25e0928fa6d8392e08c0da5f7ff348d1953ca310f84fcfc0e89b6da0bd9f99f6

Analysis

max time kernel
36s
max time network
36s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15/06/2023, 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05536299.exe
Size

1.8MB
MD5

0d29e755568b5f8cdc92e8eb8a3a6939
SHA1

5e53441eb0d63691c912808c7c341ae023cb9ad4
SHA256

25e0928fa6d8392e08c0da5f7ff348d1953ca310f84fcfc0e89b6da0bd9f99f6
SHA512

6ae32c7d8aeeef23ed2cbcee108fee8c7f08b3e5a6aa23324ea0b5049d393bc6ec72a7cd7d0ba635c31eb5cc721ae37076d6190053637c62d8723dbbacbca0a0
SSDEEP

49152:LmG+mSjyWGGajZgw1MlvfTSoIgwC2rC3UHHQorvWyadJT:LmrxOWkZgw4SzTC2re6Qor6dt

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
framework.pcsoft.fr
Port:
21
Username:
framework
Password:
framework

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1152	InstallFramework.exe
1624	InstallFramework.exe

Loads dropped DLL 8 IoCs

pid	Process
840	05536299.exe
1152	InstallFramework.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
840	05536299.exe
840	05536299.exe
840	05536299.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
840	05536299.exe
840	05536299.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe
840	05536299.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 1152	840	05536299.exe	28
PID 840 wrote to memory of 1152	840	05536299.exe	28
PID 840 wrote to memory of 1152	840	05536299.exe	28
PID 840 wrote to memory of 1152	840	05536299.exe	28
PID 840 wrote to memory of 1152	840	05536299.exe	28
PID 840 wrote to memory of 1152	840	05536299.exe	28
PID 840 wrote to memory of 1152	840	05536299.exe	28
PID 1152 wrote to memory of 1624	1152	InstallFramework.exe	29
PID 1152 wrote to memory of 1624	1152	InstallFramework.exe	29
PID 1152 wrote to memory of 1624	1152	InstallFramework.exe	29
PID 1152 wrote to memory of 1624	1152	InstallFramework.exe	29
PID 1152 wrote to memory of 1624	1152	InstallFramework.exe	29
PID 1152 wrote to memory of 1624	1152	InstallFramework.exe	29
PID 1152 wrote to memory of 1624	1152	InstallFramework.exe	29
PID 840 wrote to memory of 1144	840	05536299.exe	30
PID 840 wrote to memory of 1144	840	05536299.exe	30
PID 840 wrote to memory of 1144	840	05536299.exe	30
PID 840 wrote to memory of 1144	840	05536299.exe	30

C:\Users\Admin\AppData\Local\Temp\05536299.exe
"C:\Users\Admin\AppData\Local\Temp\05536299.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe" /REP="C:\Users\Admin\AppData\Local\Temp\" /SILENT
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe" /REP="C:\Users\Admin\AppData\Local\Temp\" /SILENT /RELANCE
    3⤵
    - Executes dropped EXE
    PID:1624
- C:\Windows\SysWOW64\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "840" "972"
  2⤵
  PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CXEE235.tmp.txt

Filesize
2KB

MD5
2f3bc481509a0dd580934bffb52f77b8

SHA1
8f027081adcade04ac830a20707f749dc018036d

SHA256
fa0a1349f32b8718339034e98c93e3016ea49f0739421dc88d671d49a1435bf1

SHA512
d21b98c90e6e77f398698b9a34be0d027d6cd5d8f3d7324993278c8a1d1b3ce00d399bb25e4e8b659d576c494e4abd9e7957a1f2ce0017484c394a6af1adc4ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe

Filesize
40.8MB

MD5
d3cbac41fd95ba13f147b81f3446fd59

SHA1
5b6a3c8d416d6adbe46dedeccd34d25c14af6d9b

SHA256
0999ca1290998861774230ab652fb176d9d143b69bb137e7bc02110f2d949b80

SHA512
a2e2c04048c6c4c339aed099bb62c716b6ddc8a5d73953e0e4c641838bf7868cca46a1f4a1c2891c725d71ac130563660f0115910f49fcc66ada759297895095

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe

Filesize
40.8MB

MD5
d3cbac41fd95ba13f147b81f3446fd59

SHA1
5b6a3c8d416d6adbe46dedeccd34d25c14af6d9b

SHA256
0999ca1290998861774230ab652fb176d9d143b69bb137e7bc02110f2d949b80

SHA512
a2e2c04048c6c4c339aed099bb62c716b6ddc8a5d73953e0e4c641838bf7868cca46a1f4a1c2891c725d71ac130563660f0115910f49fcc66ada759297895095

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe

Filesize
40.8MB

MD5
d3cbac41fd95ba13f147b81f3446fd59

SHA1
5b6a3c8d416d6adbe46dedeccd34d25c14af6d9b

SHA256
0999ca1290998861774230ab652fb176d9d143b69bb137e7bc02110f2d949b80

SHA512
a2e2c04048c6c4c339aed099bb62c716b6ddc8a5d73953e0e4c641838bf7868cca46a1f4a1c2891c725d71ac130563660f0115910f49fcc66ada759297895095

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe

Filesize
40.8MB

MD5
d3cbac41fd95ba13f147b81f3446fd59

SHA1
5b6a3c8d416d6adbe46dedeccd34d25c14af6d9b

SHA256
0999ca1290998861774230ab652fb176d9d143b69bb137e7bc02110f2d949b80

SHA512
a2e2c04048c6c4c339aed099bb62c716b6ddc8a5d73953e0e4c641838bf7868cca46a1f4a1c2891c725d71ac130563660f0115910f49fcc66ada759297895095

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport7135707.txt

Filesize
1KB

MD5
a983303dcc389922e9ea71640014cab7

SHA1
546c89048136274a46b42f9aa66c4ec46ee47acc

SHA256
26c9315159a6b9e131226179b1f36cc569826478273ddcf346838cfa084b2ed4

SHA512
2cf41b863738fa5eb2b6d73948a83f50399190f50d01385f74ee171e782cdb6d7f6e714ea576021d8124ceee9214e6d9f81a75bc1625b3f65990be0e36c32d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\wd230hf.dll

Filesize
3.8MB

MD5
21d1d58c3f0e1040eb293655a0436937

SHA1
409a1b6a0a86103ee0446f68b6c056daa6c37843

SHA256
59205bc10f1fcba1976862a4508b17bfc22dd87846b960696a4b4e69cb7b8093

SHA512
2fa54db005ae4b71a092da61a4bf1f1d590404bf00799b5508ae3232e9fa89faec5f9bb0c287c9d61ac82697a48ffa1c064ca76f2d9e0db83e4ee891465734f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wd230obj.dll

Filesize
9.4MB

MD5
7114770c46cd2a896780d642417bf0d0

SHA1
e3ef6361a02562832bbf70cbd7856d9dccea9e68

SHA256
663099f249e090ad3ad848eb453f656e2c0adf74d4886f4056585ac83d1c0338

SHA512
667936e0759e1e15495806dfbf17d365592f6c7de4d2d90d790a19974c944f0b3b7cd840f161cda1c0d6b3fc8a1a68cf76846757206d4ef840594e5233635f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wd230pdf.dll

Filesize
4.6MB

MD5
4f6ec91636771674d3736e306c272fd4

SHA1
8bb96e3f0b040c5c0c2fa5cf52c6eff8e7294ce6

SHA256
59cf5966b4effb1800ab84015bb3c17e0addeee9f1ceeb2bd0020661639f467b

SHA512
b18c5c6c64b1b66fa17789186bfbe19a3a420dfd832aac1681552fdc02982bc2e906458eb2449f650e8a9c8c3a8dbd05b881d4423a31e3d781232836af67a8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\wd230pnt.dll

Filesize
1.3MB

MD5
96269520a0c25a36e175cbe412b7881f

SHA1
f4b3cce9d819b0bc29001f9c5cbd202cb40a3f01

SHA256
15311986fca94d616a8bb2885623f86be7a8731274f19bc68529e6e35030b5db

SHA512
1390a1bf97a0fcffe7e9b0a7bdc8bf0d5522ada19fc640a3a8f98b0e7a8471b7b158522e93bb672f4058a82688d9deb118f40a61e03de106a3cc3a8976a820f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wd230std.dll

Filesize
1.7MB

MD5
312af05337d9d3f50c0196ab8ece424b

SHA1
9e28d88be035d63542fb8dab77168e12258905b5

SHA256
ca5eb824f28cf18f638c3a87a6779575514a3894eef3326446d9151646aa492a

SHA512
abf6e36a45e5223c48d8684aea6ecb35870c41438494edd3b9dd64b1413f6ef749d2c92249789da9b20ee70e8caf0ad44fb4d3a88672137dc5523aaa5a27ee3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wd230vm.dll

Filesize
4.0MB

MD5
16ceec3bfb10291fee1f703b1565fc7f

SHA1
6897debaaea64ff57152bd389a79719908b41675

SHA256
1c8ddf7ad5e4b60258d14ccf5db3f8538cc6e14283b255710d147bc5ba012642

SHA512
d9120b2f32a03d0098522d9617efcb6826e7bb0809a64844fd2a51d5df981c77052cc5291ba985982eca0d2c33d8a2648ba38119ef2a6fef8105ea308e6c65a9

Download Submit
\Users\Admin\AppData\Local\Temp\InstallFramework.exe

Filesize
40.8MB

MD5
d3cbac41fd95ba13f147b81f3446fd59

SHA1
5b6a3c8d416d6adbe46dedeccd34d25c14af6d9b

SHA256
0999ca1290998861774230ab652fb176d9d143b69bb137e7bc02110f2d949b80

SHA512
a2e2c04048c6c4c339aed099bb62c716b6ddc8a5d73953e0e4c641838bf7868cca46a1f4a1c2891c725d71ac130563660f0115910f49fcc66ada759297895095

Download Submit
\Users\Admin\AppData\Local\Temp\InstallFramework.exe

Filesize
40.8MB

MD5
d3cbac41fd95ba13f147b81f3446fd59

SHA1
5b6a3c8d416d6adbe46dedeccd34d25c14af6d9b

SHA256
0999ca1290998861774230ab652fb176d9d143b69bb137e7bc02110f2d949b80

SHA512
a2e2c04048c6c4c339aed099bb62c716b6ddc8a5d73953e0e4c641838bf7868cca46a1f4a1c2891c725d71ac130563660f0115910f49fcc66ada759297895095

Download Submit
\Users\Admin\AppData\Local\Temp\desobj.dll

Filesize
9.4MB

MD5
7114770c46cd2a896780d642417bf0d0

SHA1
e3ef6361a02562832bbf70cbd7856d9dccea9e68

SHA256
663099f249e090ad3ad848eb453f656e2c0adf74d4886f4056585ac83d1c0338

SHA512
667936e0759e1e15495806dfbf17d365592f6c7de4d2d90d790a19974c944f0b3b7cd840f161cda1c0d6b3fc8a1a68cf76846757206d4ef840594e5233635f7e

Download Submit
\Users\Admin\AppData\Local\Temp\despnt.dll

Filesize
1.3MB

MD5
96269520a0c25a36e175cbe412b7881f

SHA1
f4b3cce9d819b0bc29001f9c5cbd202cb40a3f01

SHA256
15311986fca94d616a8bb2885623f86be7a8731274f19bc68529e6e35030b5db

SHA512
1390a1bf97a0fcffe7e9b0a7bdc8bf0d5522ada19fc640a3a8f98b0e7a8471b7b158522e93bb672f4058a82688d9deb118f40a61e03de106a3cc3a8976a820f1

Download Submit
\Users\Admin\AppData\Local\Temp\desstd.DLL

Filesize
1.7MB

MD5
312af05337d9d3f50c0196ab8ece424b

SHA1
9e28d88be035d63542fb8dab77168e12258905b5

SHA256
ca5eb824f28cf18f638c3a87a6779575514a3894eef3326446d9151646aa492a

SHA512
abf6e36a45e5223c48d8684aea6ecb35870c41438494edd3b9dd64b1413f6ef749d2c92249789da9b20ee70e8caf0ad44fb4d3a88672137dc5523aaa5a27ee3e

Download Submit
\Users\Admin\AppData\Local\Temp\desvm.dll

Filesize
4.0MB

MD5
16ceec3bfb10291fee1f703b1565fc7f

SHA1
6897debaaea64ff57152bd389a79719908b41675

SHA256
1c8ddf7ad5e4b60258d14ccf5db3f8538cc6e14283b255710d147bc5ba012642

SHA512
d9120b2f32a03d0098522d9617efcb6826e7bb0809a64844fd2a51d5df981c77052cc5291ba985982eca0d2c33d8a2648ba38119ef2a6fef8105ea308e6c65a9

Download Submit
\Users\Admin\AppData\Local\Temp\wd230hf.dll

Filesize
3.8MB

MD5
21d1d58c3f0e1040eb293655a0436937

SHA1
409a1b6a0a86103ee0446f68b6c056daa6c37843

SHA256
59205bc10f1fcba1976862a4508b17bfc22dd87846b960696a4b4e69cb7b8093

SHA512
2fa54db005ae4b71a092da61a4bf1f1d590404bf00799b5508ae3232e9fa89faec5f9bb0c287c9d61ac82697a48ffa1c064ca76f2d9e0db83e4ee891465734f8

Download Submit
\Users\Admin\AppData\Local\Temp\wd230pdf.dll

Filesize
4.6MB

MD5
4f6ec91636771674d3736e306c272fd4

SHA1
8bb96e3f0b040c5c0c2fa5cf52c6eff8e7294ce6

SHA256
59cf5966b4effb1800ab84015bb3c17e0addeee9f1ceeb2bd0020661639f467b

SHA512
b18c5c6c64b1b66fa17789186bfbe19a3a420dfd832aac1681552fdc02982bc2e906458eb2449f650e8a9c8c3a8dbd05b881d4423a31e3d781232836af67a8ed

Download Submit
memory/840-165-0x0000000006650000-0x0000000006660000-memory.dmp

Filesize
64KB

Download
memory/840-159-0x0000000003A70000-0x0000000003AB0000-memory.dmp

Filesize
256KB

Download
memory/840-171-0x0000000003A70000-0x0000000003AB0000-memory.dmp

Filesize
256KB

Download