0b1916549cf997e2110a768d5bd088f5d1390960c22cb9609fe722779dcf

SHA512
a0ece5740fadbdb08f8a9efdb5e72b56198cfb35981835e03dafd2ad09d61bc592e602887d7cf65c58fc19b26caea653c1b5e5d4f35a85ebdc784300aa6948e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-75GDB.tmp\is-LVGIE.tmp

Filesize
644KB

MD5
1f2bc482c99f55a713cf6ca3c1ff04f8

SHA1
852bacef61b885aa31afc7f615de6c6af0f715f4

SHA256
0a0d0b1916549cf997e2110a768d5bd088f5d1390960c22cb9609fe722779dcf

SHA512
a0ece5740fadbdb08f8a9efdb5e72b56198cfb35981835e03dafd2ad09d61bc592e602887d7cf65c58fc19b26caea653c1b5e5d4f35a85ebdc784300aa6948e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VRLBJ.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/644-180-0x0000000000400000-0x00000000013DF000-memory.dmp

Filesize
15.9MB

Download
memory/644-184-0x0000000000400000-0x00000000013DF000-memory.dmp

Filesize
15.9MB

Download
memory/644-183-0x0000000000400000-0x00000000013DF000-memory.dmp

Filesize
15.9MB

Download
memory/1912-159-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/1912-185-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2924-133-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2924-186-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing