Analysis

  • max time kernel
    141s
  • max time network
    144s
  • platform
    windows10-1703_x64
  • resource
    win10-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win10-20231129-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    11-12-2023 11:29

General

  • Target

    098a5d47bfc632f3b7972896eef8fdc1835d042473d51e721757f33070d836f5.exe

  • Size

    6.9MB

  • MD5

    56115d810f84fe49443ee37d0b711925

  • SHA1

    d5a6231d59d33f9e1de2c0cea8c82f97807170d8

  • SHA256

    098a5d47bfc632f3b7972896eef8fdc1835d042473d51e721757f33070d836f5

  • SHA512

    81f534c5549ba30b9c66d84976340353610388d94931621079c28ba793882be09d00a6594d280c7efb839248d82fef3cd945def4ef6c700323d97fd163e6e9d0

  • SSDEEP

    196608:lyD4UUAnfcrSuleVp+jatZRGrrC/sF5wvACzj:A4Uvfc2RGatZcXF5uzj

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 63 IoCs
  • Runs net.exe
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\098a5d47bfc632f3b7972896eef8fdc1835d042473d51e721757f33070d836f5.exe
    "C:\Users\Admin\AppData\Local\Temp\098a5d47bfc632f3b7972896eef8fdc1835d042473d51e721757f33070d836f5.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5104
    • C:\Users\Admin\AppData\Local\Temp\is-AOE5V.tmp\098a5d47bfc632f3b7972896eef8fdc1835d042473d51e721757f33070d836f5.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-AOE5V.tmp\098a5d47bfc632f3b7972896eef8fdc1835d042473d51e721757f33070d836f5.tmp" /SL5="$801F4,6986290,68096,C:\Users\Admin\AppData\Local\Temp\098a5d47bfc632f3b7972896eef8fdc1835d042473d51e721757f33070d836f5.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3992
      • C:\Program Files (x86)\WMAFormat\wmaformat.exe
        "C:\Program Files (x86)\WMAFormat\wmaformat.exe" -i
        3⤵
        • Executes dropped EXE
        PID:2840
      • C:\Program Files (x86)\WMAFormat\wmaformat.exe
        "C:\Program Files (x86)\WMAFormat\wmaformat.exe" -s
        3⤵
        • Executes dropped EXE
        PID:4540
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\system32\net.exe" helpmsg 11
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2868
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /Query
        3⤵
        PID:808
    • C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 11
      1⤵
      PID:5108

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Program Files (x86)\WMAFormat\wmaformat.exe

        Filesize

        155KB

        MD5

        c75276b27f022e1c21a8e3581dc7cb01

        SHA1

        e3d867a0f0461ffacdecbfbee9dfd49123943d06

        SHA256

        b01a1981a219bd6909f2d3cb3de8eca60c947468b577199d0a1d328bc621ef82

        SHA512

        038495f783ca533316af3da186458892d7f607f768959f97daefebf0c5124223b8080d6844710a9921b0bdfbced3563c97dc7e1560a5e28ee7e7e61cc819acd4

      • C:\Program Files (x86)\WMAFormat\wmaformat.exe

        Filesize

        95KB

        MD5

        aa166bc9b6bf438c5d731fc267e72ed3

        SHA1

        aacd739bb1bc2217ef97e310941a4f369b5bc761

        SHA256

        f71a54b46cb0e19ccb1aca125aacc5f4e63df2242c83e30aa19dfcab0a7d2da3

        SHA512

        2a588d6e509b571bfc082ba2d6254962fe2f3814a3c195d9fb8f80fb55882eaa9569b9a6d438c16a8b8bd73419271710cef0915cb0f7b505842f56565cbc5e8a

      • C:\Program Files (x86)\WMAFormat\wmaformat.exe

        Filesize

        114KB

        MD5

        42e0bddf02d2028832040c231896c921

        SHA1

        5dcb7f6bce504d50d77052ea556a454bc44421eb

        SHA256

        1a17481fa814beffb3818c227f9479bf9f97ab86aa84bcc5657d86acf76cae43

        SHA512

        7d48f950f20fd6f0efb7223f6eb7bedf5b088d8b3c48ca4833c3fe406020834ef7dde3d7c2d544d77165ba49c9221628ad9515f982ea95be7ec039c497b0d7b1

      • C:\Users\Admin\AppData\Local\Temp\is-AOE5V.tmp\098a5d47bfc632f3b7972896eef8fdc1835d042473d51e721757f33070d836f5.tmp

        Filesize

        295KB

        MD5

        b0e6f876b6891b068e4dee0da4bf32a0

        SHA1

        b2f9bf6d9394565000ef5e9ec72a110e85748ff5

        SHA256

        168af5e2164eccd7cc0708f6d05f8613d0d729f935a6ad3a2c06b6a36f3625cf

        SHA512

        ac9bc44fd515e7c78630f147c16f4c64ce563fad3b9ec5144880f9b2fe95f708f0a2e5aa8405f971e4913ce251f6f80b39b0f5bd500a83ce3d190e70ce7c9268

      • C:\Users\Admin\AppData\Local\Temp\is-AOE5V.tmp\098a5d47bfc632f3b7972896eef8fdc1835d042473d51e721757f33070d836f5.tmp

        Filesize

        381KB

        MD5

        93d5dd9792023897e52b08803b2e9f62

        SHA1

        6bc63e4cfbfcba6214f99c7255517f1901811e04

        SHA256

        f82bf0947d8b80948d27b6b4e98027885ebff80579e68cceea419814c255ef89

        SHA512

        637c491c5ba2482e6a3b174d5aa9c40180ab5566eac321b8868eebc26f47acb33fe41526d4cedabe530a70de3a8fa55ee23de66962b1fc812f9dac70d61fcd09

      • \Users\Admin\AppData\Local\Temp\is-P2Q9I.tmp\_isetup\_iscrypt.dll

        Filesize

        2KB

        MD5

        a69559718ab506675e907fe49deb71e9

        SHA1

        bc8f404ffdb1960b50c12ff9413c893b56f2e36f

        SHA256

        2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

        SHA512

        e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

      • \Users\Admin\AppData\Local\Temp\is-P2Q9I.tmp\_isetup\_isdecmp.dll

        Filesize

        19KB

        MD5

        3adaa386b671c2df3bae5b39dc093008

        SHA1

        067cf95fbdb922d81db58432c46930f86d23dded

        SHA256

        71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

        SHA512

        bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

      • memory/2840-152-0x0000000000400000-0x00000000005CF000-memory.dmp

        Filesize

        1.8MB

      • memory/2840-163-0x0000000000400000-0x00000000005CF000-memory.dmp

        Filesize

        1.8MB

      • memory/2840-154-0x0000000000400000-0x00000000005CF000-memory.dmp

        Filesize

        1.8MB

      • memory/2840-151-0x0000000000400000-0x00000000005CF000-memory.dmp

        Filesize

        1.8MB

      • memory/3992-162-0x00000000001F0000-0x00000000001F1000-memory.dmp

        Filesize

        4KB

      • memory/3992-160-0x0000000000400000-0x00000000004BC000-memory.dmp

        Filesize

        752KB

      • memory/3992-12-0x00000000001F0000-0x00000000001F1000-memory.dmp

        Filesize

        4KB

      • memory/4540-190-0x0000000000730000-0x00000000007CE000-memory.dmp

        Filesize

        632KB

      • memory/4540-209-0x0000000000400000-0x00000000005CF000-memory.dmp

        Filesize

        1.8MB

      • memory/4540-176-0x0000000000400000-0x00000000005CF000-memory.dmp

        Filesize

        1.8MB

      • memory/4540-161-0x0000000000400000-0x00000000005CF000-memory.dmp

        Filesize

        1.8MB

      • memory/4540-177-0x0000000000730000-0x00000000007CE000-memory.dmp

        Filesize

        632KB

      • memory/4540-158-0x0000000000400000-0x00000000005CF000-memory.dmp

        Filesize

        1.8MB

      • memory/4540-166-0x0000000000400000-0x00000000005CF000-memory.dmp

        Filesize

        1.8MB

      • memory/4540-167-0x0000000000400000-0x00000000005CF000-memory.dmp

        Filesize

        1.8MB

      • memory/4540-170-0x0000000000400000-0x00000000005CF000-memory.dmp

        Filesize

        1.8MB

      • memory/4540-182-0x0000000000400000-0x00000000005CF000-memory.dmp

        Filesize

        1.8MB

      • memory/4540-206-0x0000000000400000-0x00000000005CF000-memory.dmp

        Filesize

        1.8MB

      • memory/4540-203-0x0000000000400000-0x00000000005CF000-memory.dmp

        Filesize

        1.8MB

      • memory/4540-173-0x0000000000400000-0x00000000005CF000-memory.dmp

        Filesize

        1.8MB

      • memory/4540-183-0x0000000000730000-0x00000000007CE000-memory.dmp

        Filesize

        632KB

      • memory/4540-186-0x0000000000400000-0x00000000005CF000-memory.dmp

        Filesize

        1.8MB

      • memory/4540-189-0x0000000000400000-0x00000000005CF000-memory.dmp

        Filesize

        1.8MB

      • memory/4540-156-0x0000000000400000-0x00000000005CF000-memory.dmp

        Filesize

        1.8MB

      • memory/4540-193-0x0000000000400000-0x00000000005CF000-memory.dmp

        Filesize

        1.8MB

      • memory/4540-196-0x0000000000400000-0x00000000005CF000-memory.dmp

        Filesize

        1.8MB

      • memory/4540-199-0x0000000000400000-0x00000000005CF000-memory.dmp

        Filesize

        1.8MB

      • memory/5104-0-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

      • memory/5104-159-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

      • memory/5104-2-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB