cb6b4a27af5fee734b162e9912712a2a55d6a265fc94282be6cf891f0e3ad7d0

General

Target

0745945b6caa86864d41738020591e6a.exe
Size

2.0MB
MD5

0745945b6caa86864d41738020591e6a
SHA1

3770b2bffefbe321fcbc03c771289f1c50e7864f
SHA256

cb6b4a27af5fee734b162e9912712a2a55d6a265fc94282be6cf891f0e3ad7d0
SHA512

1aa1405acb90c184e24ac02d42c7d7f27b4e70896b1c70621ea54d67684f7dd5058970852adf176777192102a6068bc80842119c2a6d0d4c24697e52b88600cf
SSDEEP

49152:o2oteZXJPE2aKP7j9e22dQrtzPB8P5GlPS9zQ7kA8k5majaBygB/q:FoIZ5PE222pt76PjlfeJjrgBC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2216	0745945b6caa86864d41738020591e6a.tmp

Loads dropped DLL 4 IoCs

pid	Process
1900	0745945b6caa86864d41738020591e6a.exe
2216	0745945b6caa86864d41738020591e6a.tmp
2216	0745945b6caa86864d41738020591e6a.tmp
2216	0745945b6caa86864d41738020591e6a.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2216	0745945b6caa86864d41738020591e6a.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2216	1900	0745945b6caa86864d41738020591e6a.exe	16
PID 1900 wrote to memory of 2216	1900	0745945b6caa86864d41738020591e6a.exe	16
PID 1900 wrote to memory of 2216	1900	0745945b6caa86864d41738020591e6a.exe	16
PID 1900 wrote to memory of 2216	1900	0745945b6caa86864d41738020591e6a.exe	16
PID 1900 wrote to memory of 2216	1900	0745945b6caa86864d41738020591e6a.exe	16
PID 1900 wrote to memory of 2216	1900	0745945b6caa86864d41738020591e6a.exe	16
PID 1900 wrote to memory of 2216	1900	0745945b6caa86864d41738020591e6a.exe	16

C:\Users\Admin\AppData\Local\Temp\is-5DRNQ.tmp\0745945b6caa86864d41738020591e6a.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5DRNQ.tmp\0745945b6caa86864d41738020591e6a.tmp" /SL5="$70122,1806965,72704,C:\Users\Admin\AppData\Local\Temp\0745945b6caa86864d41738020591e6a.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2216

C:\Users\Admin\AppData\Local\Temp\0745945b6caa86864d41738020591e6a.exe
"C:\Users\Admin\AppData\Local\Temp\0745945b6caa86864d41738020591e6a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-5DRNQ.tmp\0745945b6caa86864d41738020591e6a.tmp

Filesize
23KB

MD5
c7ca6d178aa0e19917ed46e51e15f29e

SHA1
68d0ef3f226620cec454faee41a11a5aa1d0a07b

SHA256
fd3f8fc63f1c166892e30a050c803be527b0c3cb7183062db088b26d56c037c8

SHA512
0e5b54bb22ea863630adfda2479ce64ffa7629da5b83a2060481ecdc123702e075d316f6748e437a8ae2b4fba3abf6278daf98d37bb3c0087112104936882b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5DRNQ.tmp\0745945b6caa86864d41738020591e6a.tmp

Filesize
5KB

MD5
8d0fe087e669c90c2db1a906f5111610

SHA1
590c6a5212033601dd9c1573124c474c06d2f117

SHA256
4164489e22724f6fd819656441669d808a967a1f2ad544a8f5171543ebfdc44b

SHA512
1007e51ffd37e3c39ef84d7bd68b26577ff4de244fb91c9e66cbc6894297ac964549372b42727009eaadc5412d329e37aaba00c31f1d4dd245e4dc82fa350cc7

Download Submit
\Users\Admin\AppData\Local\Temp\is-5DRNQ.tmp\0745945b6caa86864d41738020591e6a.tmp

Filesize
30KB

MD5
c0c2c4b663fa56ae70d9f8076aa3d858

SHA1
f431dcf6a923d0d32c4e319d3b30127800045e08

SHA256
6107bc557978b39c97c0232b265039f6a64b2e18d6cea2a8739459490209e9cb

SHA512
e3b22ea0178f8b49335ab98ff5e8a8aeb5ab2e77d6039942be0d68b721a2c3130fe0e623dee2da88219679d171b08e225289f57114aa57b33361693850b45584

Download Submit
\Users\Admin\AppData\Local\Temp\is-SL5TK.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-SL5TK.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-SL5TK.tmp\_isetup\_shfoldr.dll

Filesize
11KB

MD5
5adb9f7660fc3c52236aed195792834a

SHA1
aa8d3e4ec18fb2fc098363d880b9265b651dbb40

SHA256
02e0c1aaf0a384a3436ab6abac2d556dcae2c4dc258ae2a50f592fae1f346b2c

SHA512
b1ec0a8380a9332914e8e24c8b52c007bc63050ccbd58920537c4621faaff2cdfe33741c7cbe52f7c87e0d887ae1331e95f000305d3a9f19a3879a62d14ba382

Download Submit
memory/1900-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1900-2-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1900-20-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2216-12-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2216-21-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2216-24-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing