115eca0aca2d0924dd44670664d0c16477684a8df508b3da463467c7a3aad78f

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2023 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

115eca0aca2d0924dd44670664d0c16477684a8df508b3da463467c7a3aad78f.exe
Size

4.2MB
MD5

e7594393b0d05364a09208769d079128
SHA1

e35cdbd397096500f9dd333570dc5badee98b19c
SHA256

115eca0aca2d0924dd44670664d0c16477684a8df508b3da463467c7a3aad78f
SHA512

3521f436dbd020f24c90c95b359c7ee71775904e730900810d3e66deed3273496c9662f181cf9ef171a469dca8c386583f141d8ed1e9314f7d302e5a54da4fd6
SSDEEP

98304:NdW1hSKF/Z+teULItGlhCXEotnUnjoacZfKOJAeN53o:e7SE/oXvo5LacZfqK4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2396	File-Search-Library.exe

Loads dropped DLL 2 IoCs

pid	Process
2396	File-Search-Library.exe
2396	File-Search-Library.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\115eca0aca2d0924dd44670664d0c16477684a8df508b3da463467c7a3aad78f.exe	115eca0aca2d0924dd44670664d0c16477684a8df508b3da463467c7a3aad78f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\115eca0aca2d0924dd44670664d0c16477684a8df508b3da463467c7a3aad78f.exe\IsHostApp	115eca0aca2d0924dd44670664d0c16477684a8df508b3da463467c7a3aad78f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\File-Search-Library.exe	File-Search-Library.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\File-Search-Library.exe\IsHostApp	File-Search-Library.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	File-Search-Library.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	File-Search-Library.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2396	File-Search-Library.exe
Token: SeSecurityPrivilege	2396	File-Search-Library.exe
Token: SeTakeOwnershipPrivilege	2396	File-Search-Library.exe
Token: SeLoadDriverPrivilege	2396	File-Search-Library.exe
Token: SeSystemProfilePrivilege	2396	File-Search-Library.exe
Token: SeSystemtimePrivilege	2396	File-Search-Library.exe
Token: SeProfSingleProcessPrivilege	2396	File-Search-Library.exe
Token: SeIncBasePriorityPrivilege	2396	File-Search-Library.exe
Token: SeCreatePagefilePrivilege	2396	File-Search-Library.exe
Token: SeBackupPrivilege	2396	File-Search-Library.exe
Token: SeRestorePrivilege	2396	File-Search-Library.exe
Token: SeShutdownPrivilege	2396	File-Search-Library.exe
Token: SeDebugPrivilege	2396	File-Search-Library.exe
Token: SeSystemEnvironmentPrivilege	2396	File-Search-Library.exe
Token: SeRemoteShutdownPrivilege	2396	File-Search-Library.exe
Token: SeUndockPrivilege	2396	File-Search-Library.exe
Token: SeManageVolumePrivilege	2396	File-Search-Library.exe
Token: 33	2396	File-Search-Library.exe
Token: 34	2396	File-Search-Library.exe
Token: 35	2396	File-Search-Library.exe
Token: 36	2396	File-Search-Library.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
704	115eca0aca2d0924dd44670664d0c16477684a8df508b3da463467c7a3aad78f.exe
2396	File-Search-Library.exe
2396	File-Search-Library.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2396	File-Search-Library.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 704 wrote to memory of 2396	704	115eca0aca2d0924dd44670664d0c16477684a8df508b3da463467c7a3aad78f.exe	84
PID 704 wrote to memory of 2396	704	115eca0aca2d0924dd44670664d0c16477684a8df508b3da463467c7a3aad78f.exe	84
PID 704 wrote to memory of 2396	704	115eca0aca2d0924dd44670664d0c16477684a8df508b3da463467c7a3aad78f.exe	84

C:\Users\Admin\AppData\Local\Temp\115eca0aca2d0924dd44670664d0c16477684a8df508b3da463467c7a3aad78f.exe
"C:\Users\Admin\AppData\Local\Temp\115eca0aca2d0924dd44670664d0c16477684a8df508b3da463467c7a3aad78f.exe"
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:704
- C:\ProgramData\miaE0AB.tmp\File-Search-Library.exe
  .\File-Search-Library.exe /m="C:\Users\Admin\AppData\Local\Temp\115ECA~1.EXE" /k=""
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\miaE0AB.tmp\File-Search-Library.exe

Filesize
5.3MB

MD5
5d77b620b9614f402985eb132507bcc1

SHA1
74e675489f855731e356b84da6b54d679cbd0a04

SHA256
a8527b99369f4b6a45adeeb132d07287e20fbaf24aa5a5b3d6039897516a5201

SHA512
e732c04297644d943c3157d5ad72af2e4039a5d93aa9cf8ad9fa19bd119402f94d01a4771143dc4408f8aa93ace8256d0f0a9a34beeffc70b99905ca959c11b6

Download Submit
C:\ProgramData\miaE0AB.tmp\File-Search-Library.exe

Filesize
5.3MB

MD5
5d77b620b9614f402985eb132507bcc1

SHA1
74e675489f855731e356b84da6b54d679cbd0a04

SHA256
a8527b99369f4b6a45adeeb132d07287e20fbaf24aa5a5b3d6039897516a5201

SHA512
e732c04297644d943c3157d5ad72af2e4039a5d93aa9cf8ad9fa19bd119402f94d01a4771143dc4408f8aa93ace8256d0f0a9a34beeffc70b99905ca959c11b6

Download Submit
C:\ProgramData\miaE0AB.tmp\File-Search-Library.msi

Filesize
780KB

MD5
21e3a7cfb5fd0d0d9d48ee51305c65a3

SHA1
1f41ab6764d259d4ee7f47be6d9c5cd22aeb0563

SHA256
7c98749687da9d22865d2d5a4be86bdd0f5b4336ef1de2e1ee099285ffdab3b1

SHA512
6f25306f144d355ce1d8dadc84f5f125ff93006a6305d4e77ac9788109dab6e89adeb57452773a3bc97428e43aaac332213b2c663e2dafe90401a9ab10ba2696

Download Submit
C:\ProgramData\miaE0AB.tmp\File-Search-Library.res

Filesize
7.9MB

MD5
343995e82061833060236b313e155eda

SHA1
3d134197250e70c749a1f626e43122fe221bc75e

SHA256
3ebdf4634acff9bf8753eec970fa43f27a08e27bb9d083119c40bc5abcaabd09

SHA512
36501a5417b7967718a797b24ab902a692d5caef8fe2b14181eab86f1c77edc6b00cdc181129a5be7dc7f88a580cf7be13c7e114a171f0f0c40c6f512663e153

Download Submit
C:\ProgramData\miaE0AB.tmp\data\OFFLINE\41BA8512\4520BDCA\KellermanSoftware.File-Search-Library.xml

Filesize
147KB

MD5
d70d7e24b91d1c024b843bb52d593870

SHA1
13afb6d7871df2e82b22cbd8d7888608a43e8c03

SHA256
90157a6d74013a5d2d0febbbbcf843c4fbcbbd3103e84f8fd317435595ce2043

SHA512
2ba9ca1a87285391d3a1ac282de53d4679750ac98be2b8b6928c60178bc7dbeeb45e481dfba2c82c1394e808e33dde030b27d061a129c3d7d60c5451912775f9

Download Submit
C:\ProgramData\miaE0AB.tmp\data\OFFLINE\41BA8512\4520BDCA\LZ4.dll

Filesize
142KB

MD5
e45aea3b68b87c62b5784114beb312be

SHA1
4041a7410598c46d7657ceb94b0af4ebbc7a9c0a

SHA256
6d37baeb841bcf6c4935a54f29df049d405df48345014cc12852b814d279d86e

SHA512
1a5f57e54e3fc22624db577a616e88aa487d5ac60eb9a293d098bcc0614ba6bfd85dd4c0a0389fa4a6da58d09986e56066374399b29dd40070090b470f4980b1

Download Submit
C:\ProgramData\miaE0AB.tmp\data\OFFLINE\41BA8512\4520BDCA\protobuf-net.dll

Filesize
269KB

MD5
4a4756e227c10623d81228bc4bc49c1d

SHA1
964014f538918d85f6eb6a7b4023b304067b28f7

SHA256
042b8c1c1e0eb7648b164ee48c95168c48324f1fb439cabd5f2e41db0938d807

SHA512
93d2c6f47c618dc9493f5a538cbfb5a32c1e3bb35a623b51561057245f2fa557c452ee18ae274182c3e0440b77353c5490d196f16eda142b6129e8d1108e5a04

Download Submit
C:\ProgramData\miaE0AB.tmp\mia.lib

Filesize
592KB

MD5
6017c5f8ea6382684def62597535b277

SHA1
1ed79b319b3b0e47bd3b08c194b4cfe1a06f12a8

SHA256
f4bb9cf2e03832f23b407d4bdef1d44d4dfd6a510f2fdc1a6be263241914b55b

SHA512
65a0e4505294c621c031f64051017c9bee36ef4b5f793c39010a516e84443cd85dbf092a1b4d6526abefd499994739326e0b55b2480523de7c8189b6dd3ff0f6

Download Submit
C:\ProgramData\miaE0AB.tmp\mia.lib

Filesize
592KB

MD5
6017c5f8ea6382684def62597535b277

SHA1
1ed79b319b3b0e47bd3b08c194b4cfe1a06f12a8

SHA256
f4bb9cf2e03832f23b407d4bdef1d44d4dfd6a510f2fdc1a6be263241914b55b

SHA512
65a0e4505294c621c031f64051017c9bee36ef4b5f793c39010a516e84443cd85dbf092a1b4d6526abefd499994739326e0b55b2480523de7c8189b6dd3ff0f6

Download Submit
C:\ProgramData\miaE0AB.tmp\setup.bmp

Filesize
398KB

MD5
dbf620113b3a58da1497ee47f8c13781

SHA1
7dd3f902ca98179e3191e1da4da609a0affaa73a

SHA256
e070f68c3b00294c61e2e860d15c127153be5542e9c1139cd8393e2320e1ef88

SHA512
5470ba2f000cb3b5593e17205e47b2c305fa60fbdcf29add7eccae80493078c1f68c992a07a69ed203774d291e11297ad7c4bbebb6bd45b99cec3256c840e69e

Download Submit
C:\ProgramData\miaE0AB.tmp\setup.bmp

Filesize
398KB

MD5
dbf620113b3a58da1497ee47f8c13781

SHA1
7dd3f902ca98179e3191e1da4da609a0affaa73a

SHA256
e070f68c3b00294c61e2e860d15c127153be5542e9c1139cd8393e2320e1ef88

SHA512
5470ba2f000cb3b5593e17205e47b2c305fa60fbdcf29add7eccae80493078c1f68c992a07a69ed203774d291e11297ad7c4bbebb6bd45b99cec3256c840e69e

Download Submit
C:\Users\Admin\AppData\Local\IIIQF\7z.dll

Filesize
170KB

MD5
31cad6a3edd1c32981ad6b565cbeac94

SHA1
9338978c85a9423ee2a38cba027f79192d684f1b

SHA256
b8521abda09ec17ddad36528c1bc50395dc8c5f7c11c026a5b3ff23110c54182

SHA512
02e198b8ef192de55db35ae00a16a80b3309a9373a596c20d617b43dd7159a635bc303f371859e704375521a1242d02754807e2e9dfef63ffd06993b24c17d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mia1\File-Search-Library.msi

Filesize
780KB

MD5
21e3a7cfb5fd0d0d9d48ee51305c65a3

SHA1
1f41ab6764d259d4ee7f47be6d9c5cd22aeb0563

SHA256
7c98749687da9d22865d2d5a4be86bdd0f5b4336ef1de2e1ee099285ffdab3b1

SHA512
6f25306f144d355ce1d8dadc84f5f125ff93006a6305d4e77ac9788109dab6e89adeb57452773a3bc97428e43aaac332213b2c663e2dafe90401a9ab10ba2696

Download Submit
C:\Users\Admin\AppData\Local\Temp\mia1\swoosh.avi

Filesize
8KB

MD5
92e21000679929513646a3072e0abbf7

SHA1
ea14b9b584056ad0eabf055bc67b4512f5e847a1

SHA256
0da2d63004c11b6e530e9df6054064a2fab9eda60fe33f6a3a779c16f578d3cc

SHA512
1b88604fa05b4ced94edac3eac0a7dbd89bcaaa6339a9d2e970e6d59838ee9bccd1c6282823ea22c9319498602e0014abc8f7879499a9e08f492611328499a00

Download Submit
memory/2396-136-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/2396-245-0x0000000000400000-0x0000000000999000-memory.dmp

Filesize
5.6MB

Download
memory/2396-246-0x0000000000400000-0x0000000000999000-memory.dmp

Filesize
5.6MB

Download
memory/2396-247-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/2396-250-0x0000000000400000-0x0000000000999000-memory.dmp

Filesize
5.6MB

Download
memory/2396-253-0x0000000000400000-0x0000000000999000-memory.dmp

Filesize
5.6MB

Download