f57f8479bbd909018d0d9d6905daca0e2002a49a2ba9d930c3cd105a6b7ca302

General

Target

0eade894df6a630fac0070b78c735fe0.exe
Size

6.8MB
MD5

0eade894df6a630fac0070b78c735fe0
SHA1

c19f10a17d715c67fc47090f66956e9cb8f3d625
SHA256

f57f8479bbd909018d0d9d6905daca0e2002a49a2ba9d930c3cd105a6b7ca302
SHA512

9d0f6e79e93e3b50b2a793061b29fb7a8153586e9fd88fcb93703a464504af4f0d3d3063a5d30b7dcfb1b282a759b1b603b91709fa2639efb04f44861fd215f4
SSDEEP

196608:JGEGnqSnezwC5jtzcVklC0eOJYkuse4BUfS:fIWj5jtzcklLeOwseH6

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1248	0eade894df6a630fac0070b78c735fe0.tmp
2596	wmfdist.exe
2696	CardRecoveryEFO.exe

Loads dropped DLL 4 IoCs

pid	Process
2952	0eade894df6a630fac0070b78c735fe0.exe
1248	0eade894df6a630fac0070b78c735fe0.tmp
1248	0eade894df6a630fac0070b78c735fe0.tmp
1248	0eade894df6a630fac0070b78c735fe0.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\EFO Recovery\wmfdist.exe	0eade894df6a630fac0070b78c735fe0.tmp
File created	C:\Program Files (x86)\EFO Recovery\is-5AT91.tmp	0eade894df6a630fac0070b78c735fe0.tmp
File created	C:\Program Files (x86)\EFO Recovery\is-VUBQF.tmp	0eade894df6a630fac0070b78c735fe0.tmp
File created	C:\Program Files (x86)\EFO Recovery\is-559F2.tmp	0eade894df6a630fac0070b78c735fe0.tmp
File opened for modification	C:\Program Files (x86)\EFO Recovery\unins000.dat	0eade894df6a630fac0070b78c735fe0.tmp
File opened for modification	C:\Program Files (x86)\EFO Recovery\CardRecoveryEFO.exe	0eade894df6a630fac0070b78c735fe0.tmp
File opened for modification	C:\Program Files (x86)\EFO Recovery\sqlite3.dll	0eade894df6a630fac0070b78c735fe0.tmp
File created	C:\Program Files (x86)\EFO Recovery\unins000.dat	0eade894df6a630fac0070b78c735fe0.tmp
File created	C:\Program Files (x86)\EFO Recovery\is-05QGQ.tmp	0eade894df6a630fac0070b78c735fe0.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1248	0eade894df6a630fac0070b78c735fe0.tmp
1248	0eade894df6a630fac0070b78c735fe0.tmp
2696	CardRecoveryEFO.exe
2696	CardRecoveryEFO.exe
2696	CardRecoveryEFO.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1248	0eade894df6a630fac0070b78c735fe0.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 1248	2952	0eade894df6a630fac0070b78c735fe0.exe	18
PID 2952 wrote to memory of 1248	2952	0eade894df6a630fac0070b78c735fe0.exe	18
PID 2952 wrote to memory of 1248	2952	0eade894df6a630fac0070b78c735fe0.exe	18
PID 2952 wrote to memory of 1248	2952	0eade894df6a630fac0070b78c735fe0.exe	18
PID 2952 wrote to memory of 1248	2952	0eade894df6a630fac0070b78c735fe0.exe	18
PID 2952 wrote to memory of 1248	2952	0eade894df6a630fac0070b78c735fe0.exe	18
PID 2952 wrote to memory of 1248	2952	0eade894df6a630fac0070b78c735fe0.exe	18
PID 1248 wrote to memory of 2596	1248	0eade894df6a630fac0070b78c735fe0.tmp	23
PID 1248 wrote to memory of 2596	1248	0eade894df6a630fac0070b78c735fe0.tmp	23
PID 1248 wrote to memory of 2596	1248	0eade894df6a630fac0070b78c735fe0.tmp	23
PID 1248 wrote to memory of 2596	1248	0eade894df6a630fac0070b78c735fe0.tmp	23
PID 1248 wrote to memory of 2596	1248	0eade894df6a630fac0070b78c735fe0.tmp	23
PID 1248 wrote to memory of 2596	1248	0eade894df6a630fac0070b78c735fe0.tmp	23
PID 1248 wrote to memory of 2596	1248	0eade894df6a630fac0070b78c735fe0.tmp	23
PID 1248 wrote to memory of 2696	1248	0eade894df6a630fac0070b78c735fe0.tmp	22
PID 1248 wrote to memory of 2696	1248	0eade894df6a630fac0070b78c735fe0.tmp	22
PID 1248 wrote to memory of 2696	1248	0eade894df6a630fac0070b78c735fe0.tmp	22
PID 1248 wrote to memory of 2696	1248	0eade894df6a630fac0070b78c735fe0.tmp	22

C:\Users\Admin\AppData\Local\Temp\0eade894df6a630fac0070b78c735fe0.exe
"C:\Users\Admin\AppData\Local\Temp\0eade894df6a630fac0070b78c735fe0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Local\Temp\is-7UUQG.tmp\0eade894df6a630fac0070b78c735fe0.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-7UUQG.tmp\0eade894df6a630fac0070b78c735fe0.tmp" /SL5="$70120,6390235,721408,C:\Users\Admin\AppData\Local\Temp\0eade894df6a630fac0070b78c735fe0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Program Files (x86)\EFO Recovery\CardRecoveryEFO.exe
    "C:\Program Files (x86)\EFO Recovery\CardRecoveryEFO.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2696
- - C:\Program Files (x86)\EFO Recovery\wmfdist.exe
    "C:\Program Files (x86)\EFO Recovery\wmfdist.exe" /Q:A /R:N
    3⤵
    - Executes dropped EXE
    PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\EFO Recovery\wmfdist.exe

Filesize
894KB

MD5
62caef482aac63af2437d8dbfcf7e336

SHA1
bdbc2ff16acfa5143736e7cb902dabdd6c8b0cad

SHA256
d235a14956188ab24d4adc56deeb23887c777fa32448eaf2a9b48f4d91cab68d

SHA512
b51352f339b6f118aa33fc972c9f585f1d7f4667423aaeee7e8b352cfb3af53da8b493791bd45409681c17e55db5387e647867123b69272771aa4eb480a9d314

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UUQG.tmp\0eade894df6a630fac0070b78c735fe0.tmp

Filesize
92KB

MD5
e3bd2dd07d94b742b5e3bddfd1304a84

SHA1
aaff04a80b171e38918dc8dad54ab5a27d95cc13

SHA256
dbfae24ff1a0b94676529839461ccda94b6d810124c48b1d849c832ab457e1c8

SHA512
75ab4b8889e8d3fee472a323e833c13ca8b63cf42dc1d9a83a6543fbb1d8ce7f5380806b6d854c7fc8a54f4bcff42b78853300eaf1ed8d68576f155761ba3dbd

Download Submit
\Program Files (x86)\EFO Recovery\wmfdist.exe

Filesize
856KB

MD5
a02675c8c7b0be8ab9a5ac59b95c2616

SHA1
c37541f83f94b2443facfe8a7d68089a60677bbe

SHA256
fecdfda2818787a5c062cf61c206244ec58eafda55f0ed4f38279ebed5f71f13

SHA512
0662ca0b7ac858642b16d3c6b73e2bddc92c82a7b42c60f14bb1e6e1150a94e5ffb588d064d69120636a8c1d982f36be421f7201c55a59245cdc1c54874d2d3c

Download Submit
memory/1248-38-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/1248-7-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1248-43-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2696-35-0x0000000000400000-0x00000000011E3000-memory.dmp

Filesize
13.9MB

Download
memory/2696-36-0x0000000000400000-0x00000000011E3000-memory.dmp

Filesize
13.9MB

Download
memory/2696-39-0x0000000000400000-0x00000000011E3000-memory.dmp

Filesize
13.9MB

Download
memory/2696-49-0x0000000000400000-0x00000000011E3000-memory.dmp

Filesize
13.9MB

Download
memory/2696-52-0x0000000000400000-0x00000000011E3000-memory.dmp

Filesize
13.9MB

Download
memory/2696-64-0x0000000000400000-0x00000000011E3000-memory.dmp

Filesize
13.9MB

Download
memory/2696-73-0x0000000000400000-0x00000000011E3000-memory.dmp

Filesize
13.9MB

Download
memory/2696-83-0x0000000000400000-0x00000000011E3000-memory.dmp

Filesize
13.9MB

Download
memory/2952-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2952-37-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download

Analysis

Sharing