6dc019e0032046918d2e07a1563f18cc13fac24b8b66631d5b2ec17064e85c1b

Analysis

max time kernel
3s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2023, 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dc019e0032046918d2e07a1563f18cc13fac24b8b66631d5b2ec17064e85c1b.exe
Size

5.6MB
MD5

cf0f1bef0203200a8624b8e9ed2a382b
SHA1

dfed5abb4e9673dfdaa31be64f5be1905bc694de
SHA256

6dc019e0032046918d2e07a1563f18cc13fac24b8b66631d5b2ec17064e85c1b
SHA512

43914868ba83b24a9bcc665198611957c062643a28186ee459b6885a1473f2071c770d41b5cf0015e5fdbca4fb0b1dd656ced4449513069145eac656ac18d872
SSDEEP

98304:+iRmxZFsM4kxzDcT+GcY437KvDwEHuujlsaSzsC0p43MpQdZ9nc+fsCb+oSBAON6:LRm1syxacY48eda2TMpQdZ9nc+fyhNjG

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4912	is-THI57.tmp

Loads dropped DLL 1 IoCs

pid	Process
4912	is-THI57.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-VS3QC.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Help\is-3SU5D.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Plugins\is-M1N8A.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\is-LN2Q9.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\is-0RDO5.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Plugins\is-49D0N.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Plugins\is-28C8F.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Plugins\is-CDPBI.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-D9BSI.tmp	is-THI57.tmp
File opened for modification	C:\Program Files (x86)\Smart Projects\IsoBuster\unins000.dat	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-B66D1.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-8JE40.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-L7QMM.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-QH1FU.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\unins000.dat	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-286E5.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-DMT5K.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-QA4H6.tmp	is-THI57.tmp
File opened for modification	C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster_1121.exe	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-21RFI.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-O0T0P.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-8U6TH.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-72UPI.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Online\is-VI77J.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-H9SQH.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-RUNQP.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-IDH7P.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-6LG6C.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-PCO9G.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Online\is-RHT1S.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-Q8SP2.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-GJL4I.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-ASVLJ.tmp	is-THI57.tmp
File created	C:\Program Files (x86)\Smart Projects\IsoBuster\Lang\is-0S7IS.tmp	is-THI57.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 4912	4336	6dc019e0032046918d2e07a1563f18cc13fac24b8b66631d5b2ec17064e85c1b.exe	87
PID 4336 wrote to memory of 4912	4336	6dc019e0032046918d2e07a1563f18cc13fac24b8b66631d5b2ec17064e85c1b.exe	87
PID 4336 wrote to memory of 4912	4336	6dc019e0032046918d2e07a1563f18cc13fac24b8b66631d5b2ec17064e85c1b.exe	87
PID 4912 wrote to memory of 3308	4912	is-THI57.tmp	90
PID 4912 wrote to memory of 3308	4912	is-THI57.tmp	90
PID 4912 wrote to memory of 3308	4912	is-THI57.tmp	90
PID 4912 wrote to memory of 5052	4912	is-THI57.tmp	92
PID 4912 wrote to memory of 5052	4912	is-THI57.tmp	92
PID 4912 wrote to memory of 5052	4912	is-THI57.tmp	92

C:\Users\Admin\AppData\Local\Temp\6dc019e0032046918d2e07a1563f18cc13fac24b8b66631d5b2ec17064e85c1b.exe
"C:\Users\Admin\AppData\Local\Temp\6dc019e0032046918d2e07a1563f18cc13fac24b8b66631d5b2ec17064e85c1b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Users\Admin\AppData\Local\Temp\is-Q7IPO.tmp\is-THI57.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-Q7IPO.tmp\is-THI57.tmp" /SL4 $401E8 "C:\Users\Admin\AppData\Local\Temp\6dc019e0032046918d2e07a1563f18cc13fac24b8b66631d5b2ec17064e85c1b.exe" 5597940 141824
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 2
    3⤵
    PID:3308
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 2
      4⤵
      PID:2068
- - C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster_1121.exe
    "C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster_1121.exe" -i
    3⤵
    PID:5052
- - C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster_1121.exe
    "C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster_1121.exe" -s
    3⤵
    PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster_1121.exe

Filesize
2.8MB

MD5
9e4defd1bad3172e601bf2828c0770c1

SHA1
e0de6ef2a00eb2210f934819eab0bbeeba9d35a7

SHA256
b24cecfcd14991860905b477ced1c58809fd66632040d1a7d5d6bb74b70c4964

SHA512
14fa5fe7047f00b44bb22db8347738c32ca4a2f10806a212a6f17f1602a73c328ecf1eaee55128b60929ba4b4c2f122386fc3765b0bca9844114a3d5b891c6d8

Download Submit
C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster_1121.exe

Filesize
1.1MB

MD5
70e034dd3e83c4ba6d4aa46e293c1e70

SHA1
807bcc9911bff2506cdf7fe7d2a5b621a4f025b3

SHA256
a21dbbdd94cfde180d07199f7aed27bf0337c1ef596e878c79be7cb3f8f7d416

SHA512
2c34e96e7df2b3f03426388b9c4a49bdc3b30692b356c3bb99e703e9ee41003a8c74b9857e2481118d4aabd57ee7531bdf3b1691b1fb40584a03ec2524e1803a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FIFV6.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q7IPO.tmp\is-THI57.tmp

Filesize
642KB

MD5
e57693101a63b1f934f462bc7a2ef093

SHA1
2748ea8c66b980f14c9ce36c1c3061e690cf3ce7

SHA256
71267ff94c9fc72cbffaeed3bc2f33cef1eeb1887c29c574d7f26595d1a6235f

SHA512
3dcda686a85b19a9c7b4c96d132e90ed43c7df13ce9456beb2b88c278d8068cc3abcbfe25b1607c7b8281d276efb24809730f352927b326254f3208cbdf54a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q7IPO.tmp\is-THI57.tmp

Filesize
642KB

MD5
e57693101a63b1f934f462bc7a2ef093

SHA1
2748ea8c66b980f14c9ce36c1c3061e690cf3ce7

SHA256
71267ff94c9fc72cbffaeed3bc2f33cef1eeb1887c29c574d7f26595d1a6235f

SHA512
3dcda686a85b19a9c7b4c96d132e90ed43c7df13ce9456beb2b88c278d8068cc3abcbfe25b1607c7b8281d276efb24809730f352927b326254f3208cbdf54a3e

Download Submit
memory/4336-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4912-7-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/5052-82-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/5052-84-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/5052-87-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download