15e7bbb40e232b0ef7dfddd396dc76fbca3392b3f8425b29bb9e4f2e71d80399

General

Target

34692030cc60c66ddbf0fc07453cf957.exe
Size

2.2MB
MD5

34692030cc60c66ddbf0fc07453cf957
SHA1

42da08eb98d389567576658570f158ba91e72b6e
SHA256

15e7bbb40e232b0ef7dfddd396dc76fbca3392b3f8425b29bb9e4f2e71d80399
SHA512

64bbacc2da2c316f75b6aa35ca7b69b40c66e3a697cd1aea676bb48e913e67a9187057beb9a1aeca3520fd79aa94558b919d890face145995cc405a442eb7a0c
SSDEEP

49152:mVZGK3uCyrppFvdHBteJIigkLdqZK7j6eKebA5rOYiZnj:ZKVyrpndHBwJIig27jXKebSivZnj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2160	34692030cc60c66ddbf0fc07453cf957.tmp

Loads dropped DLL 4 IoCs

pid	Process
1716	34692030cc60c66ddbf0fc07453cf957.exe
2160	34692030cc60c66ddbf0fc07453cf957.tmp
2160	34692030cc60c66ddbf0fc07453cf957.tmp
2160	34692030cc60c66ddbf0fc07453cf957.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2160	34692030cc60c66ddbf0fc07453cf957.tmp
2160	34692030cc60c66ddbf0fc07453cf957.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2160	34692030cc60c66ddbf0fc07453cf957.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2160	1716	34692030cc60c66ddbf0fc07453cf957.exe	28
PID 1716 wrote to memory of 2160	1716	34692030cc60c66ddbf0fc07453cf957.exe	28
PID 1716 wrote to memory of 2160	1716	34692030cc60c66ddbf0fc07453cf957.exe	28
PID 1716 wrote to memory of 2160	1716	34692030cc60c66ddbf0fc07453cf957.exe	28
PID 1716 wrote to memory of 2160	1716	34692030cc60c66ddbf0fc07453cf957.exe	28
PID 1716 wrote to memory of 2160	1716	34692030cc60c66ddbf0fc07453cf957.exe	28
PID 1716 wrote to memory of 2160	1716	34692030cc60c66ddbf0fc07453cf957.exe	28

C:\Users\Admin\AppData\Local\Temp\34692030cc60c66ddbf0fc07453cf957.exe
"C:\Users\Admin\AppData\Local\Temp\34692030cc60c66ddbf0fc07453cf957.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\is-D6VOD.tmp\34692030cc60c66ddbf0fc07453cf957.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-D6VOD.tmp\34692030cc60c66ddbf0fc07453cf957.tmp" /SL5="$40016,1666468,70144,C:\Users\Admin\AppData\Local\Temp\34692030cc60c66ddbf0fc07453cf957.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-D6VOD.tmp\34692030cc60c66ddbf0fc07453cf957.tmp

Filesize
733KB

MD5
b2a334153f1d7dede0a74f25536699f6

SHA1
f8ffedfc895cd14f655f03d57c0f125a7e7ee332

SHA256
db65f92a6ac60cb9bf2b400d6460eff1d352e696a593ea1b6f029259bda8292d

SHA512
3e6e0ecd7c709d504341477b56c21aa7c254291ca686b2f7b3d25b5be050d4f1fecd5c4a8f2906304a71316762e33515fcb0f841d5b026538edb22bccdbaacaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D6VOD.tmp\34692030cc60c66ddbf0fc07453cf957.tmp

Filesize
1.1MB

MD5
cd1cebdfbc45cfa779a2cd4e66f207b2

SHA1
fb7d2c5658021a3941418e955f3199976d728d3e

SHA256
994f716207bc77d00e3cc0d764d5fc97602495543ec9e90273c66931dbd7316b

SHA512
d2c4ccc7be5e023a17e6fd09e1010b5fe569e67911e7aacd2649e53300d0fe61b39186f8dbb8abdc57c316ccfc0221647fa671a158e3e39b9e71e9943a4e1f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VLDHF.tmp\RI_AfterDot.bmp

Filesize
84B

MD5
7ccd5a0af4da51cf4962f184fcf9456a

SHA1
de37f4521fa7fee49b37898f4136728e8971ee0f

SHA256
8f2374b30622dfae1fd0b9706520de34c5e1597c1531fddbff65bc0201132ac7

SHA512
d7c4fbc6a4413dc457400fa2e026dea5d639a5b413164cc6939284c46bb46b6ae8ff10184ba2da4f32ace89646b026400db2a49dd9894d71e88d003a91c8267a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VLDHF.tmp\setupcfg.ini

Filesize
44B

MD5
d4b9c1534fbfdcf87a7eccac17f3d792

SHA1
09d80183e68472959274eb92f141b27efe60e7e3

SHA256
f7bf7ea6b6a4f994c815915a493424f2999a7c2c7a497d3c6c4133be5258f8e6

SHA512
2a1b814d38ae2b98d4960231a39c3d65323617ccbe9aada6aeb796813c16a1510f5dfec572e7520444843dcc40d0db6f000d3740ea5be51aa7b437fc2ee96b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VLDHF.tmp\tbr_dots.bmp

Filesize
164B

MD5
adc799ec79eeaef366ea4dddf099c3ae

SHA1
556c915615a34a2499604b7b732ab304b20fdd4e

SHA256
7e7f18c73560f9c020abe1ab1f22705083281e2ea16ab0030fc927901b5b5d1e

SHA512
76962a17cc26d3f9886828be4e43373ac530165e1c627272ed7c0bc731133e97608e55d2e31f44592aad0d0974352155f41a0718aa0666ec128406b1050c1d6c

Download Submit
\Users\Admin\AppData\Local\Temp\is-D6VOD.tmp\34692030cc60c66ddbf0fc07453cf957.tmp

Filesize
1024KB

MD5
89e8fa0fdc8ad4cd4bdccb2182267949

SHA1
63af5bc3e76566ca0975e1d5d024a6701eadb363

SHA256
b80b28231ea6164a3b6b9012f227780fa76bd69d18c67648742ebd8fdc644b73

SHA512
1e67fb93e46f63448a616027dda526312a16454c3a6aa55b31dda7790bc38f9caafc7e8beb25d06d5734f1596cf707334601c578fc089648357543af1874a74b

Download Submit
\Users\Admin\AppData\Local\Temp\is-VLDHF.tmp\DownLib.dll

Filesize
183KB

MD5
db25dfdd4c1f2b65c68a230881072695

SHA1
94cd6a3438041f0e61b0a1bea7b66461854efe69

SHA256
1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

SHA512
db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

Download Submit
\Users\Admin\AppData\Local\Temp\is-VLDHF.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1716-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1716-165-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2160-21-0x0000000000B80000-0x0000000000BB7000-memory.dmp

Filesize
220KB

Download
memory/2160-7-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2160-166-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2160-167-0x0000000000B80000-0x0000000000BB7000-memory.dmp

Filesize
220KB

Download
memory/2160-171-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing