53015ec4339dca036dcd4be39565c626d49e1ca9fd6242642050afb281f7df45

General

Target

8eca46b796c3f4b07c5cf4282b1b076a.exe
Size

2.5MB
MD5

8eca46b796c3f4b07c5cf4282b1b076a
SHA1

a64b462bccfb1a726cad6ffd0d7237984d0b6a3f
SHA256

53015ec4339dca036dcd4be39565c626d49e1ca9fd6242642050afb281f7df45
SHA512

6639bddaa382d8e484a12c06e659e0156e3758aca015b265e5372e259cadf80baf6f87f059527ffdc2528e7e3bb5a2561d7dc9b4eb415eb1ccbd41406edf9742
SSDEEP

49152:52YT/j0AG7BmgYBf/ZkYDXAOcL/szp/mPrDpPYQ1qX2w5aV:sgj0JVm/peYDXAOc4duDDpI8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2988	StpFC68_TMP.EXE
2520	StpFC68_TMP.tmp

Loads dropped DLL 6 IoCs

pid	Process
2932	8eca46b796c3f4b07c5cf4282b1b076a.exe
2988	StpFC68_TMP.EXE
2988	StpFC68_TMP.EXE
2988	StpFC68_TMP.EXE
2520	StpFC68_TMP.tmp
2520	StpFC68_TMP.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2520	StpFC68_TMP.tmp

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2988	2932	8eca46b796c3f4b07c5cf4282b1b076a.exe	28
PID 2932 wrote to memory of 2988	2932	8eca46b796c3f4b07c5cf4282b1b076a.exe	28
PID 2932 wrote to memory of 2988	2932	8eca46b796c3f4b07c5cf4282b1b076a.exe	28
PID 2932 wrote to memory of 2988	2932	8eca46b796c3f4b07c5cf4282b1b076a.exe	28
PID 2932 wrote to memory of 2988	2932	8eca46b796c3f4b07c5cf4282b1b076a.exe	28
PID 2932 wrote to memory of 2988	2932	8eca46b796c3f4b07c5cf4282b1b076a.exe	28
PID 2932 wrote to memory of 2988	2932	8eca46b796c3f4b07c5cf4282b1b076a.exe	28
PID 2988 wrote to memory of 2520	2988	StpFC68_TMP.EXE	29
PID 2988 wrote to memory of 2520	2988	StpFC68_TMP.EXE	29
PID 2988 wrote to memory of 2520	2988	StpFC68_TMP.EXE	29
PID 2988 wrote to memory of 2520	2988	StpFC68_TMP.EXE	29
PID 2988 wrote to memory of 2520	2988	StpFC68_TMP.EXE	29
PID 2988 wrote to memory of 2520	2988	StpFC68_TMP.EXE	29
PID 2988 wrote to memory of 2520	2988	StpFC68_TMP.EXE	29

C:\Users\Admin\AppData\Local\Temp\8eca46b796c3f4b07c5cf4282b1b076a.exe
"C:\Users\Admin\AppData\Local\Temp\8eca46b796c3f4b07c5cf4282b1b076a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\StpFC68_TMP.EXE
  "C:\Users\Admin\AppData\Local\Temp\StpFC68_TMP.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\is-KUSMU.tmp\StpFC68_TMP.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-KUSMU.tmp\StpFC68_TMP.tmp" /SL5="$40016,2257206,53248,C:\Users\Admin\AppData\Local\Temp\StpFC68_TMP.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\StpFC68_TMP.EXE

Filesize
967KB

MD5
aa2918cbc35496df71eb22882317a733

SHA1
744760a8d8f10943d97c74eb2fb53b1da1b10609

SHA256
bcbc9f93df723f3a31c04583968b9da3dfe6c9ca1cf7ce60702717d26158825d

SHA512
6bcb291ebfde4eff2545830c698616612147778f1fe9272b860c28a48d44b851e79f5a78db069c2b5bc5b7cbeae5f36397693b1d9d79dadc78d04ee00c072766

Download Submit
C:\Users\Admin\AppData\Local\Temp\StpFC68_TMP.EXE

Filesize
1.9MB

MD5
66177e076d08c84fc77ed9b01e75def3

SHA1
55263cff46eebe4fa59bf08bca32b544e58b81bc

SHA256
a7736a7c1f09a620dc6dd310c2b1ce962a1323f5208392a2710962de235714b7

SHA512
6e4d52a0bd43106ba8f11abf7f22cc54a924d6b7a9b8f15ae2a548d793121804a40cf5cf56d93d9a0af830febb84e44bb9be0e0f73457fed3029f53145789de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KUSMU.tmp\StpFC68_TMP.tmp

Filesize
669KB

MD5
52950ac9e2b481453082f096120e355a

SHA1
159c09db1abcee9114b4f792ffba255c78a6e6c3

SHA256
25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

SHA512
5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

Download Submit
\Users\Admin\AppData\Local\Temp\StpFC68_TMP.EXE

Filesize
1.9MB

MD5
55109f61b3cc7cecec12b99b2114e8f1

SHA1
389b08808b71f4049104e6729b0d0eefc0bf37d3

SHA256
768c512af35c03885642f8449748882c1e6162b2b30811249069bb2e60ddf703

SHA512
a95b47dffcfcb58b6bd02e49a13fb4c3650db6f4bb3545fcbdd35088dd9c70b8c82dd07b110a71f13672471b8dcf86eb29893c000324bceb65a55195f7550c8d

Download Submit
\Users\Admin\AppData\Local\Temp\StpFC68_TMP.EXE

Filesize
1.2MB

MD5
e59178302ce662caaeb946b0c3cd2f62

SHA1
e936172b86fc7d281ea5ce43006fc3ec3f24d32a

SHA256
6fa6cc67a7b7c646af2d2600656b1898f1e263e0fc521c196b2564913f6a7f63

SHA512
33804d2b0164da952ee46a157e271b04ed4c69c4b86504666b2beae09ea73ea2aacd583a7cf5499b1f1ba68a1f1a60f41cd6fc5f6e50288b67da5d1e273fdfe6

Download Submit
\Users\Admin\AppData\Local\Temp\StpFC68_TMP.EXE

Filesize
755KB

MD5
307da84d6146c8dca5004a85aa4f798f

SHA1
bb9a8ce6be7e3a9832f4de0b9fc0f36ae7cc2ba2

SHA256
cb3b5b811842e4cc70d674b8d85289b726be09ccebba35c159e82e0bc4ff7fe3

SHA512
5ce203d5ac8a4b778b4c68ea9d8d427b6cf81b5cc70a489c5e3fa17a852f2856b81f8fb1ab829fc490de0ac1f7580c92f99039d6c6257300dc221c8d77600deb

Download Submit
\Users\Admin\AppData\Local\Temp\is-JBCUH.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2520-26-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2988-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2988-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2988-25-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing