bbc0e7d33dbc3c8be9e51db9436cdaa977ce81f2b253a310e0449a7e2278e26c

General

Target

dee990ddd77157f47682f6e236a283c7.exe
Size

30.7MB
MD5

dee990ddd77157f47682f6e236a283c7
SHA1

27503f225422e3303bcf6fb974a6aa4f1c76be81
SHA256

bbc0e7d33dbc3c8be9e51db9436cdaa977ce81f2b253a310e0449a7e2278e26c
SHA512

3f0250d8f590ed2c106f6e35473dec41362c5e7c37d0fe3cea29304fe4fd763b0239f777444b37898f34ae64641886c251bb905e34703fc1f1e732155e23c885
SSDEEP

786432:5SXp/vP8sp7Hzrbls4uSSFzAy5yVBWieyh:EXp/nXbEFd5AVRh

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2256	HideAndSecretSetup27151.exe
2948	is-VLAFR.tmp

Loads dropped DLL 4 IoCs

pid	Process
2276	dee990ddd77157f47682f6e236a283c7.exe
2256	HideAndSecretSetup27151.exe
2948	is-VLAFR.tmp
2948	is-VLAFR.tmp

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ReflexiveArcade\Channels\20749\Channel.dat	dee990ddd77157f47682f6e236a283c7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2948	is-VLAFR.tmp

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2256	2276	dee990ddd77157f47682f6e236a283c7.exe	28
PID 2276 wrote to memory of 2256	2276	dee990ddd77157f47682f6e236a283c7.exe	28
PID 2276 wrote to memory of 2256	2276	dee990ddd77157f47682f6e236a283c7.exe	28
PID 2276 wrote to memory of 2256	2276	dee990ddd77157f47682f6e236a283c7.exe	28
PID 2276 wrote to memory of 2256	2276	dee990ddd77157f47682f6e236a283c7.exe	28
PID 2276 wrote to memory of 2256	2276	dee990ddd77157f47682f6e236a283c7.exe	28
PID 2276 wrote to memory of 2256	2276	dee990ddd77157f47682f6e236a283c7.exe	28
PID 2256 wrote to memory of 2948	2256	HideAndSecretSetup27151.exe	29
PID 2256 wrote to memory of 2948	2256	HideAndSecretSetup27151.exe	29
PID 2256 wrote to memory of 2948	2256	HideAndSecretSetup27151.exe	29
PID 2256 wrote to memory of 2948	2256	HideAndSecretSetup27151.exe	29
PID 2256 wrote to memory of 2948	2256	HideAndSecretSetup27151.exe	29
PID 2256 wrote to memory of 2948	2256	HideAndSecretSetup27151.exe	29
PID 2256 wrote to memory of 2948	2256	HideAndSecretSetup27151.exe	29

C:\Users\Admin\AppData\Local\Temp\dee990ddd77157f47682f6e236a283c7.exe
"C:\Users\Admin\AppData\Local\Temp\dee990ddd77157f47682f6e236a283c7.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\HideAndSecretSetup27151.exe
  "C:\Users\Admin\AppData\Local\Temp\HideAndSecretSetup27151.exe" ""
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Users\Admin\AppData\Local\Temp\is-MOB9J.tmp\is-VLAFR.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-MOB9J.tmp\is-VLAFR.tmp" /SL4 $80122 "C:\Users\Admin\AppData\Local\Temp\HideAndSecretSetup27151.exe" 31735501 52224 ""
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HideAndSecretSetup27151.exe

Filesize
23.1MB

MD5
95717aa9446a8fe77c7905e3b7aedd70

SHA1
64671efbc2ebf4529f169bc02622de1fede8cce3

SHA256
c5f9b77d6238e533bcf182e9476bacbd54db6905f5949181d013ed6baf736629

SHA512
1714fb4d30438845accc951b134ec582da15732c177e59b01bb8cf7bc0a855a34420b9cd1aae56365045bceea0026fa5ee52048d2d7e8f543e8504e6788d1b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\HideAndSecretSetup27151.exe

Filesize
24.8MB

MD5
65dea21b0445459841baeebf2d690b0a

SHA1
44c12e6bcedf750fd5b893371f98e40d1fa217ac

SHA256
0152854648cf491706a10bb8b5705d25fe8c2291a647342ae581cc3c02b43f4a

SHA512
306970bb300fedafa20f9f5f0e3e7e0e77fdd7dfedc75fce4e8058b237a5f1e9e476fe0608d93a4c65ad3f392ee4965f400187ef7ad0597fbf49fb43087ead80

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MOB9J.tmp\is-VLAFR.tmp

Filesize
652KB

MD5
581bb44526a65c02b388e1b8a83fe86c

SHA1
dc387f115977b5fb94d9c9084f33a1c231b50acb

SHA256
385a9bb48f5180984867f3bff1d327250d22ab4399137b343be291c370ee3699

SHA512
aab4cb6dd5ad4ebfded18748c5cd1a4361c154459f36a4cb49e32855b6866f92d3f065cd9cafa16e621a4216bb176f1554a8bbea7fd458b317eb1ff4c3c2bea1

Download Submit
\Users\Admin\AppData\Local\Temp\HideAndSecretSetup27151.exe

Filesize
19.8MB

MD5
e293c24b31a05221bf1eccc926642f33

SHA1
f248342f9c0b0425a3f45dc8e88d41d39b0fa280

SHA256
f962150e7569dfe124d2143d1b3aa3721b27c4e7201dea5536f6ade857a34761

SHA512
629a5ecdcb338ca7ab7e296ddf7c52cb2e9f668f60f7f05822a0b18364d358aad30aeb2c95142a113063a42f7edfcac0393d2d641538f304098daaf87070a91b

Download Submit
\Users\Admin\AppData\Local\Temp\is-4B3L0.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2256-8-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2256-5-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2256-23-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2948-16-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2948-24-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2948-27-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing