30bdd4958bbf8d1366decd44945aa166c45e3fc862b162951a964fc24969bfaa

General

Target

51ccdc20e450c623de8c76ed494336b4.exe
Size

1.9MB
MD5

51ccdc20e450c623de8c76ed494336b4
SHA1

afdaa8e4c039e702b02ce3d44d0988cf87869f86
SHA256

30bdd4958bbf8d1366decd44945aa166c45e3fc862b162951a964fc24969bfaa
SHA512

aced1a3ab10709dfc32f61f0913ca941511d3674e1980f2a8911ccbd88c80e3376e64cb8578320b7d8663adab38b44f3b62cd23e36805a072b2e53a0b5d81a12
SSDEEP

49152:v2oABKC/EkXuq2GEwge9DFT8MMsuZORoaM4jaV:uoABK2EkxExezoZF4M

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1076	51ccdc20e450c623de8c76ed494336b4.tmp

Loads dropped DLL 4 IoCs

pid	Process
2608	51ccdc20e450c623de8c76ed494336b4.exe
1076	51ccdc20e450c623de8c76ed494336b4.tmp
1076	51ccdc20e450c623de8c76ed494336b4.tmp
1076	51ccdc20e450c623de8c76ed494336b4.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1076	51ccdc20e450c623de8c76ed494336b4.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 1076	2608	51ccdc20e450c623de8c76ed494336b4.exe	14
PID 2608 wrote to memory of 1076	2608	51ccdc20e450c623de8c76ed494336b4.exe	14
PID 2608 wrote to memory of 1076	2608	51ccdc20e450c623de8c76ed494336b4.exe	14
PID 2608 wrote to memory of 1076	2608	51ccdc20e450c623de8c76ed494336b4.exe	14
PID 2608 wrote to memory of 1076	2608	51ccdc20e450c623de8c76ed494336b4.exe	14
PID 2608 wrote to memory of 1076	2608	51ccdc20e450c623de8c76ed494336b4.exe	14
PID 2608 wrote to memory of 1076	2608	51ccdc20e450c623de8c76ed494336b4.exe	14

C:\Users\Admin\AppData\Local\Temp\is-37DFU.tmp\51ccdc20e450c623de8c76ed494336b4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-37DFU.tmp\51ccdc20e450c623de8c76ed494336b4.tmp" /SL5="$40152,1555768,53248,C:\Users\Admin\AppData\Local\Temp\51ccdc20e450c623de8c76ed494336b4.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1076

C:\Users\Admin\AppData\Local\Temp\51ccdc20e450c623de8c76ed494336b4.exe
"C:\Users\Admin\AppData\Local\Temp\51ccdc20e450c623de8c76ed494336b4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-37DFU.tmp\51ccdc20e450c623de8c76ed494336b4.tmp

Filesize
12KB

MD5
802eee5a8f882330c623e0685745d913

SHA1
277ccead0e12dd3c089e7c9cbfd80d5751b609a1

SHA256
3b0f7ef3a1234ebc6e8bdffbfdd34c0abb384444bb1670d5c0ee154f1243163e

SHA512
d21c5c48f39ce38d0df391b9ce1682190d90c298886ce4cb9e6a0890b39ae5b58038b5cd91da3bed7f4544f805b63e082da779782a3ee9de44ce0ba5000b87cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-37DFU.tmp\51ccdc20e450c623de8c76ed494336b4.tmp

Filesize
45KB

MD5
5ee515591ae9ecdae9290bd2488ba618

SHA1
282971d00482bfd52bffa7dc51b270c158413ff4

SHA256
59dd111c44106acde167271987e6f8908457d9b6daf77212f1dc06f5be0103e6

SHA512
65cca152a188381a18c8b3bc4cd55a9b8a03356d5d9ac336a86a217ef7e017227944a7ad8c370c21d1b0fec1393adc26919d2f058177861bd73c92a47ecf39d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3K682.tmp\Games.inf

Filesize
161B

MD5
61593d97dee8ca54fb07716b7e96cd7e

SHA1
ddd95395ca661002a5126b4fd309f0a4544939d2

SHA256
b0ab99788e42f815657de13b62c7e23e7ef49b6b7ef564014ba8af513d402165

SHA512
b01aca457a31f7137a09ba2bc08b56c936e6ffe9cb8c4f448f050293958e887717364eef10ceeb5cd72039559b02feb7ce1d62bd94f3386cb546af3d6bb023f2

Download Submit
\Users\Admin\AppData\Local\Temp\is-37DFU.tmp\51ccdc20e450c623de8c76ed494336b4.tmp

Filesize
41KB

MD5
67c9a094e96e89c0b148004777319482

SHA1
4919dbdf1dbf7795716b68944794db32c09bfbc9

SHA256
3e501720bd8b252bb2432fa97fed16ba8609cb2bd96bdd57a5e88eba7f4e507f

SHA512
eda03aaba1dcd52fbe6db9d4f1a1640964661ae94185902ba27384b2efb427d6d305f7d8fb6c4b23c16a1d57348b57bfa4ba60d3d47258d8e76efc9a4ec5b0bc

Download Submit
\Users\Admin\AppData\Local\Temp\is-3K682.tmp\_isetup\_shfoldr.dll

Filesize
14KB

MD5
190fcf542a84bca579e7971ce30d761e

SHA1
08afb1c9a1780384959e0ab1661ffc788cb10b8d

SHA256
181b1763a322fff029d1bdac7ea18646977814f81b2af10c2c79b8139143796f

SHA512
1b4bc3300c971b4bae343c56da2902489342c79382e4d71b56139ce86a449a23ae3155d5d70abc95ebbe15900ff94f24a81a5364b75daa2304706efe668deca3

Download Submit
\Users\Admin\AppData\Local\Temp\is-3K682.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-3K682.tmp\isxdl.dll

Filesize
1KB

MD5
c47fba22a433b368596405ec17330071

SHA1
69817481bfca2db34ac65dab83630a0c4952af8d

SHA256
48c1b4d2da869d1535d61d338e3f56b1e9994b9b82355f894fe843d901842e2b

SHA512
0d4504893dbb1c9ca312e38b181d00303d9e763376668fadaf08a659f1c117ddc3163ae071c04d20b7af25137813e489c1ea866f73b0cc8f63b49a3e68891dc3

Download Submit
memory/1076-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1076-34-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1076-37-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2608-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2608-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2608-33-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing