89db31dd0bb6ad371ffab153b3356273c2921602830ed4a463108e46cd211d12

General

Target

10dbfd553067fe9783918a2f598b75d0.exe
Size

1.0MB
MD5

10dbfd553067fe9783918a2f598b75d0
SHA1

4a7ef1ee04a61f1f6363a717c3e9e94138f2c665
SHA256

89db31dd0bb6ad371ffab153b3356273c2921602830ed4a463108e46cd211d12
SHA512

3839d4409d23a171006baa31fa730fbd12028c13a92937fce49d9d6a13c964ff477287665225bd9945d49617b044fb3f8e202b81eaf90ef570897f49cc6ec66d
SSDEEP

24576:7G50ZfFKMQQp25hx/13FlJfc1hXmgH8FcuQp6kwkoN1oC:7G5UfgY25F1fcLmz33kwkC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4484	installer.exe
1012	GenericSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4484	installer.exe
4484	installer.exe
1012	GenericSetup.exe
1012	GenericSetup.exe
1012	GenericSetup.exe
1012	GenericSetup.exe
1012	GenericSetup.exe
1012	GenericSetup.exe
1012	GenericSetup.exe
1012	GenericSetup.exe
1012	GenericSetup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1012	GenericSetup.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 4484	1228	10dbfd553067fe9783918a2f598b75d0.exe	19
PID 1228 wrote to memory of 4484	1228	10dbfd553067fe9783918a2f598b75d0.exe	19
PID 1228 wrote to memory of 4484	1228	10dbfd553067fe9783918a2f598b75d0.exe	19
PID 4484 wrote to memory of 1012	4484	installer.exe	21
PID 4484 wrote to memory of 1012	4484	installer.exe	21

C:\Users\Admin\AppData\Local\Temp\10dbfd553067fe9783918a2f598b75d0.exe
"C:\Users\Admin\AppData\Local\Temp\10dbfd553067fe9783918a2f598b75d0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\7zSCC479857\installer.exe
  .\installer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\7zSCC479857\GenericSetup.exe
    C:\Users\Admin\AppData\Local\Temp\7zSCC479857\GenericSetup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSCC479857\BundleConfig.xml

Filesize
58KB

MD5
2a3197a5b7a3cca523671e3612cb2cac

SHA1
647c6c39e4c2030f2a371e37081bed6ecdd7decd

SHA256
c0e2d295c285996e8941ce17407d9301b6ff15b122591b0a8540e1b2a3417cec

SHA512
20772de4bf257ab8c7f8d1040b33b8d890b44e3c8c685aa9d90f84197d0e9ab9c19d2e1c363fbc9d64dfb1811ae1b6d2a6b1973fab8b6dc0f072bcf92aa2dd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC479857\de\DevLib.resources.dll

Filesize
11KB

MD5
830598a39f2dff1071bbc3f82b83322d

SHA1
22f43e1c374471b0d645209796239d869398d291

SHA256
c540d3a8fd0af4489610592493d3ae0229e77ab8caec6a2a1f9334edef6daeb7

SHA512
1893f7b139f77cb82aa03e8dbd76a64a42e5013dc9393aaa8a499b92bc9f390620659017b1a579048c66c3d1bfb4a551cb50f72234d3db519e505bd7d2bf27dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC479857\en\DevLib.resources.dll

Filesize
10KB

MD5
2ebbaff278fd7e787e82bc707e0f48d4

SHA1
8f124a7719adc3777f201ddef22b3b879dce7aa3

SHA256
64d18f71982d80559732237e544335c8138b1b5c82282873a11f651e5cfbf8c6

SHA512
3e85ee65c723ecf0c1f2b98593844da82062245b33624dfc2a1390573036732a9564e41346effd72d61fbafb7cd5142c9240548d1c34b39b635a184943513f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC479857\fr\DevLib.resources.dll

Filesize
11KB

MD5
0c80166f1be01630705287790b944736

SHA1
a0b982e54d69ba6b7a95d205ae347b1a39017c8e

SHA256
ec4fdcecdd6310a57e757e16a51007890100ec925a6fc195a46c054d482bfebb

SHA512
e32bd2b3347f26ac031a5c6ca2efe773b5c110feedda3660d6e59e9a9835c79d3c5ffae5e949924d2fdf8a114d0c4c6fe2b7798ef03a04119dcc976851919cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC479857\installer.exe

Filesize
1.1MB

MD5
78e3aac524686f6b2ef166456ff048ef

SHA1
a03b8906dd24a34ae1eadb5c43f7734ccb7b1e0a

SHA256
954c553e2eef5a3fa860ca84888a19ae09285f8158f6fd8e6a4ca490d6f06665

SHA512
b9b0cfb7af1e1973b633bb5e8ac777c2b0fa954fa2c8886a09b895872cfaf6ff5a28b736afd5dafee4e8121e2264891695b1bd39deb07080a1757bb7253b7b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC479857\it\DevLib.resources.dll

Filesize
10KB

MD5
eff7418376a575662be95016e7a98297

SHA1
9e0f654004777504514631032a12cb78335f415f

SHA256
e77c2866e662691c8fc2e0cf998a3f5e7cd12ee4d63ddad315dae07cf3e5087c

SHA512
6dee8ee7fb8cfe80b00e474088db377c1c92310090865b50ceb6014b685c2320838f141f96bd1dd807c7c6db86465b0f8c771f287644f0cc390791314f223f0c

Download Submit
memory/1012-52-0x00007FFEE6F30000-0x00007FFEE79F1000-memory.dmp

Filesize
10.8MB

Download
memory/1012-70-0x000000001B510000-0x000000001B520000-memory.dmp

Filesize
64KB

Download
memory/1012-54-0x000000001B510000-0x000000001B520000-memory.dmp

Filesize
64KB

Download
memory/1012-51-0x000000001AFD0000-0x000000001B054000-memory.dmp

Filesize
528KB

Download
memory/1012-50-0x0000000000370000-0x0000000000384000-memory.dmp

Filesize
80KB

Download
memory/1012-66-0x000000001C590000-0x000000001CAB8000-memory.dmp

Filesize
5.2MB

Download
memory/1012-69-0x000000001C560000-0x000000001C57A000-memory.dmp

Filesize
104KB

Download
memory/1012-53-0x000000001B360000-0x000000001B3B0000-memory.dmp

Filesize
320KB

Download
memory/1012-71-0x000000001B510000-0x000000001B520000-memory.dmp

Filesize
64KB

Download
memory/1012-80-0x00007FFEE6F30000-0x00007FFEE79F1000-memory.dmp

Filesize
10.8MB

Download
memory/1012-81-0x000000001B510000-0x000000001B520000-memory.dmp

Filesize
64KB

Download
memory/1012-82-0x000000001B510000-0x000000001B520000-memory.dmp

Filesize
64KB

Download
memory/1012-84-0x000000001B510000-0x000000001B520000-memory.dmp

Filesize
64KB

Download
memory/1012-83-0x000000001B510000-0x000000001B520000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing