Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231130-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/12/2023, 14:01

General

  • Target

    609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.exe

  • Size

    6.9MB

  • MD5

    3358cb22a9bf87607cb5db3a8e175444

  • SHA1

    c0e3009eb7785564419fea15a75f17f7e2197122

  • SHA256

    609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83

  • SHA512

    82fe94027da520454b0ad9a96d036a36e45b1a0b42734c706e22ff4169b2258c0d62eced0e1bcf6d1feded9ae75f1ae940f7bcc73a01b161af2b7c1f35180f99

  • SSDEEP

    196608:wW0fKLtr95HARqIrmVY8S50UL8Kj8yTwHvWY3Nzj:wtO/hAPmVNyEWeNzj

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Unexpected DNS network traffic destination 3 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 63 IoCs
  • Runs net.exe
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.exe
    "C:\Users\Admin\AppData\Local\Temp\609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4828
    • C:\Users\Admin\AppData\Local\Temp\is-0PLAM.tmp\609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-0PLAM.tmp\609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp" /SL5="$80170,6973457,68096,C:\Users\Admin\AppData\Local\Temp\609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:5048
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /Query
        3⤵
          PID:2156
        • C:\Program Files (x86)\ConvertWMA\wmaconvert.exe
          "C:\Program Files (x86)\ConvertWMA\wmaconvert.exe" -i
          3⤵
          • Executes dropped EXE
          PID:4520
        • C:\Program Files (x86)\ConvertWMA\wmaconvert.exe
          "C:\Program Files (x86)\ConvertWMA\wmaconvert.exe" -s
          3⤵
          • Executes dropped EXE
          PID:3060
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\system32\net.exe" helpmsg 11
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3088
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 helpmsg 11
            4⤵
              PID:1628

Network

MITRE ATT&CK Enterprise v15

Downloads

            • C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

              Filesize

              1.6MB

              MD5

              904084c7faa6984b6fdf02634916429a

              SHA1

              88fdf77437f19b7c9d8da30e038930a972563826

              SHA256

              4226d4568e9565f0e7fdde9ee26dea89e2af9b1889fbe6a5597b94847ee79e30

              SHA512

              38c2240049f64e1d7d81cb5349bec7318daf1e55fbfe781158986a759687720618364ba003ed4deba90e12da0cef54d6aa828492c1b402dfc6cde1bf996752ee

            • C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

              Filesize

              709KB

              MD5

              33eb0ae708e9ed21fd5736231565eb1f

              SHA1

              4e882db8a849b4ba818f74030e65918a6e9d6147

              SHA256

              4fbcc94d5ee98474b12f06da6786cd73e356b10082cff17b6eea9544a922e9b1

              SHA512

              bf42f293e83c0acad2eea73ac1e777b29946ab91a808cd0f708a546fff61592e47d962f7c5f8112eb400af62606a86599e443e120b7215079c6cda218e826a5d

            • C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

              Filesize

              268KB

              MD5

              e2f7c1c367cff0d22856b0dcd53652a9

              SHA1

              7090e2b20bd7c0f9a88af15b3f168fe39d1ba243

              SHA256

              5ff0ecfedab42211eeb1f99ecc579edfce527a122c1d7cbc3b4783f820945ab6

              SHA512

              2194872d4fae73e6c854761ddbcc4875e6374d8ea08b7025fa6d68836ca6cfe17d31cd1674873bf05f0ecb55d368349202e8bb92a7498dd682c0355066f868b9

            • C:\Users\Admin\AppData\Local\Temp\is-0PLAM.tmp\609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp

              Filesize

              327KB

              MD5

              386a9fa475ba699f3a7eb46ed8a53bcb

              SHA1

              afcc76755e3fe8b949ab06b486d0714fb024c4d7

              SHA256

              de5e93e13f5a620e29db0352833a98543100b7fd22aeb397ab79c26596265103

              SHA512

              8869faf32e5a314debc5ae6790d8e589de1c21e15a9ddc6ea55b1d359ecb94f154dd90e23a2630b53c713c9eb9057a66e97ec25f9de444b201918364b3f1b1f1

            • C:\Users\Admin\AppData\Local\Temp\is-0PLAM.tmp\609fbd1bbc940ddfa4e68a752488d9c1dc20b6c529ea10850583c7e41e204f83.tmp

              Filesize

              359KB

              MD5

              2056c108ad2c4c88365aff643a6126a1

              SHA1

              aa29bee3f3c0bf3af4713e01caa3b65bb5e06ced

              SHA256

              0c719c71f8b7283d02e614e9ab276c5c9ad04696173e23e7bce7f3dde5bf8367

              SHA512

              a2570250b5b706e1cfce0b9c3e0a6da656bad9f00138803b2be8b442b45348075462c3a22e1953d0b3ea6795dbed7d5af8b84593b415505187aebfab15dfb85d

            • C:\Users\Admin\AppData\Local\Temp\is-CKLLM.tmp\_isetup\_iscrypt.dll

              Filesize

              2KB

              MD5

              a69559718ab506675e907fe49deb71e9

              SHA1

              bc8f404ffdb1960b50c12ff9413c893b56f2e36f

              SHA256

              2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

              SHA512

              e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

            • C:\Users\Admin\AppData\Local\Temp\is-CKLLM.tmp\_isetup\_isdecmp.dll

              Filesize

              19KB

              MD5

              3adaa386b671c2df3bae5b39dc093008

              SHA1

              067cf95fbdb922d81db58432c46930f86d23dded

              SHA256

              71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

              SHA512

              bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

            • memory/3060-183-0x00000000008D0000-0x000000000096E000-memory.dmp

              Filesize

              632KB

            • memory/3060-170-0x0000000000400000-0x00000000005CF000-memory.dmp

              Filesize

              1.8MB

            • memory/3060-208-0x0000000000400000-0x00000000005CF000-memory.dmp

              Filesize

              1.8MB

            • memory/3060-205-0x0000000000400000-0x00000000005CF000-memory.dmp

              Filesize

              1.8MB

            • memory/3060-202-0x0000000000400000-0x00000000005CF000-memory.dmp

              Filesize

              1.8MB

            • memory/3060-199-0x0000000000400000-0x00000000005CF000-memory.dmp

              Filesize

              1.8MB

            • memory/3060-196-0x0000000000400000-0x00000000005CF000-memory.dmp

              Filesize

              1.8MB

            • memory/3060-157-0x0000000000400000-0x00000000005CF000-memory.dmp

              Filesize

              1.8MB

            • memory/3060-159-0x0000000000400000-0x00000000005CF000-memory.dmp

              Filesize

              1.8MB

            • memory/3060-193-0x0000000000400000-0x00000000005CF000-memory.dmp

              Filesize

              1.8MB

            • memory/3060-190-0x00000000008D0000-0x000000000096E000-memory.dmp

              Filesize

              632KB

            • memory/3060-162-0x0000000000400000-0x00000000005CF000-memory.dmp

              Filesize

              1.8MB

            • memory/3060-189-0x0000000000400000-0x00000000005CF000-memory.dmp

              Filesize

              1.8MB

            • memory/3060-166-0x0000000000400000-0x00000000005CF000-memory.dmp

              Filesize

              1.8MB

            • memory/3060-167-0x0000000000400000-0x00000000005CF000-memory.dmp

              Filesize

              1.8MB

            • memory/3060-186-0x0000000000400000-0x00000000005CF000-memory.dmp

              Filesize

              1.8MB

            • memory/3060-173-0x0000000000400000-0x00000000005CF000-memory.dmp

              Filesize

              1.8MB

            • memory/3060-176-0x0000000000400000-0x00000000005CF000-memory.dmp

              Filesize

              1.8MB

            • memory/3060-179-0x00000000008D0000-0x000000000096E000-memory.dmp

              Filesize

              632KB

            • memory/3060-180-0x0000000000400000-0x00000000005CF000-memory.dmp

              Filesize

              1.8MB

            • memory/4520-155-0x0000000000400000-0x00000000005CF000-memory.dmp

              Filesize

              1.8MB

            • memory/4520-154-0x0000000000400000-0x00000000005CF000-memory.dmp

              Filesize

              1.8MB

            • memory/4520-152-0x0000000000400000-0x00000000005CF000-memory.dmp

              Filesize

              1.8MB

            • memory/4520-151-0x0000000000400000-0x00000000005CF000-memory.dmp

              Filesize

              1.8MB

            • memory/4828-0-0x0000000000400000-0x0000000000418000-memory.dmp

              Filesize

              96KB

            • memory/4828-160-0x0000000000400000-0x0000000000418000-memory.dmp

              Filesize

              96KB

            • memory/4828-2-0x0000000000400000-0x0000000000418000-memory.dmp

              Filesize

              96KB

            • memory/5048-12-0x0000000002330000-0x0000000002331000-memory.dmp

              Filesize

              4KB

            • memory/5048-163-0x0000000002330000-0x0000000002331000-memory.dmp

              Filesize

              4KB

            • memory/5048-161-0x0000000000400000-0x00000000004BC000-memory.dmp

              Filesize

              752KB