342bed82de355f704367cff7fd77d75da5e0d9eb870436adbc132c20c67298d6

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 15:08

Target

Update Bypass/FiddlerSetup.exe
Size

6.5MB
MD5

7fd1119b5f29e4094228dabf57e65a9d
SHA1

1a4e248bfe07f8c65ce68b4f29013442be6ef7c7
SHA256

5c92f0738c290eac319d4ac3006b5725f1d2163fbfe68dbb2047e07920f4d5e8
SHA512

20d22e16f5c285bd6ffdf3620762c340ffb97cc51c5080717b87442f29a14271644351b082392d9fb2fd1ce40a1fe56a4e6592a290d67f5c587e8e9eb2f33787
SSDEEP

196608:Q962sDwuahkk8ZaQd9NCMbw4fO0ADH6Op:Q5uAkk8ZBCuXfjADH6s

Score

4^/10

Executes dropped EXE 1 IoCs

Processes:

FiddlerSetup.exe

pid process

3208 FiddlerSetup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3208	FiddlerSetup.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsoB509.tmp\FiddlerSetup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nsoB509.tmp\FiddlerSetup.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\nsoB509.tmp\FiddlerSetup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nsoB509.tmp\FiddlerSetup.exe	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

FiddlerSetup.exe

description	pid	process	target process
PID 1624 wrote to memory of 3208	1624	FiddlerSetup.exe	FiddlerSetup.exe
PID 1624 wrote to memory of 3208	1624	FiddlerSetup.exe	FiddlerSetup.exe
PID 1624 wrote to memory of 3208	1624	FiddlerSetup.exe	FiddlerSetup.exe

C:\Users\Admin\AppData\Local\Temp\Update Bypass\FiddlerSetup.exe
"C:\Users\Admin\AppData\Local\Temp\Update Bypass\FiddlerSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Local\Temp\nsoB509.tmp\FiddlerSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\nsoB509.tmp\FiddlerSetup.exe" /D=
  2⤵
  - Executes dropped EXE
  PID:3208

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\nsoB509.tmp\FiddlerSetup.exe

Filesize
3.2MB

MD5
092879b4ec0b7a59be6273035da99e27

SHA1
282f2602469017d4d8401e84e248a6c138b7de97

SHA256
87d5fd5bfadffa31f6b72923be4d4a46335b3e32a4f6e306f90d04d4aed49c50

SHA512
dde4050f6a26dc0feecb7a7f2563f33db5615c15c0dd1f3e6bf8ff8aa3a4ced68a53ae66c179f56dda5a50185b5053460e63c5a0489b141d11372aacfcea4cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB509.tmp\FiddlerSetup.exe

Filesize
3.2MB

MD5
092879b4ec0b7a59be6273035da99e27

SHA1
282f2602469017d4d8401e84e248a6c138b7de97

SHA256
87d5fd5bfadffa31f6b72923be4d4a46335b3e32a4f6e306f90d04d4aed49c50

SHA512
dde4050f6a26dc0feecb7a7f2563f33db5615c15c0dd1f3e6bf8ff8aa3a4ced68a53ae66c179f56dda5a50185b5053460e63c5a0489b141d11372aacfcea4cf9

Download Submit