23f9a81888e9d5de95fbfdab513baa577a46f6dd94d1f1537d8ee43ea3dffa18

General

Target

456bcdeae8a437acf9efe95c5ebb47be.exe
Size

419KB
MD5

456bcdeae8a437acf9efe95c5ebb47be
SHA1

27ce68df8f404cb1d74a3d725c9cfce99f2ebf53
SHA256

23f9a81888e9d5de95fbfdab513baa577a46f6dd94d1f1537d8ee43ea3dffa18
SHA512

c4251e4dd2f214085a35196934aea30887179103512c071bb84b6cb3738c6eb502d967a00e55ec3d87de1f541c79d64cc9f5a7c9b7439bc1b6c7d5a66cc5d4b1
SSDEEP

6144:1/QiQPtXdEOdEoj1Z6xFOQhD1Qx9PkYxXyVlcG40eAw38o85XOC8T/FUyKGpM9Ck:NQiGtXSh/dhDex+NlcGpX98iR4o

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2700	456bcdeae8a437acf9efe95c5ebb47be.tmp

Loads dropped DLL 4 IoCs

pid	Process
1632	456bcdeae8a437acf9efe95c5ebb47be.exe
2700	456bcdeae8a437acf9efe95c5ebb47be.tmp
2700	456bcdeae8a437acf9efe95c5ebb47be.tmp
2700	456bcdeae8a437acf9efe95c5ebb47be.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2356	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2700	456bcdeae8a437acf9efe95c5ebb47be.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2356	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2700	1632	456bcdeae8a437acf9efe95c5ebb47be.exe	27
PID 1632 wrote to memory of 2700	1632	456bcdeae8a437acf9efe95c5ebb47be.exe	27
PID 1632 wrote to memory of 2700	1632	456bcdeae8a437acf9efe95c5ebb47be.exe	27
PID 1632 wrote to memory of 2700	1632	456bcdeae8a437acf9efe95c5ebb47be.exe	27
PID 1632 wrote to memory of 2700	1632	456bcdeae8a437acf9efe95c5ebb47be.exe	27
PID 1632 wrote to memory of 2700	1632	456bcdeae8a437acf9efe95c5ebb47be.exe	27
PID 1632 wrote to memory of 2700	1632	456bcdeae8a437acf9efe95c5ebb47be.exe	27
PID 2700 wrote to memory of 2896	2700	456bcdeae8a437acf9efe95c5ebb47be.tmp	28
PID 2700 wrote to memory of 2896	2700	456bcdeae8a437acf9efe95c5ebb47be.tmp	28
PID 2700 wrote to memory of 2896	2700	456bcdeae8a437acf9efe95c5ebb47be.tmp	28
PID 2700 wrote to memory of 2896	2700	456bcdeae8a437acf9efe95c5ebb47be.tmp	28
PID 2896 wrote to memory of 2356	2896	cmd.exe	30
PID 2896 wrote to memory of 2356	2896	cmd.exe	30
PID 2896 wrote to memory of 2356	2896	cmd.exe	30
PID 2896 wrote to memory of 2356	2896	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\456bcdeae8a437acf9efe95c5ebb47be.exe
"C:\Users\Admin\AppData\Local\Temp\456bcdeae8a437acf9efe95c5ebb47be.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Local\Temp\is-MSN3N.tmp\456bcdeae8a437acf9efe95c5ebb47be.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-MSN3N.tmp\456bcdeae8a437acf9efe95c5ebb47be.tmp" /SL5="$5015A,139536,56832,C:\Users\Admin\AppData\Local\Temp\456bcdeae8a437acf9efe95c5ebb47be.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-3FB6T.tmp\ex.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-3FB6T.tmp\av.txt

Filesize
24B

MD5
f8f8258012893e0a2c957d226bdd7587

SHA1
ed482b5f912ef2d31e2b231df6b6e3b64967390c

SHA256
c341965a331692b4f79eed856a7da98c550d74fdef27d1241893284f1b51c3d2

SHA512
6e563814e4347ffa1da1d4d26ab45430987d5224c22278e1ee41b207700eb263aaab1e69088a5eeb267fdd385f36a61c0c66415f5df0887162eefbcbec9d19d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3FB6T.tmp\ex.bat

Filesize
786B

MD5
3ec662c46ccc48d30eba1b002090d824

SHA1
f48c3f923255d1b8295e40fe5dff62e94429f06b

SHA256
83b9d43f2fed5a31b9c1c2f62168c7ff637140ce29b255b3d729487bdecf9f71

SHA512
4a47b6315e66a37c316b74966e0c824cb35ab0365829aea820a179bf64b5dd497b9eb7bf269c0309d451ad5b4373e9545001b47efd6d80d02c612bbe6c4fb34f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MSN3N.tmp\456bcdeae8a437acf9efe95c5ebb47be.tmp

Filesize
198KB

MD5
b9b295264982f750a8c5983b3da48a92

SHA1
17aa07adaa87c8fe5ead2286e9d2fad69c534b33

SHA256
b68ff18bcd0bfc9312c8cd08e6733ad15f7da3791b6ebd8c62daad2653304b34

SHA512
5548e34c78dac2c614f411a85b71e8f8b457171a9f0621c78a5b47fbac639652b6c17ba25316d85e4b001a36712ec93a7229480d8e7422d1610a5937e253e026

Download Submit
\Users\Admin\AppData\Local\Temp\is-3FB6T.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-3FB6T.tmp\itdownload.dll

Filesize
202KB

MD5
640c2525d575a42c3be5af4609f135a3

SHA1
68d544c113116936be03c3a90f0ac47e16c15f25

SHA256
b1ed2f6d034aca5804da15d954c66d9942e90f8287812ea55e7f8f9e5c04081c

SHA512
f1c2c18ade52b39724a69ea361a37b791480e515ba7e93aca5f8e1f8d3ceeb40ef00b068ce7fef8a213311c9b525f47f62616972796baf3e89eed719b97fbe9b

Download Submit
\Users\Admin\AppData\Local\Temp\is-MSN3N.tmp\456bcdeae8a437acf9efe95c5ebb47be.tmp

Filesize
378KB

MD5
d699068f037acebe05dd5f6c7a07eceb

SHA1
17d38c801f3b93859a9a200d0004326a3ff97509

SHA256
08aef156ede3d84a0c035e81a3a6632a79ff5ff95f14913824305b7c754ba328

SHA512
f70e692523e21f94565b2e7df4bb2b1e082883e8d0248e0328636e9aba6aff2f412b2ce1f43d49bb5d530e71a566c531bc6342a13e6fdeb3a885c924662c3795

Download Submit
memory/1632-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1632-31-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2356-27-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download
memory/2356-25-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download
memory/2356-24-0x0000000073710000-0x0000000073CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2356-26-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download
memory/2356-23-0x0000000073710000-0x0000000073CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2356-28-0x0000000073710000-0x0000000073CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2700-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2700-33-0x0000000000670000-0x00000000006AC000-memory.dmp

Filesize
240KB

Download
memory/2700-32-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2700-17-0x0000000000670000-0x00000000006AC000-memory.dmp

Filesize
240KB

Download
memory/2700-34-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing