10f690fcab1b2e3686d5f3f2b25c71b52d8247036c34d0454933832141721b8d

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
29/10/2023, 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10f690fcab1b2e3686d5f3f2b25c71b52d8247036c34d0454933832141721b8d.exe
Size

5.4MB
MD5

46c0b164fe00ae7ac205708a6e098da6
SHA1

1ff3a0ee285b6f70ee2e2113d8bc97c4c52a1c21
SHA256

10f690fcab1b2e3686d5f3f2b25c71b52d8247036c34d0454933832141721b8d
SHA512

1aaf21ec93ef95ed0b52c421bd3b479318b48b2841b23e77c1819260ea47dc4e5262a1c39623a633c290f12f43830e31743de0d2be226364fa473ce210b04ad0
SSDEEP

98304:WM0FSUz4eSmbKFo2kcSrl6WgAPMUk9gNDdpl8wDkXDHnIbY/UeycSkg+PHjkengU:70IZAVaCOgfiDHUY/UrcSF+LFngR771/

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2716	eitrosfkxm.exe
2668	eitrosfkxm.tmp

Loads dropped DLL 6 IoCs

pid	Process
2332	cmd.exe
2716	eitrosfkxm.exe
2668	eitrosfkxm.tmp
2668	eitrosfkxm.tmp
2668	eitrosfkxm.tmp
2668	eitrosfkxm.tmp

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2296-0-0x00000000012F0000-0x00000000015A1000-memory.dmp	upx
behavioral1/memory/2296-6-0x00000000012F0000-0x00000000015A1000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MYPGNotes\unins000.dat	eitrosfkxm.tmp
File created	C:\Program Files (x86)\MYPGNotes\is-9CT4Q.tmp	eitrosfkxm.tmp
File created	C:\Program Files (x86)\MYPGNotes\is-0N80O.tmp	eitrosfkxm.tmp
File created	C:\Program Files (x86)\MYPGNotes\is-0H12N.tmp	eitrosfkxm.tmp
File created	C:\Program Files (x86)\MYPGNotes\is-7P9J2.tmp	eitrosfkxm.tmp
File created	C:\Program Files (x86)\MYPGNotes\is-38P2V.tmp	eitrosfkxm.tmp
File opened for modification	C:\Program Files (x86)\MYPGNotes\Qt5Concurrent.dll	eitrosfkxm.tmp
File created	C:\Program Files (x86)\MYPGNotes\is-86JNN.tmp	eitrosfkxm.tmp
File opened for modification	C:\Program Files (x86)\MYPGNotes\unins000.dat	eitrosfkxm.tmp
File opened for modification	C:\Program Files (x86)\MYPGNotes\AppleNote.exe	eitrosfkxm.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2296	10f690fcab1b2e3686d5f3f2b25c71b52d8247036c34d0454933832141721b8d.exe
2296	10f690fcab1b2e3686d5f3f2b25c71b52d8247036c34d0454933832141721b8d.exe
2668	eitrosfkxm.tmp
2668	eitrosfkxm.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2668	eitrosfkxm.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2332	2296	10f690fcab1b2e3686d5f3f2b25c71b52d8247036c34d0454933832141721b8d.exe	28
PID 2296 wrote to memory of 2332	2296	10f690fcab1b2e3686d5f3f2b25c71b52d8247036c34d0454933832141721b8d.exe	28
PID 2296 wrote to memory of 2332	2296	10f690fcab1b2e3686d5f3f2b25c71b52d8247036c34d0454933832141721b8d.exe	28
PID 2296 wrote to memory of 2332	2296	10f690fcab1b2e3686d5f3f2b25c71b52d8247036c34d0454933832141721b8d.exe	28
PID 2332 wrote to memory of 2716	2332	cmd.exe	30
PID 2332 wrote to memory of 2716	2332	cmd.exe	30
PID 2332 wrote to memory of 2716	2332	cmd.exe	30
PID 2332 wrote to memory of 2716	2332	cmd.exe	30
PID 2332 wrote to memory of 2716	2332	cmd.exe	30
PID 2332 wrote to memory of 2716	2332	cmd.exe	30
PID 2332 wrote to memory of 2716	2332	cmd.exe	30
PID 2716 wrote to memory of 2668	2716	eitrosfkxm.exe	31
PID 2716 wrote to memory of 2668	2716	eitrosfkxm.exe	31
PID 2716 wrote to memory of 2668	2716	eitrosfkxm.exe	31
PID 2716 wrote to memory of 2668	2716	eitrosfkxm.exe	31
PID 2716 wrote to memory of 2668	2716	eitrosfkxm.exe	31
PID 2716 wrote to memory of 2668	2716	eitrosfkxm.exe	31
PID 2716 wrote to memory of 2668	2716	eitrosfkxm.exe	31

C:\Users\Admin\AppData\Local\Temp\10f690fcab1b2e3686d5f3f2b25c71b52d8247036c34d0454933832141721b8d.exe
"C:\Users\Admin\AppData\Local\Temp\10f690fcab1b2e3686d5f3f2b25c71b52d8247036c34d0454933832141721b8d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\eitrosfkxm.exe" /VERYSILENT
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\eitrosfkxm.exe
    "C:\Users\Admin\AppData\Local\Temp\eitrosfkxm.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\is-P6DTL.tmp\eitrosfkxm.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-P6DTL.tmp\eitrosfkxm.tmp" /SL5="$8011E,232785,54272,C:\Users\Admin\AppData\Local\Temp\eitrosfkxm.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eitrosfkxm.exe

Filesize
526KB

MD5
9beea33ea128fd25ad509ae7ff7bcff3

SHA1
3a87a124b47d68bf8eb1d1a4f9695fb2b2a52660

SHA256
e0634bc21490c472b233aaec047438feae557f0d57ea5b78b3b48260916e2b4e

SHA512
292996177bbb804ea3f6ad51fdb74707f1a1a35d50d8ae7b082d88cbb476bae1a883133c9e1dc4cefce78bc71f8d65276e5cdaeeef03088bc54beb41269dc5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eitrosfkxm.exe

Filesize
526KB

MD5
9beea33ea128fd25ad509ae7ff7bcff3

SHA1
3a87a124b47d68bf8eb1d1a4f9695fb2b2a52660

SHA256
e0634bc21490c472b233aaec047438feae557f0d57ea5b78b3b48260916e2b4e

SHA512
292996177bbb804ea3f6ad51fdb74707f1a1a35d50d8ae7b082d88cbb476bae1a883133c9e1dc4cefce78bc71f8d65276e5cdaeeef03088bc54beb41269dc5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P6DTL.tmp\eitrosfkxm.tmp

Filesize
900KB

MD5
f8b110dc2063d3b29502aa7042d26122

SHA1
1a0fd3db79eadc1ce714f6267d476ddbec0f5e79

SHA256
e8730b0bf8f94cbb8babbfefb32cef8e8d19ec823f28c33a7d48c78589710762

SHA512
f3125d3f575aff68105ebb3eadbce30547d34e12237d8ebbc555c6fe12bcc0a5ea85a38e26f2900d70af70ec07efde3b8cd65dc0fdada637496531245ea5052f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P6DTL.tmp\eitrosfkxm.tmp

Filesize
900KB

MD5
f8b110dc2063d3b29502aa7042d26122

SHA1
1a0fd3db79eadc1ce714f6267d476ddbec0f5e79

SHA256
e8730b0bf8f94cbb8babbfefb32cef8e8d19ec823f28c33a7d48c78589710762

SHA512
f3125d3f575aff68105ebb3eadbce30547d34e12237d8ebbc555c6fe12bcc0a5ea85a38e26f2900d70af70ec07efde3b8cd65dc0fdada637496531245ea5052f

Download Submit
\Program Files (x86)\MYPGNotes\AppleNote.exe

Filesize
355KB

MD5
b9f2020458f930f4ca42b1476646eba4

SHA1
9c083e6c51efd1889e9d3022166f8107cd72f2b4

SHA256
3faaf4c99a96bc7d65ed14d2684856e0daf2573541d576d6f4ad4164f888553e

SHA512
034324c4c2f189212ea4002cd3ec7342d665b1cc644268a4b1af78ba7b7893cb8443ffe56909d813756a59dc237c4248467b705667e7a01e7e3912641198995f

Download Submit
\Program Files (x86)\MYPGNotes\unins000.exe

Filesize
907KB

MD5
54be4f878781796c5a7b4635b343c4ef

SHA1
16b9a435221f5f49284f56142a7bbf22c8f0c9f7

SHA256
ec61e41d7aff21b1b473530a6c86f4cafaf24ad6dc659d20283e081e472c51fd

SHA512
48bce9ea6003de2cf3bc273da3e941212f93840608cbb4c114ea0eeeb6616fde8aa448430e2daf8729893a3b4cb8d8c5dc3a6e5316c9ef6bd453ee7b6f14df08

Download Submit
\Users\Admin\AppData\Local\Temp\eitrosfkxm.exe

Filesize
526KB

MD5
9beea33ea128fd25ad509ae7ff7bcff3

SHA1
3a87a124b47d68bf8eb1d1a4f9695fb2b2a52660

SHA256
e0634bc21490c472b233aaec047438feae557f0d57ea5b78b3b48260916e2b4e

SHA512
292996177bbb804ea3f6ad51fdb74707f1a1a35d50d8ae7b082d88cbb476bae1a883133c9e1dc4cefce78bc71f8d65276e5cdaeeef03088bc54beb41269dc5b3

Download Submit
\Users\Admin\AppData\Local\Temp\is-K7MCF.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-K7MCF.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-P6DTL.tmp\eitrosfkxm.tmp

Filesize
900KB

MD5
f8b110dc2063d3b29502aa7042d26122

SHA1
1a0fd3db79eadc1ce714f6267d476ddbec0f5e79

SHA256
e8730b0bf8f94cbb8babbfefb32cef8e8d19ec823f28c33a7d48c78589710762

SHA512
f3125d3f575aff68105ebb3eadbce30547d34e12237d8ebbc555c6fe12bcc0a5ea85a38e26f2900d70af70ec07efde3b8cd65dc0fdada637496531245ea5052f

Download Submit
memory/2296-0-0x00000000012F0000-0x00000000015A1000-memory.dmp

Filesize
2.7MB

Download
memory/2296-1-0x0000000010000000-0x0000000010298000-memory.dmp

Filesize
2.6MB

Download
memory/2296-6-0x00000000012F0000-0x00000000015A1000-memory.dmp

Filesize
2.7MB

Download
memory/2668-18-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2668-51-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2716-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2716-52-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download