82b508beca25dadeb8467d3cfa719a6eb16ad870afda87dd5e40cf112520c983

General

Target

13b28d9f5431c4c4ede2badfd5892fee.exe
Size

854KB
MD5

13b28d9f5431c4c4ede2badfd5892fee
SHA1

e32014b0cbffc33d6f23c89d61e7367a4c917e29
SHA256

82b508beca25dadeb8467d3cfa719a6eb16ad870afda87dd5e40cf112520c983
SHA512

791a3436ad0dc5f18a2ec1ab304890c972f25db3218f0320f86e41949377793fd2d3c27ab98d4f83dd43cb9e498239e9b9a9db00f46b93ca4e2ef07ad2ecd2c7
SSDEEP

24576:Ji2sFbAw0o9MoxaK/uudvvPRBUCjcBEc//////i:TKjDM0VRB2Ec//////i

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2236	boxplayersetup.exe
1668	is-IR1SK.tmp

Loads dropped DLL 38 IoCs

pid	Process
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe
4596	13b28d9f5431c4c4ede2badfd5892fee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 2236	4596	13b28d9f5431c4c4ede2badfd5892fee.exe	88
PID 4596 wrote to memory of 2236	4596	13b28d9f5431c4c4ede2badfd5892fee.exe	88
PID 4596 wrote to memory of 2236	4596	13b28d9f5431c4c4ede2badfd5892fee.exe	88
PID 2236 wrote to memory of 1668	2236	boxplayersetup.exe	90
PID 2236 wrote to memory of 1668	2236	boxplayersetup.exe	90
PID 2236 wrote to memory of 1668	2236	boxplayersetup.exe	90

C:\Users\Admin\AppData\Local\Temp\13b28d9f5431c4c4ede2badfd5892fee.exe
"C:\Users\Admin\AppData\Local\Temp\13b28d9f5431c4c4ede2badfd5892fee.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Users\Admin\AppData\Local\Temp\boxplayersetup.exe
  C:\Users\Admin\AppData\Local\Temp\boxplayersetup.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Users\Admin\AppData\Local\Temp\is-KHQ04.tmp\is-IR1SK.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-KHQ04.tmp\is-IR1SK.tmp" /SL4 $E0028 "C:\Users\Admin\AppData\Local\Temp\boxplayersetup.exe" 542035 51712
    3⤵
    - Executes dropped EXE
    PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\boxplayersetup.exe

Filesize
750KB

MD5
10e92421f33416c62e258d5c06f82c6a

SHA1
3273e6c5d30b7d9d4fc33d59d772a1129210f634

SHA256
b82d6dbb11b2730f8ed6c3b8ee146c34aa9f7267337dd1d5f357a68691226677

SHA512
74dd74af3ddda2cd867422e4fd51c1cedb48d46e540e0e5717cef70ae5d3d5e5e6f3ce5baea87a9ece1d129d49cc6aae7b42d96d73114385825675eb350f560d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KHQ04.tmp\is-IR1SK.tmp

Filesize
615KB

MD5
347f21c81f0570f85df0261da8aaf85b

SHA1
9172c87e380d8f2394c83140017528976fc83a2e

SHA256
a3ab66c99945ee5f371388c82b76394494eb7eaf28d365cba26ab9443f623f80

SHA512
592fd3c363370a433d4219891b7e17528554b71075594194aa2465fce6a2c5f3620e4a0655ec0cdf5b688e8fe6033a88b49cae0ed20d013147eb175a9a0d0f93

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszDEB8.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszDEB8.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
memory/1668-65-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1668-170-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1668-177-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2236-18-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2236-169-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing