02725234c6d7748c366690230cb7ee7bd4146cee3f730075bbefa19f01c89344

General

Target

02725234c6d7748c366690230cb7ee7bd4146cee3f730075bbefa19f01c89344.exe
Size

4.0MB
MD5

e0200372ab084cee7c02519fa32a5b0e
SHA1

baf75851368121a6e0e2598b8cefea5a9023284a
SHA256

02725234c6d7748c366690230cb7ee7bd4146cee3f730075bbefa19f01c89344
SHA512

8b78c779811119e5bca214cacc2e0607fa20da4c05fa82b7e897b64585b7d0684ee6d7a5b9cf6e489dd8662055a36093efd59d3f483238472e790c1743dfcc3d
SSDEEP

98304:HdL9xWLs1Esvx3VRy2XOwnqoQyVHXoblgL74+7e:9zwM5S2X9qM3oqLU+7e

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
868	is-B8MBD.tmp
1712	ZxingPDF.exe
2036	ZxingPDF.exe

Loads dropped DLL 1 IoCs

pid	Process
868	is-B8MBD.tmp

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	51.159.66.125
Destination IP	151.80.38.159
Destination IP	217.23.6.51
Destination IP	217.23.9.168

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ZxingPDF\Lang\is-92DKI.tmp	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\Help\is-7AQOS.tmp	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\is-6LQPA.tmp	is-B8MBD.tmp
File opened for modification	C:\Program Files (x86)\ZxingPDF\unins000.dat	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\Lang\is-UGCEU.tmp	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\Lang\is-ML21L.tmp	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\Plugins\is-A32DA.tmp	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\Plugins\is-125PA.tmp	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\Lang\is-32PCM.tmp	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\Lang\is-DH54U.tmp	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\Plugins\is-C0UVP.tmp	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\unins000.dat	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\Lang\is-5O1D4.tmp	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\Lang\is-LI9E2.tmp	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\Online\is-O8L2F.tmp	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\is-40L0A.tmp	is-B8MBD.tmp
File opened for modification	C:\Program Files (x86)\ZxingPDF\ZxingPDF.exe	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\Lang\is-AVRQQ.tmp	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\Lang\is-IT0N5.tmp	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\Lang\is-9RSK9.tmp	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\Lang\is-M9LIQ.tmp	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\Online\is-6ABNR.tmp	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\Lang\is-PTM0E.tmp	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\Lang\is-GAA3G.tmp	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\Lang\is-VK04O.tmp	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\Lang\is-MFDN4.tmp	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\Plugins\is-C87B9.tmp	is-B8MBD.tmp
File created	C:\Program Files (x86)\ZxingPDF\Lang\is-ME3HA.tmp	is-B8MBD.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 868	5040	02725234c6d7748c366690230cb7ee7bd4146cee3f730075bbefa19f01c89344.exe	83
PID 5040 wrote to memory of 868	5040	02725234c6d7748c366690230cb7ee7bd4146cee3f730075bbefa19f01c89344.exe	83
PID 5040 wrote to memory of 868	5040	02725234c6d7748c366690230cb7ee7bd4146cee3f730075bbefa19f01c89344.exe	83
PID 868 wrote to memory of 1672	868	is-B8MBD.tmp	87
PID 868 wrote to memory of 1672	868	is-B8MBD.tmp	87
PID 868 wrote to memory of 1672	868	is-B8MBD.tmp	87
PID 868 wrote to memory of 1712	868	is-B8MBD.tmp	88
PID 868 wrote to memory of 1712	868	is-B8MBD.tmp	88
PID 868 wrote to memory of 1712	868	is-B8MBD.tmp	88
PID 868 wrote to memory of 2036	868	is-B8MBD.tmp	90
PID 868 wrote to memory of 2036	868	is-B8MBD.tmp	90
PID 868 wrote to memory of 2036	868	is-B8MBD.tmp	90

C:\Users\Admin\AppData\Local\Temp\02725234c6d7748c366690230cb7ee7bd4146cee3f730075bbefa19f01c89344.exe
"C:\Users\Admin\AppData\Local\Temp\02725234c6d7748c366690230cb7ee7bd4146cee3f730075bbefa19f01c89344.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Local\Temp\is-S4PDG.tmp\is-B8MBD.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-S4PDG.tmp\is-B8MBD.tmp" /SL4 $50116 "C:\Users\Admin\AppData\Local\Temp\02725234c6d7748c366690230cb7ee7bd4146cee3f730075bbefa19f01c89344.exe" 3876134 242176
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:1672
- - C:\Program Files (x86)\ZxingPDF\ZxingPDF.exe
    "C:\Program Files (x86)\ZxingPDF\ZxingPDF.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1712
- - C:\Program Files (x86)\ZxingPDF\ZxingPDF.exe
    "C:\Program Files (x86)\ZxingPDF\ZxingPDF.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ZxingPDF\ZxingPDF.exe

Filesize
2.0MB

MD5
330c3f73c995dbc18c9211269fc579ee

SHA1
32596c55cfc47c80a8c21dbb28538836cecec40d

SHA256
c558e1a93895386068de911f2f92b9e7680b7e3b3649894ccae8f7b12d56849d

SHA512
13e095500ad5a57637a7d53ca88deae73921388a0959298fbb8a127f08bec7b108d00405063e6138d1b572b19da9a16ee48564a6ed43880f2a83bdb5428756ca

Download Submit
C:\Program Files (x86)\ZxingPDF\ZxingPDF.exe

Filesize
2.0MB

MD5
330c3f73c995dbc18c9211269fc579ee

SHA1
32596c55cfc47c80a8c21dbb28538836cecec40d

SHA256
c558e1a93895386068de911f2f92b9e7680b7e3b3649894ccae8f7b12d56849d

SHA512
13e095500ad5a57637a7d53ca88deae73921388a0959298fbb8a127f08bec7b108d00405063e6138d1b572b19da9a16ee48564a6ed43880f2a83bdb5428756ca

Download Submit
C:\Program Files (x86)\ZxingPDF\ZxingPDF.exe

Filesize
2.0MB

MD5
330c3f73c995dbc18c9211269fc579ee

SHA1
32596c55cfc47c80a8c21dbb28538836cecec40d

SHA256
c558e1a93895386068de911f2f92b9e7680b7e3b3649894ccae8f7b12d56849d

SHA512
13e095500ad5a57637a7d53ca88deae73921388a0959298fbb8a127f08bec7b108d00405063e6138d1b572b19da9a16ee48564a6ed43880f2a83bdb5428756ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LE9RS.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S4PDG.tmp\is-B8MBD.tmp

Filesize
643KB

MD5
a991510c12f20ccf8a5231a32a7958c3

SHA1
122724d1a4fdea39af3aa427e4941158d7e91dfa

SHA256
0c3ab280e156e9ff6a325267bc5d721f71dcb12490a53a03a033d932272f9198

SHA512
8f387a6189f6fa51f84004706589ed1706dfd08dfc38c1f8ce3ce010f37efac085fd241396ab69bc25c86174a4637492163bf3cb26f88639551dc9fa0c52eafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S4PDG.tmp\is-B8MBD.tmp

Filesize
643KB

MD5
a991510c12f20ccf8a5231a32a7958c3

SHA1
122724d1a4fdea39af3aa427e4941158d7e91dfa

SHA256
0c3ab280e156e9ff6a325267bc5d721f71dcb12490a53a03a033d932272f9198

SHA512
8f387a6189f6fa51f84004706589ed1706dfd08dfc38c1f8ce3ce010f37efac085fd241396ab69bc25c86174a4637492163bf3cb26f88639551dc9fa0c52eafa

Download Submit
memory/868-81-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/868-83-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/868-7-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/1712-72-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/1712-74-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/1712-75-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/1712-70-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2036-90-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2036-99-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2036-127-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2036-124-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2036-82-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2036-78-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2036-86-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2036-87-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2036-121-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2036-93-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2036-96-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2036-79-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2036-101-0x0000000000750000-0x00000000007FA000-memory.dmp

Filesize
680KB

Download
memory/2036-105-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2036-108-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2036-109-0x0000000000750000-0x00000000007FA000-memory.dmp

Filesize
680KB

Download
memory/2036-112-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2036-115-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/2036-118-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/5040-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5040-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5040-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing