bb5f59ace38acbed87eb89972e461722182bf3a75dbe7dc9f7ddca47a9dbc747

General

Target

2d916f950f257216cf9e599d284c5623.exe
Size

7.0MB
MD5

2d916f950f257216cf9e599d284c5623
SHA1

7234fc3111db70d3e441030fd3aeee4022b66efa
SHA256

bb5f59ace38acbed87eb89972e461722182bf3a75dbe7dc9f7ddca47a9dbc747
SHA512

4d41243dfc17239b29e3c3a507fb3b7ad5617e455a2565b582273bc06a07142da12500e44b40c90f571e24ba5b1aaedacdb7fae69385bacb2ef5be8fee2337a9
SSDEEP

98304:DUodQVDPpCx223tXz7bUHXHxYhDgtFeGSj+giojcgZWBmswab5kaWSgWkNX83DEF:rmb4xr3tD8XHFeGS0ZBVwabawCNSIAju

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2676	7za.exe
2264	Setup.exe

Loads dropped DLL 3 IoCs

pid	Process
2756	cmd.exe
2756	cmd.exe
2756	cmd.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00050000000197e4-38.dat	autoit_exe
behavioral1/files/0x00050000000197e4-40.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2264	Setup.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2756	3028	2d916f950f257216cf9e599d284c5623.exe	28
PID 3028 wrote to memory of 2756	3028	2d916f950f257216cf9e599d284c5623.exe	28
PID 3028 wrote to memory of 2756	3028	2d916f950f257216cf9e599d284c5623.exe	28
PID 3028 wrote to memory of 2756	3028	2d916f950f257216cf9e599d284c5623.exe	28
PID 3028 wrote to memory of 2756	3028	2d916f950f257216cf9e599d284c5623.exe	28
PID 3028 wrote to memory of 2756	3028	2d916f950f257216cf9e599d284c5623.exe	28
PID 3028 wrote to memory of 2756	3028	2d916f950f257216cf9e599d284c5623.exe	28
PID 2756 wrote to memory of 2676	2756	cmd.exe	30
PID 2756 wrote to memory of 2676	2756	cmd.exe	30
PID 2756 wrote to memory of 2676	2756	cmd.exe	30
PID 2756 wrote to memory of 2676	2756	cmd.exe	30
PID 2756 wrote to memory of 2676	2756	cmd.exe	30
PID 2756 wrote to memory of 2676	2756	cmd.exe	30
PID 2756 wrote to memory of 2676	2756	cmd.exe	30
PID 2756 wrote to memory of 2264	2756	cmd.exe	31
PID 2756 wrote to memory of 2264	2756	cmd.exe	31
PID 2756 wrote to memory of 2264	2756	cmd.exe	31
PID 2756 wrote to memory of 2264	2756	cmd.exe	31
PID 2756 wrote to memory of 2264	2756	cmd.exe	31
PID 2756 wrote to memory of 2264	2756	cmd.exe	31
PID 2756 wrote to memory of 2264	2756	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\2d916f950f257216cf9e599d284c5623.exe
"C:\Users\Admin\AppData\Local\Temp\2d916f950f257216cf9e599d284c5623.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\extract.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\7za.exe
    .\7za.exe e .\WebPlayerTV.7z -pjesuisadmin -y
    3⤵
    - Executes dropped EXE
    PID:2676
- - C:\Users\Admin\AppData\Local\Temp\Setup.exe
    .\Setup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extract.bat

Filesize
87B

MD5
9495ff73014b8a17bd4798911ad097fa

SHA1
71b6db4d7e576cf8b1cbf93079397bc0c1ce46b2

SHA256
0a59275adf474e7164e14a7e622ecb93f3a1477958e6e1e0de6d7ae2c6913a33

SHA512
55062bb9381ac302367aeb43492613762434da730663891f577e050fcbc0993eaf19e96154adf4d669cb9587d8eef2a7ec96cb02b366db5d5c58b1eefe64ecd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
145KB

MD5
32aaea67979423fadf7ddf817a878e5a

SHA1
4b69ff523f03ebcfe6a8bee91f4431c15f850630

SHA256
c5d757fdfb529c89bcb5e81cbd1a9009a96a0fa83e7d5727e6bef0f430ca89dd

SHA512
9f1100310382001a78b598d345f63917a98736b76b76ee1eda11d8774e18e4ccfa619eebb6bd6b0f34995c0093002a7182e60d76a1eadcdf4436e6781f7dc542

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebPlayerTV.7z

Filesize
185KB

MD5
fa0a6b73e500385a7950cbe98369d1cc

SHA1
4ee0c410f59d5548ed785d3846afe7d05e1ec2f4

SHA256
2eb69a9d43eec3c646697424057372a515b35d775de4681766c6239c42a193b6

SHA512
8daa0605741c41d40ddc6928d6a733a00d94f090e8683911ef4d339db90fe073aeb0b8be276164663f89515bbb54af2fbcafba7d5062ee8574dfb1020630501c

Download Submit
C:\Users\Admin\AppData\Local\Temp\conditions.txt

Filesize
18KB

MD5
18ecfd10ad618670c9b5a6506aedecd4

SHA1
e9659a3ccb3d74302a039d137f2abfb289b6beb1

SHA256
11aad77b7086f3422b2befe0fba993d4d172dd7aea24b345c6d84036fb17665e

SHA512
0a5ad7da4deb3b93fbf6cbe54cc45f8324e281be21cbdf887c1a727fde88feadb8dc1f6c44df35c6a6dc348ebc53f9a25f761b174495eddfd8013213f7872200

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
868B

MD5
7bab904a91a70f0ab7617d65bbfdba44

SHA1
94d44c927b78c89114e16cab0faab57d3f80274c

SHA256
f46af6bb0b4552ca5903eaee712ebb97b4669dab47ed9d0a43368d48096f00a1

SHA512
9a896f75265386983a7be6467cffa15c9bc392e3e8d60072a57f0a46303cb9acb64a06dc0928db1e419d3ab46746159f8dbcbc1116ad245de4d9bf5f346e178c

Download Submit
\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
129KB

MD5
7258c4e287b6fb03f47588aa26945f7d

SHA1
ac020e39d13b773b93e4b7fd2509d42653f5151c

SHA256
640bb8f26be2f2e5bc03995a1f230d1df86df128d56cb12b9a36fd8786e144f3

SHA512
238ac02536573538079796a9716301503292ad54cea71883bc630f676553057fdbb9b41eb5b78071bfcb31119518e7e9f26ce8c26b2343887dd970fbf6e9a0ae

Download Submit
\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
727KB

MD5
d2f43767f65948b68247d31e523298d9

SHA1
b99a9f9bebed1863b44bd5ddcc897cf57666339f

SHA256
5386b117632e09d5546bba294b70de965929acec8da0fe70028cddb70ec5c687

SHA512
f4180a01279a821cb40e2a874787ad2817f7a020d1f72d169d8216e58440d02e8298dbc950cb6be1c465aa716fa0982f90cc0eb1b0f319c8fbfb06221167df0e

Download Submit

Analysis

Sharing