8d7471f66c3d67a3baa4af0b46486a4b41dc09f622bb93c179a8fb0ae853446e

General

Target

11a2bb7682b29931ba28923f4b1ade78.exe
Size

385KB
MD5

11a2bb7682b29931ba28923f4b1ade78
SHA1

121bbac766fa309488f52cd9736539d209494982
SHA256

8d7471f66c3d67a3baa4af0b46486a4b41dc09f622bb93c179a8fb0ae853446e
SHA512

11006003b71ae01ac1a0bf662b180a1463b051f5fdaa15076275468b89531dea31fbcecb5a508c468c2561b6305b879b5a4c6458f775595d1fd0a6bfb58bb334
SSDEEP

12288:YQiGmCL8+iDNdRI+MBTlPadSfXioRcpMXVJof:YQizi8DdFMBTlP0QjcpMXVJof

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2060	11a2bb7682b29931ba28923f4b1ade78.tmp

Loads dropped DLL 4 IoCs

pid	Process
2296	11a2bb7682b29931ba28923f4b1ade78.exe
2060	11a2bb7682b29931ba28923f4b1ade78.tmp
2060	11a2bb7682b29931ba28923f4b1ade78.tmp
2060	11a2bb7682b29931ba28923f4b1ade78.tmp

Script User-Agent 8 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2060	2296	11a2bb7682b29931ba28923f4b1ade78.exe	14
PID 2296 wrote to memory of 2060	2296	11a2bb7682b29931ba28923f4b1ade78.exe	14
PID 2296 wrote to memory of 2060	2296	11a2bb7682b29931ba28923f4b1ade78.exe	14
PID 2296 wrote to memory of 2060	2296	11a2bb7682b29931ba28923f4b1ade78.exe	14
PID 2296 wrote to memory of 2060	2296	11a2bb7682b29931ba28923f4b1ade78.exe	14
PID 2296 wrote to memory of 2060	2296	11a2bb7682b29931ba28923f4b1ade78.exe	14
PID 2296 wrote to memory of 2060	2296	11a2bb7682b29931ba28923f4b1ade78.exe	14

C:\Users\Admin\AppData\Local\Temp\is-HUGSS.tmp\11a2bb7682b29931ba28923f4b1ade78.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HUGSS.tmp\11a2bb7682b29931ba28923f4b1ade78.tmp" /SL5="$40156,138429,56832,C:\Users\Admin\AppData\Local\Temp\11a2bb7682b29931ba28923f4b1ade78.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060

C:\Users\Admin\AppData\Local\Temp\11a2bb7682b29931ba28923f4b1ade78.exe
"C:\Users\Admin\AppData\Local\Temp\11a2bb7682b29931ba28923f4b1ade78.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-HUGSS.tmp\11a2bb7682b29931ba28923f4b1ade78.tmp

Filesize
571KB

MD5
cfb626847b806098825bc9227e26f33e

SHA1
9cb575d043bb40ec8d7db43666b597fad18d0a04

SHA256
06ada55096ffc74208b33a70f06cb30846b188ee0bf3c7c0280c4c935d89d73b

SHA512
526ff0377d226f3439b5c8efd7f3af98032bc9a56f338333dfd02f9c5d9a1cc2d6113d73d0d9094ef7884af62a58affb686d9045fbc831ebf8bd0f37e42bbae6

Download Submit
\Users\Admin\AppData\Local\Temp\is-HUGSS.tmp\11a2bb7682b29931ba28923f4b1ade78.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
\Users\Admin\AppData\Local\Temp\is-O3IMD.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-O3IMD.tmp\itdownload.dll

Filesize
92KB

MD5
4f32fb89741e09ca5039c22f584f233b

SHA1
f4c074564c8f34a5f0cb0d0dd0a4c9d75e8c3709

SHA256
a956d740748feeb5e5e2ed1ecc04cba2f08445bc07df788715e4e3c4bf1d01d3

SHA512
2ac62e1bf9b342478e8158d728ff94c15f0415c9df49e2dea3f15383eac7ba38f9c64d3d2a14fa504c874e6ba595d15a3223dfdc60246a8af39be2c0cdbfe723

Download Submit
memory/2060-24-0x00000000003B0000-0x00000000003EC000-memory.dmp

Filesize
240KB

Download
memory/2060-8-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2060-17-0x00000000003B0000-0x00000000003EC000-memory.dmp

Filesize
240KB

Download
memory/2060-20-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2060-21-0x00000000003B0000-0x00000000003EC000-memory.dmp

Filesize
240KB

Download
memory/2060-23-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2060-25-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2060-26-0x00000000003B0000-0x00000000003EC000-memory.dmp

Filesize
240KB

Download
memory/2296-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2296-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2296-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2296-28-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing