f57f8479bbd909018d0d9d6905daca0e2002a49a2ba9d930c3cd105a6b7ca302

General

Target

0eade894df6a630fac0070b78c735fe0.exe
Size

6.8MB
MD5

0eade894df6a630fac0070b78c735fe0
SHA1

c19f10a17d715c67fc47090f66956e9cb8f3d625
SHA256

f57f8479bbd909018d0d9d6905daca0e2002a49a2ba9d930c3cd105a6b7ca302
SHA512

9d0f6e79e93e3b50b2a793061b29fb7a8153586e9fd88fcb93703a464504af4f0d3d3063a5d30b7dcfb1b282a759b1b603b91709fa2639efb04f44861fd215f4
SSDEEP

196608:JGEGnqSnezwC5jtzcVklC0eOJYkuse4BUfS:fIWj5jtzcklLeOwseH6

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2036	0eade894df6a630fac0070b78c735fe0.tmp
1516	wmfdist.exe
4556	CardRecoveryEFO.exe

Loads dropped DLL 1 IoCs

pid	Process
2036	0eade894df6a630fac0070b78c735fe0.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\EFO Recovery\sqlite3.dll	0eade894df6a630fac0070b78c735fe0.tmp
File opened for modification	C:\Program Files (x86)\EFO Recovery\wmfdist.exe	0eade894df6a630fac0070b78c735fe0.tmp
File created	C:\Program Files (x86)\EFO Recovery\is-PLL5S.tmp	0eade894df6a630fac0070b78c735fe0.tmp
File opened for modification	C:\Program Files (x86)\EFO Recovery\CardRecoveryEFO.exe	0eade894df6a630fac0070b78c735fe0.tmp
File created	C:\Program Files (x86)\EFO Recovery\is-B1LL0.tmp	0eade894df6a630fac0070b78c735fe0.tmp
File created	C:\Program Files (x86)\EFO Recovery\is-CSMVO.tmp	0eade894df6a630fac0070b78c735fe0.tmp
File created	C:\Program Files (x86)\EFO Recovery\is-R44OO.tmp	0eade894df6a630fac0070b78c735fe0.tmp
File opened for modification	C:\Program Files (x86)\EFO Recovery\unins000.dat	0eade894df6a630fac0070b78c735fe0.tmp
File created	C:\Program Files (x86)\EFO Recovery\unins000.dat	0eade894df6a630fac0070b78c735fe0.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1704	4556	WerFault.exe	95
5012	4556	WerFault.exe	95
1368	4556	WerFault.exe	95
776	4556	WerFault.exe	95

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2036	0eade894df6a630fac0070b78c735fe0.tmp
2036	0eade894df6a630fac0070b78c735fe0.tmp
4556	CardRecoveryEFO.exe
4556	CardRecoveryEFO.exe
4556	CardRecoveryEFO.exe
4556	CardRecoveryEFO.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2036	0eade894df6a630fac0070b78c735fe0.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 2036	1880	0eade894df6a630fac0070b78c735fe0.exe	91
PID 1880 wrote to memory of 2036	1880	0eade894df6a630fac0070b78c735fe0.exe	91
PID 1880 wrote to memory of 2036	1880	0eade894df6a630fac0070b78c735fe0.exe	91
PID 2036 wrote to memory of 1516	2036	0eade894df6a630fac0070b78c735fe0.tmp	96
PID 2036 wrote to memory of 1516	2036	0eade894df6a630fac0070b78c735fe0.tmp	96
PID 2036 wrote to memory of 1516	2036	0eade894df6a630fac0070b78c735fe0.tmp	96
PID 2036 wrote to memory of 4556	2036	0eade894df6a630fac0070b78c735fe0.tmp	95
PID 2036 wrote to memory of 4556	2036	0eade894df6a630fac0070b78c735fe0.tmp	95
PID 2036 wrote to memory of 4556	2036	0eade894df6a630fac0070b78c735fe0.tmp	95

C:\Users\Admin\AppData\Local\Temp\0eade894df6a630fac0070b78c735fe0.exe
"C:\Users\Admin\AppData\Local\Temp\0eade894df6a630fac0070b78c735fe0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Local\Temp\is-PUL24.tmp\0eade894df6a630fac0070b78c735fe0.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-PUL24.tmp\0eade894df6a630fac0070b78c735fe0.tmp" /SL5="$8022C,6390235,721408,C:\Users\Admin\AppData\Local\Temp\0eade894df6a630fac0070b78c735fe0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Program Files (x86)\EFO Recovery\CardRecoveryEFO.exe
    "C:\Program Files (x86)\EFO Recovery\CardRecoveryEFO.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4556
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 960
      4⤵
      Program crash
      PID:1704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 964
      4⤵
      Program crash
      PID:5012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1000
      4⤵
      Program crash
      PID:1368
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 960
      4⤵
      Program crash
      PID:776
- - C:\Program Files (x86)\EFO Recovery\wmfdist.exe
    "C:\Program Files (x86)\EFO Recovery\wmfdist.exe" /Q:A /R:N
    3⤵
    - Executes dropped EXE
    PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4556 -ip 4556
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4556 -ip 4556
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4556 -ip 4556
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4556 -ip 4556
1⤵
PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\EFO Recovery\CardRecoveryEFO.exe

Filesize
893KB

MD5
2a8686b0bbc7c4c53bfe586f8f892ba9

SHA1
9bd8efe9dcb5ab29f552b77ba7451eeabee0b52d

SHA256
e3b592725fa1f872c32d11aa85c8d8c88d016b1788e754a2299eda6c8233b6c4

SHA512
22662d94f7b29ec2ca8f3f1d1cb939499baab9ed278d65c6c1705be93fe024a31c6448ab1d08502a385279fad3dddb07f677ffb32c6a1c4e33da06dfb99c98ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PUL24.tmp\0eade894df6a630fac0070b78c735fe0.tmp

Filesize
317KB

MD5
1f69a00e188c77cf2a93413ee629cd81

SHA1
0fa1605c02bfae53e657d06eef646aac9a622832

SHA256
74c642f142776eb8758a033f0dd1b082d152452cd4aac95d1df7b0b0563e936c

SHA512
1564d744554f2de05d5cb647f7821a88f696ba42d09cae4d8542881dbc6683c7f5c3520e2647a2407f9f610c36368e7d877872ce8417cb36e8c92b3c42e26070

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PUL24.tmp\0eade894df6a630fac0070b78c735fe0.tmp

Filesize
1.3MB

MD5
aeab98d13285806845c417b4272a4363

SHA1
d17212c9d8cb63871fd9f31cb4f62af4aa44e7e7

SHA256
ad48c52a830aea6d7db627047347ca8d289c86c5174ce83590f5a6f0d618d926

SHA512
ce6061f8ea42f8477851f17a7e2b71f7afbcd4169fb27d344a76b0371810854d71045c2efc5056e5802d8fb0cd0a38054e579a0ab1abac55f14f09950b8b927a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QA8HN.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/1880-32-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1880-2-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1880-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2036-38-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/2036-33-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/2036-6-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/4556-31-0x0000000000400000-0x00000000011E3000-memory.dmp

Filesize
13.9MB

Download
memory/4556-30-0x0000000000400000-0x00000000011E3000-memory.dmp

Filesize
13.9MB

Download
memory/4556-34-0x0000000000400000-0x00000000011E3000-memory.dmp

Filesize
13.9MB

Download
memory/4556-46-0x0000000000400000-0x00000000011E3000-memory.dmp

Filesize
13.9MB

Download
memory/4556-56-0x0000000000400000-0x00000000011E3000-memory.dmp

Filesize
13.9MB

Download
memory/4556-65-0x0000000000400000-0x00000000011E3000-memory.dmp

Filesize
13.9MB

Download
memory/4556-75-0x0000000000400000-0x00000000011E3000-memory.dmp

Filesize
13.9MB

Download

Analysis

Sharing