c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782

General

Target

c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.exe
Size

4.5MB
MD5

96ffb1d004943f5c289366a97089e907
SHA1

807cef9673faca4f0f10508124016a804c72aa10
SHA256

c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782
SHA512

61b0dd0106252869cb13c333515bd98e3ff9a1e5c2fdec9a32b1bff8ec7d758050c8b0c14232a3d46582fddfbe520367d47bf1c4370048fa25a931490db010e6
SSDEEP

98304:QrH0lE2TGKj7yMPLiFCaZSY72ORhihAf1Ba32UfMiaEECWb9LZW4dm8:a2qKj+WHvoTmhR9QIWb9k4dD

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2604	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.tmp
1296	sendreportsform.exe
2148	sendreportsform.exe

Loads dropped DLL 6 IoCs

pid	Process
2768	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.exe
2604	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.tmp
2604	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.tmp
2604	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.tmp
2604	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.tmp
2604	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2604	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.tmp

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2604	2768	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.exe	29
PID 2768 wrote to memory of 2604	2768	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.exe	29
PID 2768 wrote to memory of 2604	2768	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.exe	29
PID 2768 wrote to memory of 2604	2768	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.exe	29
PID 2768 wrote to memory of 2604	2768	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.exe	29
PID 2768 wrote to memory of 2604	2768	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.exe	29
PID 2768 wrote to memory of 2604	2768	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.exe	29
PID 2604 wrote to memory of 1436	2604	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.tmp	30
PID 2604 wrote to memory of 1436	2604	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.tmp	30
PID 2604 wrote to memory of 1436	2604	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.tmp	30
PID 2604 wrote to memory of 1436	2604	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.tmp	30
PID 2604 wrote to memory of 1296	2604	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.tmp	32
PID 2604 wrote to memory of 1296	2604	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.tmp	32
PID 2604 wrote to memory of 1296	2604	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.tmp	32
PID 2604 wrote to memory of 1296	2604	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.tmp	32
PID 1436 wrote to memory of 1604	1436	net.exe	33
PID 1436 wrote to memory of 1604	1436	net.exe	33
PID 1436 wrote to memory of 1604	1436	net.exe	33
PID 1436 wrote to memory of 1604	1436	net.exe	33
PID 2604 wrote to memory of 2148	2604	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.tmp	34
PID 2604 wrote to memory of 2148	2604	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.tmp	34
PID 2604 wrote to memory of 2148	2604	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.tmp	34
PID 2604 wrote to memory of 2148	2604	c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.tmp	34

C:\Users\Admin\AppData\Local\Temp\c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.exe
"C:\Users\Admin\AppData\Local\Temp\c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Users\Admin\AppData\Local\Temp\is-0H9FV.tmp\c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0H9FV.tmp\c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.tmp" /SL5="$40160,4512135,54272,C:\Users\Admin\AppData\Local\Temp\c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 193
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 193
      4⤵
      PID:1604
- - C:\Users\Admin\AppData\Local\Send Reports Form\sendreportsform.exe
    "C:\Users\Admin\AppData\Local\Send Reports Form\sendreportsform.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1296
- - C:\Users\Admin\AppData\Local\Send Reports Form\sendreportsform.exe
    "C:\Users\Admin\AppData\Local\Send Reports Form\sendreportsform.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Send Reports Form\sendreportsform.exe

Filesize
461KB

MD5
02df25590c0fab736180a6079fb6dc29

SHA1
948920012f5d228b5c0903708d3bf43e3168082e

SHA256
d8466c8cdd9b1031fabc1342ff8c60d8d596eb2aade178ff5385d56f757333a9

SHA512
8049bf43549adfaeefbb48e464ea12a151415e3d6fa4e5f95355c8a4fddfc2edcec31ac1d3f543f415dbe3801d4351c765e46e68966a620898a3e8c575479229

Download Submit
C:\Users\Admin\AppData\Local\Send Reports Form\sendreportsform.exe

Filesize
1.7MB

MD5
0dcae88598ec140e78771c2d1f248473

SHA1
1d4b14ed4a48c4aef2da6608e14a863362558db2

SHA256
5baec35758d619a93a1fb2018b75c8248d034ac9093fafa16c24bd14e3d6a765

SHA512
69753787af627959988ee1208aea69712677f4e0c944382e22ef83bfa4bb7a694799231c14798975d82b35bce4ff34f8682ab50c317346a86d3ef2d49b78bad0

Download Submit
C:\Users\Admin\AppData\Local\Send Reports Form\sendreportsform.exe

Filesize
520KB

MD5
e21b43b526ae9871486a8ae0afabb804

SHA1
a17918bf8f5cb62a3a80bec2cf4dae41f21c1944

SHA256
4d22252e718814a08fa6f1c73b86a3b2244349957627d6a9187f3fa9a79a3139

SHA512
6f1c743515132ee635cf391f845572d4cca7ed8f12fc46f9b780b38f3bd96ff82fe0c1642266e13790b650e3dbdcb96058ed66ee352bcdc59181b5080f0edc8d

Download Submit
\Users\Admin\AppData\Local\Send Reports Form\sendreportsform.exe

Filesize
576KB

MD5
5fe2409da9ae57e330988ae31ae85e91

SHA1
5cf5ead5a0d20233e7dca825894abb11cd6d4dbd

SHA256
137f18bdc4d69b69347ef811abfdeebf5906c1858a9ae80dc7eb3c4a4e96c66a

SHA512
b5d330a052202e2d045bd7cc04c7a08b34ea577324c5fde76bfa6866eb35286ae2e93aa0f6b2d5a1fa2aeb9facc691fc94bcaabc67db76b28f52d810cb3f20a6

Download Submit
\Users\Admin\AppData\Local\Temp\is-0H9FV.tmp\c736d5dcb526ba8db53db123fd2e547d478669edff900559766e434dc7fc6782.tmp

Filesize
688KB

MD5
a7662827ecaeb4fc68334f6b8791b917

SHA1
f93151dd228d680aa2910280e51f0a84d0cad105

SHA256
05f159722d6905719d2d6f340981a293f40ab8a0d2d4a282c948066809d4af6d

SHA512
e9880b3f3ec9201e59114850e9c570d0ad6d3b0e04c60929a03cf983c62c505fcb6bb9dc3adeee88c78d43bd484159626b4a2f000a34b8883164c263f21e6f4a

Download Submit
\Users\Admin\AppData\Local\Temp\is-T68GG.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-T68GG.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-T68GG.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1296-133-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/1296-124-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/1296-155-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/1296-146-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/1296-136-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/1296-135-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2148-157-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2148-166-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2148-170-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2148-168-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2148-160-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2148-163-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2604-129-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2604-126-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2604-132-0x0000000002ED0000-0x0000000003086000-memory.dmp

Filesize
1.7MB

Download
memory/2604-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2604-123-0x0000000002ED0000-0x0000000003086000-memory.dmp

Filesize
1.7MB

Download
memory/2768-125-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2768-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2768-3-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing