dd0b856cfae3e47857fd9b02e8704fb47b2cc7d7b5419709bffc3ae1f9fd3e33

General

Target

656eb12e066611facea04c07829c6463.exe
Size

1.6MB
MD5

656eb12e066611facea04c07829c6463
SHA1

081f1246067d9357dc14746d9f485ab6ccefe3e4
SHA256

dd0b856cfae3e47857fd9b02e8704fb47b2cc7d7b5419709bffc3ae1f9fd3e33
SHA512

f8a150df2f3393f899d0ed9fadf2447cb6d5a5182fd02f347ac165dbb23143d011c1e2ef78d010955d80ef62dfb062e95e308a658d86bab688bd8f175f115a3c
SSDEEP

49152:j2fp/YXq3wH+WpBaR7CRqrTJX7jExnDe7G/aQ:Kfp/Oq3wRpgFrV/Exq76

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2124	Stp1342_TMP.EXE
2812	Stp1342_TMP.tmp

Loads dropped DLL 6 IoCs

pid	Process
2844	656eb12e066611facea04c07829c6463.exe
2124	Stp1342_TMP.EXE
2124	Stp1342_TMP.EXE
2124	Stp1342_TMP.EXE
2812	Stp1342_TMP.tmp
2812	Stp1342_TMP.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2812	Stp1342_TMP.tmp

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2124	2844	656eb12e066611facea04c07829c6463.exe	28
PID 2844 wrote to memory of 2124	2844	656eb12e066611facea04c07829c6463.exe	28
PID 2844 wrote to memory of 2124	2844	656eb12e066611facea04c07829c6463.exe	28
PID 2844 wrote to memory of 2124	2844	656eb12e066611facea04c07829c6463.exe	28
PID 2844 wrote to memory of 2124	2844	656eb12e066611facea04c07829c6463.exe	28
PID 2844 wrote to memory of 2124	2844	656eb12e066611facea04c07829c6463.exe	28
PID 2844 wrote to memory of 2124	2844	656eb12e066611facea04c07829c6463.exe	28
PID 2124 wrote to memory of 2812	2124	Stp1342_TMP.EXE	29
PID 2124 wrote to memory of 2812	2124	Stp1342_TMP.EXE	29
PID 2124 wrote to memory of 2812	2124	Stp1342_TMP.EXE	29
PID 2124 wrote to memory of 2812	2124	Stp1342_TMP.EXE	29
PID 2124 wrote to memory of 2812	2124	Stp1342_TMP.EXE	29
PID 2124 wrote to memory of 2812	2124	Stp1342_TMP.EXE	29
PID 2124 wrote to memory of 2812	2124	Stp1342_TMP.EXE	29

C:\Users\Admin\AppData\Local\Temp\656eb12e066611facea04c07829c6463.exe
"C:\Users\Admin\AppData\Local\Temp\656eb12e066611facea04c07829c6463.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Local\Temp\Stp1342_TMP.EXE
  "C:\Users\Admin\AppData\Local\Temp\Stp1342_TMP.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Users\Admin\AppData\Local\Temp\is-BKI8A.tmp\Stp1342_TMP.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-BKI8A.tmp\Stp1342_TMP.tmp" /SL5="$400EE,1335752,53248,C:\Users\Admin\AppData\Local\Temp\Stp1342_TMP.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Stp1342_TMP.EXE

Filesize
1.1MB

MD5
250fe9881cebe52cb79489108da65748

SHA1
ccc32587399be9d438c360c98d9e59ee4c17e4fd

SHA256
b0980d86b1c59011113be15c9adf57bac18b49f87122eb2f028d456d5ec3a20c

SHA512
5382d0fc1a6d6c17d524d69ae7c2593ae7c66263c84c44ecc4c9eb55dccfc6642260906a61638e44e3f720b9bb6b5637e06662009b10acb64f33e4250f477522

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stp1342_TMP.EXE

Filesize
920KB

MD5
e12a8106212e5d8a04c25eb82addff75

SHA1
f64360d731e696a5673362a9245debbde5a07703

SHA256
21d0e66b618cdb8db5f0355a433af3124d3cd5ffd9aeb987c9dc4af615bfd7b5

SHA512
830165e4e71b83c315dcf49f5c8ca197e25147587acb291e6718292d22c6c127e3adf8d2e21e0ff57d1c708520a96abcfd7958515bfd06431064c2169629ba2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BKI8A.tmp\Stp1342_TMP.tmp

Filesize
669KB

MD5
52950ac9e2b481453082f096120e355a

SHA1
159c09db1abcee9114b4f792ffba255c78a6e6c3

SHA256
25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

SHA512
5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

Download Submit
\Users\Admin\AppData\Local\Temp\Stp1342_TMP.EXE

Filesize
1.6MB

MD5
d6eda4bfd998bcbd7b97562727744475

SHA1
4377b51f86f987df225557806cf8939ef5c2ce1d

SHA256
41326829fc7fdf7652f76d8f3bb1866bc4873c5e9a56184948f5ceeb03673aa8

SHA512
d1fe68e10d80087390c6aef6c15674ac17425824db3b4faa4d0abebc31f46e2344af2d4ce2fe68d1685da8403ca1a654a66b649d3953729ee81cbd5713400d40

Download Submit
\Users\Admin\AppData\Local\Temp\Stp1342_TMP.EXE

Filesize
910KB

MD5
a4a59ff286361ef0095712c5299b36f6

SHA1
ac5cf31bcc51dc589e06ce11b54297def3ef3255

SHA256
05c6d9e68f6badfdda56821a424e3821f001bd175157a37309676e01eea80df7

SHA512
9072ea7aa4e0ff4d5aaefa1efdb3f4fbff0d4d32b6031e5b0fc518a9496fb59d61dfb9486152c0afe5633ed0895655cb2a2ef1a8a15e8c9e4e249e96693dc8c7

Download Submit
\Users\Admin\AppData\Local\Temp\Stp1342_TMP.EXE

Filesize
888KB

MD5
9a2d8120737731820fc462177ee90f26

SHA1
d4f81412fcbc198b122cdc9c7cff6b27e36e4bbb

SHA256
5ad5c8a2e50593374374399f041faa62d41c2f4849bc66e7fb388634e45c1604

SHA512
fb5da8d1d2a4e78b187c68f3f6ab056c07bf655dcdeaafb156e2f09cb7e925db2a1b2c9440025961a8e41048114fb04515e2f02a046350d65368f0b4566355cb

Download Submit
\Users\Admin\AppData\Local\Temp\is-A12FT.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2124-8-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2124-10-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2124-24-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2812-25-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing