5cd9259a1d532e2a2e17e76a15cddf6e454b521809eb57bf7a728f340ef0610a

General

Target

5cd9259a1d532e2a2e17e76a15cddf6e454b521809eb57bf7a728f340ef0610a.exe
Size

4.0MB
MD5

d01f7a994737144e0a1eca5883c21f23
SHA1

33797bea71f57da682d27f3a4e20ab7c49358aa8
SHA256

5cd9259a1d532e2a2e17e76a15cddf6e454b521809eb57bf7a728f340ef0610a
SHA512

0b42b5abe366f92b92e27cd28600d8e1346c870bf681173cb73818d138bb5f39d94ffb59118051fa653dd307893534bfaf8247e583bb704ec0ea79e6040baf2b
SSDEEP

98304:wdZzTT+hPu8wDHcM7MQv7rz0stjXDWZuWZFTVxndTsxwXq7e:wZzTyhPuJ7MQv7rAsJXSZJPVxnfXq7e

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2488	is-FUJA4.tmp
4556	PhotoSnap.exe
916	PhotoSnap.exe

Loads dropped DLL 1 IoCs

pid	Process
2488	is-FUJA4.tmp

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	217.23.6.51
Destination IP	217.23.9.168
Destination IP	37.187.122.227
Destination IP	151.80.38.159
Destination IP	51.159.66.125

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PhotoSnap\unins000.dat	is-FUJA4.tmp
File opened for modification	C:\Program Files (x86)\PhotoSnap\PhotoSnap.exe	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\Lang\is-SKE50.tmp	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\Lang\is-RSFQK.tmp	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\Lang\is-4OCRK.tmp	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\Lang\is-NOFUT.tmp	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\Lang\is-J68I9.tmp	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\Plugins\is-D84O0.tmp	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\Lang\is-7SI8J.tmp	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\Lang\is-JN84V.tmp	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\Lang\is-OTIJ0.tmp	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\Plugins\is-SJMFD.tmp	is-FUJA4.tmp
File opened for modification	C:\Program Files (x86)\PhotoSnap\unins000.dat	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\is-6314O.tmp	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\Lang\is-7OD2V.tmp	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\Lang\is-K13A8.tmp	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\Lang\is-JBRAM.tmp	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\Online\is-P7A79.tmp	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\Lang\is-80R9V.tmp	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\Lang\is-Q5C23.tmp	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\Lang\is-SK5SA.tmp	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\Lang\is-GD6EG.tmp	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\Help\is-5OBSQ.tmp	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\is-20UAL.tmp	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\Lang\is-LQMPS.tmp	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\Online\is-RA2QD.tmp	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\Plugins\is-T5BIN.tmp	is-FUJA4.tmp
File created	C:\Program Files (x86)\PhotoSnap\Plugins\is-JF6JI.tmp	is-FUJA4.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 2488	4412	5cd9259a1d532e2a2e17e76a15cddf6e454b521809eb57bf7a728f340ef0610a.exe	71
PID 4412 wrote to memory of 2488	4412	5cd9259a1d532e2a2e17e76a15cddf6e454b521809eb57bf7a728f340ef0610a.exe	71
PID 4412 wrote to memory of 2488	4412	5cd9259a1d532e2a2e17e76a15cddf6e454b521809eb57bf7a728f340ef0610a.exe	71
PID 2488 wrote to memory of 3508	2488	is-FUJA4.tmp	72
PID 2488 wrote to memory of 3508	2488	is-FUJA4.tmp	72
PID 2488 wrote to memory of 3508	2488	is-FUJA4.tmp	72
PID 2488 wrote to memory of 4556	2488	is-FUJA4.tmp	74
PID 2488 wrote to memory of 4556	2488	is-FUJA4.tmp	74
PID 2488 wrote to memory of 4556	2488	is-FUJA4.tmp	74
PID 2488 wrote to memory of 916	2488	is-FUJA4.tmp	75
PID 2488 wrote to memory of 916	2488	is-FUJA4.tmp	75
PID 2488 wrote to memory of 916	2488	is-FUJA4.tmp	75

C:\Users\Admin\AppData\Local\Temp\5cd9259a1d532e2a2e17e76a15cddf6e454b521809eb57bf7a728f340ef0610a.exe
"C:\Users\Admin\AppData\Local\Temp\5cd9259a1d532e2a2e17e76a15cddf6e454b521809eb57bf7a728f340ef0610a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Users\Admin\AppData\Local\Temp\is-ASQOJ.tmp\is-FUJA4.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ASQOJ.tmp\is-FUJA4.tmp" /SL4 $701FC "C:\Users\Admin\AppData\Local\Temp\5cd9259a1d532e2a2e17e76a15cddf6e454b521809eb57bf7a728f340ef0610a.exe" 3944057 270848
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:3508
- - C:\Program Files (x86)\PhotoSnap\PhotoSnap.exe
    "C:\Program Files (x86)\PhotoSnap\PhotoSnap.exe" -i
    3⤵
    - Executes dropped EXE
    PID:4556
- - C:\Program Files (x86)\PhotoSnap\PhotoSnap.exe
    "C:\Program Files (x86)\PhotoSnap\PhotoSnap.exe" -s
    3⤵
    - Executes dropped EXE
    PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PhotoSnap\PhotoSnap.exe

Filesize
2.1MB

MD5
becfdb9f166dd14d61eb3a0951cb5077

SHA1
73d8718f7cfd668059fa0ca6ad9176bcefafafaf

SHA256
72b9ef6801b50284c6a3b9f1c6dae427da7681a32193084b6b9060afa87fd75a

SHA512
bcdfc7179c887b9bbb759fa83e883853fa89939b40fa4f54170a6b35be00f4ad1cd56534f9179c6682dc88e1a6a131e8bd01828292b1664df6f5bdb6cb0d2554

Download Submit
C:\Program Files (x86)\PhotoSnap\PhotoSnap.exe

Filesize
2.1MB

MD5
becfdb9f166dd14d61eb3a0951cb5077

SHA1
73d8718f7cfd668059fa0ca6ad9176bcefafafaf

SHA256
72b9ef6801b50284c6a3b9f1c6dae427da7681a32193084b6b9060afa87fd75a

SHA512
bcdfc7179c887b9bbb759fa83e883853fa89939b40fa4f54170a6b35be00f4ad1cd56534f9179c6682dc88e1a6a131e8bd01828292b1664df6f5bdb6cb0d2554

Download Submit
C:\Program Files (x86)\PhotoSnap\PhotoSnap.exe

Filesize
2.1MB

MD5
becfdb9f166dd14d61eb3a0951cb5077

SHA1
73d8718f7cfd668059fa0ca6ad9176bcefafafaf

SHA256
72b9ef6801b50284c6a3b9f1c6dae427da7681a32193084b6b9060afa87fd75a

SHA512
bcdfc7179c887b9bbb759fa83e883853fa89939b40fa4f54170a6b35be00f4ad1cd56534f9179c6682dc88e1a6a131e8bd01828292b1664df6f5bdb6cb0d2554

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ASQOJ.tmp\is-FUJA4.tmp

Filesize
643KB

MD5
a991510c12f20ccf8a5231a32a7958c3

SHA1
122724d1a4fdea39af3aa427e4941158d7e91dfa

SHA256
0c3ab280e156e9ff6a325267bc5d721f71dcb12490a53a03a033d932272f9198

SHA512
8f387a6189f6fa51f84004706589ed1706dfd08dfc38c1f8ce3ce010f37efac085fd241396ab69bc25c86174a4637492163bf3cb26f88639551dc9fa0c52eafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ASQOJ.tmp\is-FUJA4.tmp

Filesize
643KB

MD5
a991510c12f20ccf8a5231a32a7958c3

SHA1
122724d1a4fdea39af3aa427e4941158d7e91dfa

SHA256
0c3ab280e156e9ff6a325267bc5d721f71dcb12490a53a03a033d932272f9198

SHA512
8f387a6189f6fa51f84004706589ed1706dfd08dfc38c1f8ce3ce010f37efac085fd241396ab69bc25c86174a4637492163bf3cb26f88639551dc9fa0c52eafa

Download Submit
\Users\Admin\AppData\Local\Temp\is-M07BD.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/916-103-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/916-106-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/916-125-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/916-122-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/916-119-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/916-77-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/916-116-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/916-113-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/916-80-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/916-110-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/916-84-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/916-85-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/916-88-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/916-91-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/916-94-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/916-97-0x00000000008A0000-0x000000000094A000-memory.dmp

Filesize
680KB

Download
memory/916-98-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/916-99-0x00000000008A0000-0x000000000094A000-memory.dmp

Filesize
680KB

Download
memory/916-107-0x00000000008A0000-0x000000000094A000-memory.dmp

Filesize
680KB

Download
memory/2488-81-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2488-79-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2488-7-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4412-1-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4412-78-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4556-70-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/4556-74-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/4556-72-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing