067454e4c56e421442cd036923c2a8b7f60f4f4ce59f4243160d36f959d1bff1

General

Target

1f8187292660e4ab4a567f917ed5fee8.exe
Size

5.5MB
MD5

1f8187292660e4ab4a567f917ed5fee8
SHA1

832442b51532bff1a93b62e8a64509d81ea58294
SHA256

067454e4c56e421442cd036923c2a8b7f60f4f4ce59f4243160d36f959d1bff1
SHA512

be84f01f27898e933be08e5cbe75a2cdf976f5dc99876bf67171fb9c94b25863e41a823aef89ca52c3d87694ca4eb065425b1312a64baea78ca70de673a76330
SSDEEP

98304:gvSYro+waPiQjmjP028bc0TtJEJNx5DJXMWbD0nLWI9HJn6wz6+Ln7kr+qrRW6Ja:WpUwjmjc28Imk3jsymJn62t3UE6llYn

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components	1f8187292660e4ab4a567f917ed5fee8.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}	1f8187292660e4ab4a567f917ed5fee8.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}	1f8187292660e4ab4a567f917ed5fee8.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4340}	1f8187292660e4ab4a567f917ed5fee8.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463C-AFF1-A69D9E530F96}	1f8187292660e4ab4a567f917ed5fee8.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}	1f8187292660e4ab4a567f917ed5fee8.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11D3-B153-00C04F79FAA6}	1f8187292660e4ab4a567f917ed5fee8.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}	1f8187292660e4ab4a567f917ed5fee8.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}	1f8187292660e4ab4a567f917ed5fee8.tmp

Executes dropped EXE 1 IoCs

pid	Process
3024	1f8187292660e4ab4a567f917ed5fee8.tmp

Loads dropped DLL 4 IoCs

pid	Process
356	1f8187292660e4ab4a567f917ed5fee8.exe
3024	1f8187292660e4ab4a567f917ed5fee8.tmp
3024	1f8187292660e4ab4a567f917ed5fee8.tmp
3024	1f8187292660e4ab4a567f917ed5fee8.tmp

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2804	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3024	1f8187292660e4ab4a567f917ed5fee8.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 356 wrote to memory of 3024	356	1f8187292660e4ab4a567f917ed5fee8.exe	28
PID 356 wrote to memory of 3024	356	1f8187292660e4ab4a567f917ed5fee8.exe	28
PID 356 wrote to memory of 3024	356	1f8187292660e4ab4a567f917ed5fee8.exe	28
PID 356 wrote to memory of 3024	356	1f8187292660e4ab4a567f917ed5fee8.exe	28
PID 356 wrote to memory of 3024	356	1f8187292660e4ab4a567f917ed5fee8.exe	28
PID 356 wrote to memory of 3024	356	1f8187292660e4ab4a567f917ed5fee8.exe	28
PID 356 wrote to memory of 3024	356	1f8187292660e4ab4a567f917ed5fee8.exe	28
PID 3024 wrote to memory of 2764	3024	1f8187292660e4ab4a567f917ed5fee8.tmp	29
PID 3024 wrote to memory of 2764	3024	1f8187292660e4ab4a567f917ed5fee8.tmp	29
PID 3024 wrote to memory of 2764	3024	1f8187292660e4ab4a567f917ed5fee8.tmp	29
PID 3024 wrote to memory of 2764	3024	1f8187292660e4ab4a567f917ed5fee8.tmp	29
PID 2764 wrote to memory of 2804	2764	cmd.exe	31
PID 2764 wrote to memory of 2804	2764	cmd.exe	31
PID 2764 wrote to memory of 2804	2764	cmd.exe	31
PID 2764 wrote to memory of 2804	2764	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\1f8187292660e4ab4a567f917ed5fee8.exe
"C:\Users\Admin\AppData\Local\Temp\1f8187292660e4ab4a567f917ed5fee8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:356
- C:\Users\Admin\AppData\Local\Temp\is-44CHU.tmp\1f8187292660e4ab4a567f917ed5fee8.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-44CHU.tmp\1f8187292660e4ab4a567f917ed5fee8.tmp" /SL5="$5014E,5495633,56832,C:\Users\Admin\AppData\Local\Temp\1f8187292660e4ab4a567f917ed5fee8.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-EIFSI.tmp\ex.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-44CHU.tmp\1f8187292660e4ab4a567f917ed5fee8.tmp

Filesize
160KB

MD5
1b90baade036c74a61bf32bbbe2c5c2b

SHA1
b4e8019a5683821e6c9fefb7ccd989e40fa925e9

SHA256
3cf08cf0b3e3052186e1a6ba47b096d862117db9bb125541333734c63cc0ec9a

SHA512
ded9824dc59d3a026e6a522ffdcbcd7b85f6e0b9dc93c9d9a7c04d02d92ab8ea1568bf9df8029e50c38175b95944e7e9ada1e62c19f3969cf5793f35777d44dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EIFSI.tmp\ex.bat

Filesize
786B

MD5
59cd6d362574f68058171536b8679dc9

SHA1
775eb8b41a72f7b2caef6418468d366207ad8a04

SHA256
853bac6735a1abc969f6a427bf2f44b77e4cea8ce6ea18b29f526b1d89849a63

SHA512
1b8e8284521f1260fb4c690aee94fe0101984db9d2f81d9e07e8e25ab0771453516dcaa707b20cda88e94d9cc9261abbf3554a751a642cf9886b0ff328885505

Download Submit
\Users\Admin\AppData\Local\Temp\is-44CHU.tmp\1f8187292660e4ab4a567f917ed5fee8.tmp

Filesize
691KB

MD5
24c26b99dd41ade8904deac62dc652ec

SHA1
7f7128fb6858929d3634bc093770830c759b09c5

SHA256
e2877ee4bce324043f7635ae962110d7fc9dfe1af8eb75d352e83aaa55af3c06

SHA512
0cf836d10bc9012348fb3433b52b825e34ee04ed247c13337e35d2c6bba48667a85331c2dedffd6305b76b18c733d485d6d185158cd3fb77a53f8a0c7122c78d

Download Submit
\Users\Admin\AppData\Local\Temp\is-EIFSI.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-EIFSI.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
memory/356-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/356-31-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/356-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2804-24-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Filesize
256KB

Download
memory/2804-23-0x0000000073790000-0x0000000073D3B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-25-0x0000000073790000-0x0000000073D3B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-27-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Filesize
256KB

Download
memory/2804-26-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Filesize
256KB

Download
memory/2804-28-0x0000000073790000-0x0000000073D3B000-memory.dmp

Filesize
5.7MB

Download
memory/3024-17-0x0000000000650000-0x000000000068C000-memory.dmp

Filesize
240KB

Download
memory/3024-33-0x0000000000650000-0x000000000068C000-memory.dmp

Filesize
240KB

Download
memory/3024-32-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3024-14-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3024-37-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads