a0a1660d66b4cf1c40006267b4eb3dcaafc19f7714ed1cd71fbcf51db25c17c3

General

Target

Rufus_Setupx64.exe
Size

152.8MB
MD5

5cf2e80ac2a7f7fa24f74966d3ec904f
SHA1

dd6fedc84c0a23ab407a70c8923509927216620e
SHA256

a0a1660d66b4cf1c40006267b4eb3dcaafc19f7714ed1cd71fbcf51db25c17c3
SHA512

766e2e0431fdcfd0b596cca0059f263605a1415b75253a0518b82bdc2d3d30bf66b0694f83510346a89b37be0708f3111f063006f2e528fbd582a6e1111c820b
SSDEEP

3145728:R++iZtEjNRQ57R1E9cNj7vA9aeXJESUHpZBeUdle26BJpn3y:zige7nEyNHvCXGJZ3dVyfi

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2680	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
2372	Rufus_Setupx64.tmp

Loads dropped DLL 4 IoCs

pid	Process
2864	Rufus_Setupx64.exe
2372	Rufus_Setupx64.tmp
2372	Rufus_Setupx64.tmp
2372	Rufus_Setupx64.tmp

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2372	2864	Rufus_Setupx64.exe	28
PID 2864 wrote to memory of 2372	2864	Rufus_Setupx64.exe	28
PID 2864 wrote to memory of 2372	2864	Rufus_Setupx64.exe	28
PID 2864 wrote to memory of 2372	2864	Rufus_Setupx64.exe	28
PID 2864 wrote to memory of 2372	2864	Rufus_Setupx64.exe	28
PID 2864 wrote to memory of 2372	2864	Rufus_Setupx64.exe	28
PID 2864 wrote to memory of 2372	2864	Rufus_Setupx64.exe	28
PID 2372 wrote to memory of 2644	2372	Rufus_Setupx64.tmp	29
PID 2372 wrote to memory of 2644	2372	Rufus_Setupx64.tmp	29
PID 2372 wrote to memory of 2644	2372	Rufus_Setupx64.tmp	29
PID 2372 wrote to memory of 2644	2372	Rufus_Setupx64.tmp	29
PID 2644 wrote to memory of 2680	2644	cmd.exe	31
PID 2644 wrote to memory of 2680	2644	cmd.exe	31
PID 2644 wrote to memory of 2680	2644	cmd.exe	31
PID 2644 wrote to memory of 2680	2644	cmd.exe	31
PID 2372 wrote to memory of 2640	2372	Rufus_Setupx64.tmp	32
PID 2372 wrote to memory of 2640	2372	Rufus_Setupx64.tmp	32
PID 2372 wrote to memory of 2640	2372	Rufus_Setupx64.tmp	32
PID 2372 wrote to memory of 2640	2372	Rufus_Setupx64.tmp	32

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2680	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Rufus_Setupx64.exe
"C:\Users\Admin\AppData\Local\Temp\Rufus_Setupx64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\is-JM2UV.tmp\Rufus_Setupx64.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JM2UV.tmp\Rufus_Setupx64.tmp" /SL5="$40150,236328,140800,C:\Users\Admin\AppData\Local\Temp\Rufus_Setupx64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" cmd /c attrib +s +h "str7"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "str7"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-KLIS0.tmp\courier.cmd""
    3⤵
    PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-KLIS0.tmp\courier.cmd

Filesize
145B

MD5
6733b7ef0a645d29c505d6a04bbec2ef

SHA1
55b35b5c419b463d5ab9194ec944749b85301611

SHA256
632edcfcf100d2b224046aff08faffa7c3fc7b4fa4767d5e99ffc703cefceb4a

SHA512
cdb876896666e3f81f61e6cb31b50e7b7e0d8e84cbfb5a3c68b796b42aecc081c7e69d13057bce66fc7e2afaf6c1b1a58fc7f9a14292ce20c055ec2926820b8b

Download Submit
\Users\Admin\AppData\Local\Temp\is-JM2UV.tmp\Rufus_Setupx64.tmp

Filesize
1.4MB

MD5
59fa1a478f284afac139920f0d64bdcc

SHA1
a42e353a3718f1eb56174ff68e77db2c3c841ac5

SHA256
180d57b6af9e76cb88320bd6754ca571e054b2f9f193d2700e724c1fd584b235

SHA512
e8c964976cf73bddff590c075245c0f68288e0ab86042773077a546c8428a1eefa88bd8055d97c191563afaa1063d6f066983cfa5f5f0af20652bd8dc3a63abb

Download Submit
\Users\Admin\AppData\Local\Temp\is-KLIS0.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-KLIS0.tmp\idp.dll

Filesize
240KB

MD5
fbb006814588d50f853347969b63c2a3

SHA1
b072cbc602df37c829a361b110952c166e2f3290

SHA256
5a914955407eb43e13317d32b5ca070154cadbcb98235f37fc1d71d3544c59e1

SHA512
cd8fa53c04c7a697cb47f6fa37adfc009aa9ebf4db7985b3de13619c7d59a5d6f0ba7e62e68151a044ac28847b441d5320f9c1c278b5d6de158c44564f99e641

Download Submit
memory/2372-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2372-19-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/2372-22-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2372-30-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/2864-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2864-18-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2864-32-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads