32e15aa26a62761a64dfac28e63e8407c124ce2f823d9c5b67a8365ed902d0b8

General

Target

96f92cfdee68ecfcf016c2d4104ef397.exe
Size

5.1MB
MD5

96f92cfdee68ecfcf016c2d4104ef397
SHA1

c2ed10a3fc906d46450dbcfe082a1f351732c973
SHA256

32e15aa26a62761a64dfac28e63e8407c124ce2f823d9c5b67a8365ed902d0b8
SHA512

c2a1c02b7b2261b9e962102317dd3eb102db5e59aabac77fed6c39747e80bf5fec3975f27ef018f7ea673c4ecf899cc2e0130d6be19f2ff9c7a42431828e5d38
SSDEEP

98304:DUo2jCVAvzvcI06rDWGe+i5Ca6Tt2Sk29seCQdwr783Q0h4gkQ33zcFNHx2I:raCVALER6rmd5lSkebw03Hh4XQ33mR2I

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

7za.exeSetup.exe

pid	Process
2908	7za.exe
2868	Setup.exe

Loads dropped DLL 3 IoCs

Processes:

cmd.exe

pid	Process
1340	cmd.exe
1340	cmd.exe
1340	cmd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x0006000000014fed-38.dat	upx
behavioral1/memory/1340-40-0x0000000000780000-0x0000000000841000-memory.dmp	upx
behavioral1/memory/2868-44-0x0000000000400000-0x00000000004C1000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2868-44-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Setup.exe

pid	Process
2868	Setup.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

96f92cfdee68ecfcf016c2d4104ef397.execmd.exe

description	pid	Process	procid_target
PID 2252 wrote to memory of 1340	2252	96f92cfdee68ecfcf016c2d4104ef397.exe	28
PID 2252 wrote to memory of 1340	2252	96f92cfdee68ecfcf016c2d4104ef397.exe	28
PID 2252 wrote to memory of 1340	2252	96f92cfdee68ecfcf016c2d4104ef397.exe	28
PID 2252 wrote to memory of 1340	2252	96f92cfdee68ecfcf016c2d4104ef397.exe	28
PID 2252 wrote to memory of 1340	2252	96f92cfdee68ecfcf016c2d4104ef397.exe	28
PID 2252 wrote to memory of 1340	2252	96f92cfdee68ecfcf016c2d4104ef397.exe	28
PID 2252 wrote to memory of 1340	2252	96f92cfdee68ecfcf016c2d4104ef397.exe	28
PID 1340 wrote to memory of 2908	1340	cmd.exe	30
PID 1340 wrote to memory of 2908	1340	cmd.exe	30
PID 1340 wrote to memory of 2908	1340	cmd.exe	30
PID 1340 wrote to memory of 2908	1340	cmd.exe	30
PID 1340 wrote to memory of 2908	1340	cmd.exe	30
PID 1340 wrote to memory of 2908	1340	cmd.exe	30
PID 1340 wrote to memory of 2908	1340	cmd.exe	30
PID 1340 wrote to memory of 2868	1340	cmd.exe	31
PID 1340 wrote to memory of 2868	1340	cmd.exe	31
PID 1340 wrote to memory of 2868	1340	cmd.exe	31
PID 1340 wrote to memory of 2868	1340	cmd.exe	31
PID 1340 wrote to memory of 2868	1340	cmd.exe	31
PID 1340 wrote to memory of 2868	1340	cmd.exe	31
PID 1340 wrote to memory of 2868	1340	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\96f92cfdee68ecfcf016c2d4104ef397.exe
"C:\Users\Admin\AppData\Local\Temp\96f92cfdee68ecfcf016c2d4104ef397.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\extract.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Users\Admin\AppData\Local\Temp\7za.exe
    .\7za.exe e .\WebPlayerTV.7z -pjesuisadmin -y
    3⤵
    - Executes dropped EXE
    PID:2908
- - C:\Users\Admin\AppData\Local\Temp\Setup.exe
    .\Setup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extract.bat

Filesize
87B

MD5
9495ff73014b8a17bd4798911ad097fa

SHA1
71b6db4d7e576cf8b1cbf93079397bc0c1ce46b2

SHA256
0a59275adf474e7164e14a7e622ecb93f3a1477958e6e1e0de6d7ae2c6913a33

SHA512
55062bb9381ac302367aeb43492613762434da730663891f577e050fcbc0993eaf19e96154adf4d669cb9587d8eef2a7ec96cb02b366db5d5c58b1eefe64ecd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebPlayerTV.7z

Filesize
3.9MB

MD5
a1ee5163ee5d3e112d5a972ae5588ca3

SHA1
fcc1e8fc34091bc43dd0cb625585896da79dafc0

SHA256
9c0aa4fe43f1f27d0058d03f5aab35c7f7f4542df24959ada19c2d603dfa58c6

SHA512
cc77e4e7cc29112b1ecc2fa1f7cce81ea0eccc7363003936f00165a8cb0e920f74d3df5cec0ebfd16a786fbf289e539a44de0647ccc66c2cde04bd764ae7ac83

Download Submit
C:\Users\Admin\AppData\Local\Temp\conditions.txt

Filesize
18KB

MD5
18ecfd10ad618670c9b5a6506aedecd4

SHA1
e9659a3ccb3d74302a039d137f2abfb289b6beb1

SHA256
11aad77b7086f3422b2befe0fba993d4d172dd7aea24b345c6d84036fb17665e

SHA512
0a5ad7da4deb3b93fbf6cbe54cc45f8324e281be21cbdf887c1a727fde88feadb8dc1f6c44df35c6a6dc348ebc53f9a25f761b174495eddfd8013213f7872200

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
428B

MD5
877875ed7bef4ba5c90f3850e3d39030

SHA1
9f45f80568fde3a0725e09eb1465a051a5271d6b

SHA256
d9fd4afb7ad2c1505a82c244c6c48ce8a377e8ebdd5d157615af7cb222e32697

SHA512
5bc55c19e4e2350f7e55adb9658ab07c993160265b577bc0219903519c6c7a12f26c29f887f5e8589b66bdef6f1a7248b24e731db0aca21147c18a69c6bccb0d

Download Submit
\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
387KB

MD5
ce68dce74b754a258c414338a0b8b1f9

SHA1
ac64f0252ec7097287e52ed1ce55d641c25810c5

SHA256
dade0855884933b3e1c4ec86f39883ea8e22c080a25ad8ac71dae915f21fd355

SHA512
eeae803d6f4a9f8a8258faec69c6c1d062a7d69d350f49613243c1532185e9532424d0d29b5c30fe83dc9d810f4ea391ee0ed633f21dd49f7b62992ec482319e

Download Submit
memory/1340-40-0x0000000000780000-0x0000000000841000-memory.dmp

Filesize
772KB

Download
memory/2868-44-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads