f980e92af3341650819ca6c985294ebe0aa78d38bdfe249536d7ec7f2efc6ecf

General

Target

0f29445baa824f6729cbda3d90b15cec.exe
Size

2.8MB
MD5

0f29445baa824f6729cbda3d90b15cec
SHA1

572195b4193529d842653e678eeec7dc3544ee2f
SHA256

f980e92af3341650819ca6c985294ebe0aa78d38bdfe249536d7ec7f2efc6ecf
SHA512

a05bb0cb18d3c7e0ce5795397beeaee90078c272afccf5211d911eae4bc39078bed7da22c528e77ed4daea1c1b4e736c2f361cdb6e525e4132ba4793e433cc81
SSDEEP

49152:9qe3f6PUk/4g+H98AHaCfu6rtWBu1SSmqOIzDamifOL9T9vEXv:MSiPUk/XE9vBugtL1SNaRLh9vEXv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4320	0f29445baa824f6729cbda3d90b15cec.tmp

Loads dropped DLL 3 IoCs

pid	Process
4320	0f29445baa824f6729cbda3d90b15cec.tmp
4320	0f29445baa824f6729cbda3d90b15cec.tmp
4320	0f29445baa824f6729cbda3d90b15cec.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0f29445baa824f6729cbda3d90b15cec.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	0f29445baa824f6729cbda3d90b15cec.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4320	0f29445baa824f6729cbda3d90b15cec.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 4320	868	0f29445baa824f6729cbda3d90b15cec.exe	83
PID 868 wrote to memory of 4320	868	0f29445baa824f6729cbda3d90b15cec.exe	83
PID 868 wrote to memory of 4320	868	0f29445baa824f6729cbda3d90b15cec.exe	83

C:\Users\Admin\AppData\Local\Temp\0f29445baa824f6729cbda3d90b15cec.exe
"C:\Users\Admin\AppData\Local\Temp\0f29445baa824f6729cbda3d90b15cec.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:868
- C:\Users\Admin\AppData\Local\Temp\is-49FC4.tmp\0f29445baa824f6729cbda3d90b15cec.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-49FC4.tmp\0f29445baa824f6729cbda3d90b15cec.tmp" /SL5="$100040,1907617,1111552,C:\Users\Admin\AppData\Local\Temp\0f29445baa824f6729cbda3d90b15cec.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-49FC4.tmp\0f29445baa824f6729cbda3d90b15cec.tmp

Filesize
3.2MB

MD5
aadc16c8ad4312196df3aa1d9f6386d3

SHA1
ff4d78923e0d957e6a66b3c06efecc435c396c7a

SHA256
04fade43204ecbbb378114a023b3db4a3aebe8258ff3b3846156e80a9c5cf4a3

SHA512
51621ec71d530d75e4a537381edf03bc48b234dd861547c950573febf5709a1716ee797368854512edf1950a4e1f4f8bbe292417a0dd238600338a39e2454e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4FF82.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4FF82.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4FF82.tmp\loader.gif

Filesize
10KB

MD5
f23a523b82ad9103a9ac1dcc33eca72f

SHA1
5363bb6b51923441ef56638576307cc252f05a71

SHA256
59853c413b0813ded6f1e557959768d6662f010f49884d36b62c13038fac739c

SHA512
514ec63f7ed80d0708f7e2355fad8a558b4dcf2d0122ff98fe7c3ca1f40e7cd04e8869ca7a3b95622c0848c0d99306d7e791b86ca69b9e240beae959ca6285be

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4FF82.tmp\logo.png

Filesize
9KB

MD5
2c050a55ade91ca10c94c41fdceaa8cb

SHA1
178fd0ee1c184fe681d89bff0ff8b89392723a67

SHA256
43262c9cc6328d67007b97a8eb36c924d05d45a383349e61b067f35677e1ad6e

SHA512
425825cbe2a417f10832c37fc0e571ca3e3f9b940f93f9f8ec8fcff2df896a52ff753386c30e03836d588b6bf355323dbea2e3a0cbf756f8f3c7065335cbfeac

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4FF82.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
e1f18a22199c6f6aa5d87b24e5b39ef1

SHA1
0dcd8f90b575f6f1d10d6789fe769fa26daafd0e

SHA256
62c56c8cf2ac6521ce047b73aa99b6d3952ca53f11d34b00e98d17674a2fc10d

SHA512
5a10a2f096adce6e7db3a40bc3ea3fd44d602966e606706ee5a780703f211de7f77656c79c296390baee1e008dc3ce327eaaf5d78bbae20108670c5bc809a190

Download Submit
memory/868-1-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/868-36-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4320-29-0x0000000003960000-0x000000000396F000-memory.dmp

Filesize
60KB

Download
memory/4320-6-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/4320-37-0x0000000000400000-0x000000000073F000-memory.dmp

Filesize
3.2MB

Download
memory/4320-38-0x0000000003960000-0x000000000396F000-memory.dmp

Filesize
60KB

Download
memory/4320-39-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing