14c6bda9f6678bc8c35cee7db76e053be509828c83eb3e7d5e7c7496fc72ddd4

General

Target

20ac13452bc8264cfa95cb2bb558c356.exe
Size

6.1MB
MD5

20ac13452bc8264cfa95cb2bb558c356
SHA1

0a5a4e4009c9e8ca7fd237a7db737da6cea39d9f
SHA256

14c6bda9f6678bc8c35cee7db76e053be509828c83eb3e7d5e7c7496fc72ddd4
SHA512

f900e8fa75f536b24e801f2c8a7bbfb4f2104944549b4d1b7172b606d36b484371182c7769e3bb9c89ecdb54c485a872e7cf7af591af4ab5dd3af5feca211946
SSDEEP

196608:LOCiRcsTQ6cyjKusmAB/DRdzuKTspRpkL8ZTnM2xG6YvJasKIzV:Ldi6sQ64tf/DRVuF7kLonZxHyvzV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2764	20ac13452bc8264cfa95cb2bb558c356.tmp

Loads dropped DLL 5 IoCs

pid	Process
2392	20ac13452bc8264cfa95cb2bb558c356.exe
2764	20ac13452bc8264cfa95cb2bb558c356.tmp
2764	20ac13452bc8264cfa95cb2bb558c356.tmp
2764	20ac13452bc8264cfa95cb2bb558c356.tmp
2764	20ac13452bc8264cfa95cb2bb558c356.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	20ac13452bc8264cfa95cb2bb558c356.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	20ac13452bc8264cfa95cb2bb558c356.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2764	20ac13452bc8264cfa95cb2bb558c356.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2764	2392	20ac13452bc8264cfa95cb2bb558c356.exe	17
PID 2392 wrote to memory of 2764	2392	20ac13452bc8264cfa95cb2bb558c356.exe	17
PID 2392 wrote to memory of 2764	2392	20ac13452bc8264cfa95cb2bb558c356.exe	17
PID 2392 wrote to memory of 2764	2392	20ac13452bc8264cfa95cb2bb558c356.exe	17
PID 2392 wrote to memory of 2764	2392	20ac13452bc8264cfa95cb2bb558c356.exe	17
PID 2392 wrote to memory of 2764	2392	20ac13452bc8264cfa95cb2bb558c356.exe	17
PID 2392 wrote to memory of 2764	2392	20ac13452bc8264cfa95cb2bb558c356.exe	17

C:\Users\Admin\AppData\Local\Temp\20ac13452bc8264cfa95cb2bb558c356.exe
"C:\Users\Admin\AppData\Local\Temp\20ac13452bc8264cfa95cb2bb558c356.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\is-BI5IM.tmp\20ac13452bc8264cfa95cb2bb558c356.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-BI5IM.tmp\20ac13452bc8264cfa95cb2bb558c356.tmp" /SL5="$90152,5844202,115200,C:\Users\Admin\AppData\Local\Temp\20ac13452bc8264cfa95cb2bb558c356.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-BI5IM.tmp\20ac13452bc8264cfa95cb2bb558c356.tmp

Filesize
60KB

MD5
4266a0a60e72d7be0ab195cb2a81d549

SHA1
b62cca484507c058331f2c1d55e840353c2b2f59

SHA256
1d30751b63a52238f252bffad3bde138c1f6e4a59ae3f879b941c32fe45f0dfa

SHA512
b372ed04e12c33c913511313c7bf2c48b90faafaf2c6e2a2550b7b10ffda684c51fb1a12a5aa5cd06eda704f79076a4b84a80c899a541447e561cc325db19c6f

Download Submit
\Users\Admin\AppData\Local\Temp\is-7ETS9.tmp\OptProHelper.dll

Filesize
1KB

MD5
b1c876a5b951d4af13b4e1aff78cd713

SHA1
a1fccf2bc5c8b565c1c025c06d1c750c6fe85521

SHA256
a99f81239b6a40139644e3d04a40082098ddca1a120d8509d1f17bd4594bcfb5

SHA512
52727ec6d15423b9ef9b11b472809cf3702f69dbb7163bfabf85d18d35bdf20408b03e73a9313b543e4f6b828c4e6b47a4bb2abd3e0cd2fdb3f8e073aa5b3ab6

Download Submit
\Users\Admin\AppData\Local\Temp\is-7ETS9.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-7ETS9.tmp\itdownload.dll

Filesize
42KB

MD5
c926bf197a2253cc21d1ccbb5f3d8553

SHA1
58310bd8dc881819a1460e2c8a3aa5a15d9a7385

SHA256
2c1920016e04083efaf761942e81a4a88eb6dac78b99c8ee4d8e04c4c224a30b

SHA512
f4d121336a71dbf287c15270598c9ebe8b2af76cfae37206452ac197a85e0cb888a36c9e955d360657306feb855d61531f285c77294edbcaa6a7964993167683

Download Submit
\Users\Admin\AppData\Local\Temp\is-BI5IM.tmp\20ac13452bc8264cfa95cb2bb558c356.tmp

Filesize
71KB

MD5
0158ca85a7fc0760eb57b78345628372

SHA1
43756ef6c678deb9d3a33ddf6cab3fc4098cfdea

SHA256
bf5cbc0c22c869c37280fa3b60cacca61cebef9d21ca042cada340d22f78ffd5

SHA512
a0ed0c992de89c1a1a4096ea2847de5c3b0ea7159856df9d12db54a552e24c7acc8a5133d71bfa22c7561732802efef327e779f5fafb87200a6fce7d049f7b07

Download Submit
memory/2392-24-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2392-1-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2764-18-0x00000000008A0000-0x00000000008DC000-memory.dmp

Filesize
240KB

Download
memory/2764-22-0x0000000003EE0000-0x0000000004027000-memory.dmp

Filesize
1.3MB

Download
memory/2764-27-0x0000000003EE0000-0x0000000004027000-memory.dmp

Filesize
1.3MB

Download
memory/2764-26-0x00000000008A0000-0x00000000008DC000-memory.dmp

Filesize
240KB

Download
memory/2764-25-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/2764-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2764-29-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/2764-32-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2764-33-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

Filesize
4KB

Download
memory/2764-35-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing