0a556cae58e0ffc02ebfe7be0e913dd9220639b175e36b0371cbace2cea4d72c

Analysis

max time kernel
143s
max time network
154s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
03-11-2023 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a556cae58e0ffc02ebfe7be0e913dd9220639b175e36b0371cbace2cea4d72c.exe
Size

5.4MB
MD5

0487a0d8198048dbbeb0bf9793f02aef
SHA1

1fe039fbcd319a4296924cfa16f1dd9a0d621e9c
SHA256

0a556cae58e0ffc02ebfe7be0e913dd9220639b175e36b0371cbace2cea4d72c
SHA512

b86ef84947e0394b27bb8460021a2e08d218514bcff94b92f9aab64f66663a98c5d9ef4fa7ed089dccd1a917fab9d1cfc2a5c0e2e78e79246e2a240ccf9d6734
SSDEEP

98304:pd5QnY1PB46ww2V2niT/qZofuIu8otdOpcQ/fTX/e4P8bVy2ZS3YfURpbXEheZ7e:75AY1PB46iLHvu82dOpcQ/7XG4P8bU2R

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
772	is-MLUOS.tmp
3628	IBuster.exe
2844	IBuster.exe

Loads dropped DLL 1 IoCs

pid	Process
772	is-MLUOS.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	51.159.66.125

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\IBuster\Lang\is-V9PMH.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Online\is-9JTVL.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Online\is-0QKCD.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-JLG4J.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-T5U64.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-9P6J0.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-7K637.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Plugins\is-JPBK0.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Plugins\is-76ML5.tmp	is-MLUOS.tmp
File opened for modification	C:\Program Files (x86)\IBuster\IBuster.exe	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-TRGV8.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-CF5H0.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-1TBTJ.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Plugins\is-S2C87.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-IIBRQ.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-6RE92.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-4KB4U.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-O086S.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-GT7GB.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\unins000.dat	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-LC3DN.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-VIQII.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-N09GS.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-E2M4B.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Help\is-9EADH.tmp	is-MLUOS.tmp
File opened for modification	C:\Program Files (x86)\IBuster\unins000.dat	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\is-9434F.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-G6SEN.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-16KLQ.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-CCKSP.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-U5FIT.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Lang\is-LC5HT.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\Plugins\is-MKUPD.tmp	is-MLUOS.tmp
File created	C:\Program Files (x86)\IBuster\is-6UO9O.tmp	is-MLUOS.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 772	4516	0a556cae58e0ffc02ebfe7be0e913dd9220639b175e36b0371cbace2cea4d72c.exe	70
PID 4516 wrote to memory of 772	4516	0a556cae58e0ffc02ebfe7be0e913dd9220639b175e36b0371cbace2cea4d72c.exe	70
PID 4516 wrote to memory of 772	4516	0a556cae58e0ffc02ebfe7be0e913dd9220639b175e36b0371cbace2cea4d72c.exe	70
PID 772 wrote to memory of 696	772	is-MLUOS.tmp	71
PID 772 wrote to memory of 696	772	is-MLUOS.tmp	71
PID 772 wrote to memory of 696	772	is-MLUOS.tmp	71
PID 772 wrote to memory of 3628	772	is-MLUOS.tmp	73
PID 772 wrote to memory of 3628	772	is-MLUOS.tmp	73
PID 772 wrote to memory of 3628	772	is-MLUOS.tmp	73
PID 696 wrote to memory of 3440	696	net.exe	74
PID 696 wrote to memory of 3440	696	net.exe	74
PID 696 wrote to memory of 3440	696	net.exe	74
PID 772 wrote to memory of 2844	772	is-MLUOS.tmp	75
PID 772 wrote to memory of 2844	772	is-MLUOS.tmp	75
PID 772 wrote to memory of 2844	772	is-MLUOS.tmp	75

C:\Users\Admin\AppData\Local\Temp\0a556cae58e0ffc02ebfe7be0e913dd9220639b175e36b0371cbace2cea4d72c.exe
"C:\Users\Admin\AppData\Local\Temp\0a556cae58e0ffc02ebfe7be0e913dd9220639b175e36b0371cbace2cea4d72c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Users\Admin\AppData\Local\Temp\is-SMKG9.tmp\is-MLUOS.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-SMKG9.tmp\is-MLUOS.tmp" /SL4 $8021C "C:\Users\Admin\AppData\Local\Temp\0a556cae58e0ffc02ebfe7be0e913dd9220639b175e36b0371cbace2cea4d72c.exe" 5313934 114176
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 3
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 3
      4⤵
      PID:3440
- - C:\Program Files (x86)\IBuster\IBuster.exe
    "C:\Program Files (x86)\IBuster\IBuster.exe" -i
    3⤵
    - Executes dropped EXE
    PID:3628
- - C:\Program Files (x86)\IBuster\IBuster.exe
    "C:\Program Files (x86)\IBuster\IBuster.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\IBuster\IBuster.exe

Filesize
4.0MB

MD5
0f8d634e00fc0d28a834a397b249bf8a

SHA1
8918916495816f46414b4e211ecb9c238dbb53c1

SHA256
64d670859f59fed76758ac9e838ed079eb67558517b251652885423424044098

SHA512
22de97b0b48dd823aef1f33a954145acc35426509a40a1281b3ee3abe78104cdf050c2d30c323eca0a78e46490492631f3e882a815091550e969508e6ffae495

Download Submit
C:\Program Files (x86)\IBuster\IBuster.exe

Filesize
4.0MB

MD5
0f8d634e00fc0d28a834a397b249bf8a

SHA1
8918916495816f46414b4e211ecb9c238dbb53c1

SHA256
64d670859f59fed76758ac9e838ed079eb67558517b251652885423424044098

SHA512
22de97b0b48dd823aef1f33a954145acc35426509a40a1281b3ee3abe78104cdf050c2d30c323eca0a78e46490492631f3e882a815091550e969508e6ffae495

Download Submit
C:\Program Files (x86)\IBuster\IBuster.exe

Filesize
4.0MB

MD5
0f8d634e00fc0d28a834a397b249bf8a

SHA1
8918916495816f46414b4e211ecb9c238dbb53c1

SHA256
64d670859f59fed76758ac9e838ed079eb67558517b251652885423424044098

SHA512
22de97b0b48dd823aef1f33a954145acc35426509a40a1281b3ee3abe78104cdf050c2d30c323eca0a78e46490492631f3e882a815091550e969508e6ffae495

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SMKG9.tmp\is-MLUOS.tmp

Filesize
643KB

MD5
a991510c12f20ccf8a5231a32a7958c3

SHA1
122724d1a4fdea39af3aa427e4941158d7e91dfa

SHA256
0c3ab280e156e9ff6a325267bc5d721f71dcb12490a53a03a033d932272f9198

SHA512
8f387a6189f6fa51f84004706589ed1706dfd08dfc38c1f8ce3ce010f37efac085fd241396ab69bc25c86174a4637492163bf3cb26f88639551dc9fa0c52eafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SMKG9.tmp\is-MLUOS.tmp

Filesize
643KB

MD5
a991510c12f20ccf8a5231a32a7958c3

SHA1
122724d1a4fdea39af3aa427e4941158d7e91dfa

SHA256
0c3ab280e156e9ff6a325267bc5d721f71dcb12490a53a03a033d932272f9198

SHA512
8f387a6189f6fa51f84004706589ed1706dfd08dfc38c1f8ce3ce010f37efac085fd241396ab69bc25c86174a4637492163bf3cb26f88639551dc9fa0c52eafa

Download Submit
\Users\Admin\AppData\Local\Temp\is-L48UF.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/772-7-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/772-95-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/772-93-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2844-113-0x0000000000AA0000-0x0000000000B4D000-memory.dmp

Filesize
692KB

Download
memory/2844-124-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/2844-140-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/2844-90-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/2844-91-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/2844-137-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/2844-133-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/2844-130-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/2844-96-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/2844-99-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/2844-102-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/2844-105-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/2844-108-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/2844-111-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/2844-112-0x0000000000AA0000-0x0000000000B4D000-memory.dmp

Filesize
692KB

Download
memory/2844-127-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/2844-117-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/2844-118-0x0000000000AA0000-0x0000000000B4D000-memory.dmp

Filesize
692KB

Download
memory/2844-121-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/3628-86-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/3628-82-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/3628-84-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/3628-87-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/4516-1-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4516-92-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download