c0ad14caca8b8b0972e40ddb9a95a036480055bab963ac39dfa1d5fa952fbf60

General

Target

9586779b197073c3004fba0593e40d76.exe
Size

5.0MB
MD5

9586779b197073c3004fba0593e40d76
SHA1

9bcdf21ef19b847a2e68d6dd53b6461abb931162
SHA256

c0ad14caca8b8b0972e40ddb9a95a036480055bab963ac39dfa1d5fa952fbf60
SHA512

302d531377b37205d105693223fb85a7fd0281516331bb3225794afcc6ef357aafc4a1d7b83b0dff0b983c3088a88077542137f2bed04f794a648eed9c68bae8
SSDEEP

98304:1eM85gLFg3vqpaF4tbigrdNet7NDx+9am+rDy1yz+Ve5dQn1Zx7veL5LRX47zvLM:r85IFg3vqpaUiee3Y9cDefVe5dQ17De9

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

7za.exeSetup.exe

pid process

2836 7za.exe
1032 Setup.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exe

pid process

2664 cmd.exe
2664 cmd.exe
2664 cmd.exe

pid	process
2836	7za.exe
1032	Setup.exe

pid	process
2664	cmd.exe
2664	cmd.exe
2664	cmd.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Setup.exe	upx
behavioral1/memory/2664-522-0x0000000002210000-0x00000000022D1000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\Setup.exe	upx
behavioral1/memory/1032-524-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/1032-526-0x0000000000400000-0x00000000004C1000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1032-526-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Setup.exe

pid process

1032 Setup.exe

pid	process
1032	Setup.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

9586779b197073c3004fba0593e40d76.exeWScript.execmd.exe

description	pid	process	target process
PID 2636 wrote to memory of 1448	2636	9586779b197073c3004fba0593e40d76.exe	WScript.exe
PID 2636 wrote to memory of 1448	2636	9586779b197073c3004fba0593e40d76.exe	WScript.exe
PID 2636 wrote to memory of 1448	2636	9586779b197073c3004fba0593e40d76.exe	WScript.exe
PID 2636 wrote to memory of 1448	2636	9586779b197073c3004fba0593e40d76.exe	WScript.exe
PID 2636 wrote to memory of 1448	2636	9586779b197073c3004fba0593e40d76.exe	WScript.exe
PID 2636 wrote to memory of 1448	2636	9586779b197073c3004fba0593e40d76.exe	WScript.exe
PID 2636 wrote to memory of 1448	2636	9586779b197073c3004fba0593e40d76.exe	WScript.exe
PID 1448 wrote to memory of 2664	1448	WScript.exe	cmd.exe
PID 1448 wrote to memory of 2664	1448	WScript.exe	cmd.exe
PID 1448 wrote to memory of 2664	1448	WScript.exe	cmd.exe
PID 1448 wrote to memory of 2664	1448	WScript.exe	cmd.exe
PID 1448 wrote to memory of 2664	1448	WScript.exe	cmd.exe
PID 1448 wrote to memory of 2664	1448	WScript.exe	cmd.exe
PID 1448 wrote to memory of 2664	1448	WScript.exe	cmd.exe
PID 2664 wrote to memory of 2836	2664	cmd.exe	7za.exe
PID 2664 wrote to memory of 2836	2664	cmd.exe	7za.exe
PID 2664 wrote to memory of 2836	2664	cmd.exe	7za.exe
PID 2664 wrote to memory of 2836	2664	cmd.exe	7za.exe
PID 2664 wrote to memory of 2836	2664	cmd.exe	7za.exe
PID 2664 wrote to memory of 2836	2664	cmd.exe	7za.exe
PID 2664 wrote to memory of 2836	2664	cmd.exe	7za.exe
PID 2664 wrote to memory of 1032	2664	cmd.exe	Setup.exe
PID 2664 wrote to memory of 1032	2664	cmd.exe	Setup.exe
PID 2664 wrote to memory of 1032	2664	cmd.exe	Setup.exe
PID 2664 wrote to memory of 1032	2664	cmd.exe	Setup.exe
PID 2664 wrote to memory of 1032	2664	cmd.exe	Setup.exe
PID 2664 wrote to memory of 1032	2664	cmd.exe	Setup.exe
PID 2664 wrote to memory of 1032	2664	cmd.exe	Setup.exe

C:\Users\Admin\AppData\Local\Temp\9586779b197073c3004fba0593e40d76.exe
"C:\Users\Admin\AppData\Local\Temp\9586779b197073c3004fba0593e40d76.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Lanceur.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Extract.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\7za.exe
      .\7za.exe e .\WebPlayerTV.7z -pjesuisadmin -y
      4⤵
      Executes dropped EXE
      PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\Setup.exe
      .\Setup.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extract.bat

Filesize
87B

MD5
9495ff73014b8a17bd4798911ad097fa

SHA1
71b6db4d7e576cf8b1cbf93079397bc0c1ce46b2

SHA256
0a59275adf474e7164e14a7e622ecb93f3a1477958e6e1e0de6d7ae2c6913a33

SHA512
55062bb9381ac302367aeb43492613762434da730663891f577e050fcbc0993eaf19e96154adf4d669cb9587d8eef2a7ec96cb02b366db5d5c58b1eefe64ecd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lanceur.vbs

Filesize
115B

MD5
67eb1322395d41dddc9045b4eef2309d

SHA1
b85b2332b9fd4ac03aec49a9291e90e8b96547a5

SHA256
56ddc657309aeab74ca42cf466deac992da8a0054830340ba839ffdf1d242be4

SHA512
de37b1358f639f6647e6ae99b6719a0ddf5e9b8f9e8ea33b6284ecac3d33650e9257a63697dcd5d79ee5ed2790ece0b3aca3332719f678ca89f3d4562b00603d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
14KB

MD5
7080754c8a2a59e2a77305c85027838a

SHA1
da2743f9333c100668dec3e12e0f3e2e318a2b63

SHA256
7aafa3439867c8a4ee3d9d83dfccf2ef6624d5eeebf36db5189cecca685bfd86

SHA512
281c1f30cc8eb1b8cede4bcbfe7b738ac050e20533b3f7795d107928bcb9bc588c36f22140b195a18db5e1bc1cb2723a254eddbb562ec1924de57b8643b6fe79

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebPlayerTV.7z

Filesize
4.6MB

MD5
d146c84ee942954eb4c1a792d1de60b6

SHA1
c73f141bfd36b7fc5bbe1373da4124769ac84405

SHA256
8c0771717c96bb79f59a0a72a428115e848ba40ef3a2b9113758f5fcf7b5aeab

SHA512
701d61395854ff468505787214826b4d1a26922cec1ed9ca5a87c8d3f6efb651fbe2a33ac27df3a7d95fe4b45ab83ae8d2ba240ac7f9a080b5f520a9db1463cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
383B

MD5
e48e0650aee7207a0b908d9830b0b487

SHA1
56d23ed45ebf1ec42914da69bdd5b890733744b2

SHA256
652034b9a3d29611ec91971a3f3d7e9438c0ed748f050df4329371ccf91da0ee

SHA512
c0ca42779a040e3aeaaf8d4f53d4ce17639dc82068d90d78830ba927f652c8127fca19321bddeaba321d9470d78892fa48d1d83dc9cebae1bdf88704fa0ae1cb

Download Submit
\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
412KB

MD5
84a495da12130393c9c05d9bf15e36be

SHA1
58b3746de71279fd0905526a7f07c26a0cb52893

SHA256
99bbe3ddad3c227fda24a2a227b1e664aef3538877b31281eda32333a2bfaf60

SHA512
dc8a85c085e6811560956b4ed106abd7180c5c0ae95a95a7f61ee6633f22f5541d68ad197c9863bffd40e4153ae4f372e0f5fc613031db7bcb45749a3f352edb

Download Submit
memory/1032-524-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1032-526-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2664-522-0x0000000002210000-0x00000000022D1000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads