6e027b8d745ea9ef349493f65d12347d090b2a6ae7b0162b4f8c9c801a82b7f9

General

Target

KoalageddonInstaller.exe
Size

2.9MB
MD5

238691250a5960beb04574bbb4ba069c
SHA1

f4f3b5fa7e0edd6aa99587aedfe9dd89a3b582f0
SHA256

6e027b8d745ea9ef349493f65d12347d090b2a6ae7b0162b4f8c9c801a82b7f9
SHA512

941ed390d9fd374c15c26e3027609567f217d0069b8a248c1ae649d5516fd2bf2e6be2ba7547526bd215c727e31ec0c83068d138b585b2b408c157930a3bfb3e
SSDEEP

49152:Nqe3f6lOhceD/FPTOVZjVaopG+HzPiicUf+DidXvh6dS/04OOR5Qv2U:cSilkJ/FKZvpG+H++f+DidXvh6d204Ot

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1092	KoalageddonInstaller.tmp
3224	IntegrationWizard32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2636	1072	WerFault.exe	99

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1092	KoalageddonInstaller.tmp
1092	KoalageddonInstaller.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	3224	IntegrationWizard32.exe
Token: SeTakeOwnershipPrivilege	3224	IntegrationWizard32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1092	KoalageddonInstaller.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3224	IntegrationWizard32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 1092	5020	KoalageddonInstaller.exe	86
PID 5020 wrote to memory of 1092	5020	KoalageddonInstaller.exe	86
PID 5020 wrote to memory of 1092	5020	KoalageddonInstaller.exe	86

C:\Users\Admin\AppData\Local\Temp\KoalageddonInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\KoalageddonInstaller.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\is-LVNQ5.tmp\KoalageddonInstaller.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-LVNQ5.tmp\KoalageddonInstaller.tmp" /SL5="$60162,2244670,780800,C:\Users\Admin\AppData\Local\Temp\KoalageddonInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:1092

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 1072 -ip 1072
1⤵
PID:4984

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1072 -s 1972
1⤵
- Program crash
PID:2636

C:\Users\Admin\AppData\Local\Programs\Koalageddon\IntegrationWizard32.exe
"C:\Users\Admin\AppData\Local\Programs\Koalageddon\IntegrationWizard32.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\Koalageddon\IntegrationWizard32.exe

Filesize
614KB

MD5
8d188050b9e4c0a5f0f24fcea65b1133

SHA1
3b1d04ee1adec2cd53d8721aee45fc112b5700da

SHA256
6c2e59b3ecc0e453a141e7229e25cafeb286ebe27c0c68096c18bfb3ce97b50a

SHA512
e220c535bd4bcc6897eb892e5731ad6e78ffb6d642dffb2ae104e8b5d642cdb53bd2a8e3e90ca62c7b199f85559467f2af0ebee62c1e75b3ca5e2e90c1b53ba8

Download Submit
C:\Users\Admin\AppData\Local\Programs\Koalageddon\IntegrationWizard32.exe

Filesize
614KB

MD5
8d188050b9e4c0a5f0f24fcea65b1133

SHA1
3b1d04ee1adec2cd53d8721aee45fc112b5700da

SHA256
6c2e59b3ecc0e453a141e7229e25cafeb286ebe27c0c68096c18bfb3ce97b50a

SHA512
e220c535bd4bcc6897eb892e5731ad6e78ffb6d642dffb2ae104e8b5d642cdb53bd2a8e3e90ca62c7b199f85559467f2af0ebee62c1e75b3ca5e2e90c1b53ba8

Download Submit
C:\Users\Admin\AppData\Local\Programs\Koalageddon\IntegrationWizard32.exe

Filesize
614KB

MD5
8d188050b9e4c0a5f0f24fcea65b1133

SHA1
3b1d04ee1adec2cd53d8721aee45fc112b5700da

SHA256
6c2e59b3ecc0e453a141e7229e25cafeb286ebe27c0c68096c18bfb3ce97b50a

SHA512
e220c535bd4bcc6897eb892e5731ad6e78ffb6d642dffb2ae104e8b5d642cdb53bd2a8e3e90ca62c7b199f85559467f2af0ebee62c1e75b3ca5e2e90c1b53ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LVNQ5.tmp\KoalageddonInstaller.tmp

Filesize
2.9MB

MD5
094deb38ab94632c639192a61a62e820

SHA1
aeb88d8bf73632dd17dec410054cc7e3bd9ac6f3

SHA256
47feec7d162557b5b989280d6f57bbd44c976d24063d5fe01a68bb4c230cc610

SHA512
8795268aef7c405ed05c522b63cd80519098207fca5ba02281d9a79082ae4b34b5ee8b8648ac1a9782e7f63c53fbdf561f434ec8c97b3f6bb0cd33cc4b96b8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LVNQ5.tmp\KoalageddonInstaller.tmp

Filesize
2.9MB

MD5
094deb38ab94632c639192a61a62e820

SHA1
aeb88d8bf73632dd17dec410054cc7e3bd9ac6f3

SHA256
47feec7d162557b5b989280d6f57bbd44c976d24063d5fe01a68bb4c230cc610

SHA512
8795268aef7c405ed05c522b63cd80519098207fca5ba02281d9a79082ae4b34b5ee8b8648ac1a9782e7f63c53fbdf561f434ec8c97b3f6bb0cd33cc4b96b8ea

Download Submit
memory/1092-176-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1092-143-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/1092-167-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1092-142-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1092-139-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/5020-134-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5020-177-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5020-140-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing