1471675ea691758074d59a20c8d9edd5fa4b72fdf6dbccc15c1d7519d094a8f3

General

Target

1f144611a468922a230f9e91e555b1be.exe
Size

1.6MB
MD5

1f144611a468922a230f9e91e555b1be
SHA1

a7f41835a1c237292e32d6b77dfa4406e6df52b2
SHA256

1471675ea691758074d59a20c8d9edd5fa4b72fdf6dbccc15c1d7519d094a8f3
SHA512

900c196ddafcf0e5ef77e78226839b3a87a92a70a5920ab93269112ddedb53c119a8728d9d650ece9729267f9ba52a222ebebd65d3b9b76591a83f70c885fd02
SSDEEP

24576:HTJNCX4btC/vnWr8fuXUVMMIhWLwJKd8l4LYWKt4NB69bA5rV4Yihe5CpnE:6IpgWNMjLwQdQ4/KGNBebA5rOYiZnE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1668	1f144611a468922a230f9e91e555b1be.tmp

Loads dropped DLL 3 IoCs

pid	Process
824	1f144611a468922a230f9e91e555b1be.exe
1668	1f144611a468922a230f9e91e555b1be.tmp
1668	1f144611a468922a230f9e91e555b1be.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1668	1f144611a468922a230f9e91e555b1be.tmp
1668	1f144611a468922a230f9e91e555b1be.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1668	1f144611a468922a230f9e91e555b1be.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 1668	824	1f144611a468922a230f9e91e555b1be.exe	17
PID 824 wrote to memory of 1668	824	1f144611a468922a230f9e91e555b1be.exe	17
PID 824 wrote to memory of 1668	824	1f144611a468922a230f9e91e555b1be.exe	17
PID 824 wrote to memory of 1668	824	1f144611a468922a230f9e91e555b1be.exe	17
PID 824 wrote to memory of 1668	824	1f144611a468922a230f9e91e555b1be.exe	17
PID 824 wrote to memory of 1668	824	1f144611a468922a230f9e91e555b1be.exe	17
PID 824 wrote to memory of 1668	824	1f144611a468922a230f9e91e555b1be.exe	17

C:\Users\Admin\AppData\Local\Temp\1f144611a468922a230f9e91e555b1be.exe
"C:\Users\Admin\AppData\Local\Temp\1f144611a468922a230f9e91e555b1be.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:824
- C:\Users\Admin\AppData\Local\Temp\is-7MOOE.tmp\1f144611a468922a230f9e91e555b1be.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-7MOOE.tmp\1f144611a468922a230f9e91e555b1be.tmp" /SL5="$40026,987698,70144,C:\Users\Admin\AppData\Local\Temp\1f144611a468922a230f9e91e555b1be.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-7MOOE.tmp\1f144611a468922a230f9e91e555b1be.tmp

Filesize
894KB

MD5
6f22f344d4fd83c732b134da60d0fa72

SHA1
ac5cb7b494857aa4842f35dcececccf5dc97b51a

SHA256
9b21c0bc06663d0f45041e6bcd68a5c1bfbe4cbdebda115d45712b31dff4513f

SHA512
4a6b4a706c380a3f51b2be369e0cfd67cb96c94c289d9786902de177fb972faac3d4d6cf4a76b23e90cc3605edda97385f46be2264f584ad82accbf26b7a7d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7MOOE.tmp\1f144611a468922a230f9e91e555b1be.tmp

Filesize
382KB

MD5
1b5f147df9c15ca30fa680c2c46ada5b

SHA1
6a7b629e67f93686db08834adf9dc4021dbdd64a

SHA256
c30347f8b2c6555d5602feb801014837384804e9136042a9f8a9bbea7973289d

SHA512
f24246a44e6c8a7b909ee1343dcc006abba7409639236a0d3e2357a32055395c361fbc481196de5357e7c77a524fba4a7ba6da7da5186b5ec640db6b482a7902

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-91GVO.tmp\setupcfg.ini

Filesize
44B

MD5
e8a04e198785b5f47d6bf31c5af564e6

SHA1
81c5c235fbf6d1df22261203782865cf4a693112

SHA256
dc67ed892d36ebd43a2214ad708a11edcadcfcdc94cb3079dd64e20041f9e5d0

SHA512
1a6d9d63fc97f9cf489a8bdf81b3b81b21f7880ece657beaf9706dbd1f040cbda87f664a8452583ac69777824d58c54f19874822c03b8f05d03bbf61dff2779f

Download Submit
\Users\Admin\AppData\Local\Temp\is-7MOOE.tmp\1f144611a468922a230f9e91e555b1be.tmp

Filesize
401KB

MD5
700fa26d3337853cef0eae5b950e2536

SHA1
69522a0110a8df6e09d028195e19f32fedbd0da2

SHA256
4c7238a823325fb0c9cda52930c59c78edfb7e737e57c025a679999aa6cb04fe

SHA512
9353f397bfce39adc4b550137aab0ad3a26f21c508f2bbc5b6ea8b13645d00fde79e3a5803f023f6a2c4729854904d3606544e0953b3545c962418e3e8a6c2af

Download Submit
\Users\Admin\AppData\Local\Temp\is-91GVO.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/824-2-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/824-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/824-42-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1668-9-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1668-43-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1668-46-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing