8054e0023234962f5fd008e2d10f36d900c6abeedb58280612ea0c98d83d53f8

Analysis

max time kernel
15s
max time network
21s
platform
windows10-1703_x64
resource
win10-20230703-es
resource tags

arch:x64arch:x86image:win10-20230703-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
31/08/2023, 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IADS_Setup.exe
Size

493KB
MD5

fb7660826ffeebb0cb814c7f6db111f2
SHA1

22b5fa95aba53733f6e18629f6ca7c620609598b
SHA256

8054e0023234962f5fd008e2d10f36d900c6abeedb58280612ea0c98d83d53f8
SHA512

629fcfd0e90b8a1c66938bf31b9fe7c65b673440ab240145d70b1d61c661718e2bd823ea776ad63cffc299cf37b6abcb86b79dcb905170c57bf512b27a5c7130
SSDEEP

6144:M50gUCWTq4uL4JgmeAXC1D9vkPcreN+zNp4xSOQVsIc0fG/hvijPwSstM2ArLKIj:e0g4ZlJdDjc99

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2108	IADS_Setup.exe
2108	IADS_Setup.exe
2108	IADS_Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
1096	taskkill.exe
208	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1096	taskkill.exe
Token: SeDebugPrivilege	208	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1096	2108	IADS_Setup.exe	70
PID 2108 wrote to memory of 1096	2108	IADS_Setup.exe	70
PID 2108 wrote to memory of 1096	2108	IADS_Setup.exe	70
PID 2108 wrote to memory of 208	2108	IADS_Setup.exe	73
PID 2108 wrote to memory of 208	2108	IADS_Setup.exe	73
PID 2108 wrote to memory of 208	2108	IADS_Setup.exe	73

C:\Users\Admin\AppData\Local\Temp\IADS_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\IADS_Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /im IADSIM.exe /t /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1096
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /im iads4.exe /t /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsgEDAD.tmp\nsExec.dll

Filesize
6KB

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgEDAD.tmp\nsisXML.dll

Filesize
12KB

MD5
c5285d861243f3b41648af5c0ffd5678

SHA1
50012e20b898e2f1abad27a4bdca12033e618add

SHA256
35e54b12771f671bd8d9677369eb8216b54de0608a07a92ef17a4c29a841935f

SHA512
92c687319e989199e392a81bbd16c00a551c1df9fc3535e98b2da0604424b148a4c379578837aacfa4e204d494c0f0b0ed4f7638cbf7462bc937b4e198631350

Download Submit
\Users\Admin\AppData\Local\Temp\nsgEDAD.tmp\nsExec.dll

Filesize
6KB

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\nsgEDAD.tmp\nsExec.dll

Filesize
6KB

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\nsgEDAD.tmp\nsisXML.dll

Filesize
12KB

MD5
c5285d861243f3b41648af5c0ffd5678

SHA1
50012e20b898e2f1abad27a4bdca12033e618add

SHA256
35e54b12771f671bd8d9677369eb8216b54de0608a07a92ef17a4c29a841935f

SHA512
92c687319e989199e392a81bbd16c00a551c1df9fc3535e98b2da0604424b148a4c379578837aacfa4e204d494c0f0b0ed4f7638cbf7462bc937b4e198631350

Download Submit