6ab6ab0a819457f88339252bea1dd2e011effac34643e75f3cdf300f95966fe0

General

Target

setup_uh0ben5HYC.exe
Size

6.9MB
MD5

4559b48a4d35e34e826489fecf922b77
SHA1

d289615c792e80215d6f8daeafe20c9182d4fe2d
SHA256

6ab6ab0a819457f88339252bea1dd2e011effac34643e75f3cdf300f95966fe0
SHA512

7651e857d75053b08e874be93892639268946255e6791127bd55b0e60530bf2b59956f4ea1ab655d73554e80fe6bd24e45327b53e02c10c3a977ad298f2429b6
SSDEEP

196608:3DyjzRg2C0rM8BKQQvag8o1Cpzqaiv1/EmCBXbyJJ:6zakWDP/EmmyJJ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1176	setup_uh0ben5HYC.exe.tmp
2556	immpplayer32.exe

Loads dropped DLL 3 IoCs

pid	Process
1176	setup_uh0ben5HYC.exe.tmp
1176	setup_uh0ben5HYC.exe.tmp
1176	setup_uh0ben5HYC.exe.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
1196	2556	WerFault.exe	89
4436	2556	WerFault.exe	89
4908	2556	WerFault.exe	89
3692	2556	WerFault.exe	89
2580	2556	WerFault.exe	89
4580	2556	WerFault.exe	89
3908	2556	WerFault.exe	89
3932	2556	WerFault.exe	89
2236	2556	WerFault.exe	89
4416	2556	WerFault.exe	89
4272	2556	WerFault.exe	89
2656	2556	WerFault.exe	89
4668	2556	WerFault.exe	89
1232	2556	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2556	immpplayer32.exe
2556	immpplayer32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1176	1376	setup_uh0ben5HYC.exe	84
PID 1376 wrote to memory of 1176	1376	setup_uh0ben5HYC.exe	84
PID 1376 wrote to memory of 1176	1376	setup_uh0ben5HYC.exe	84
PID 1176 wrote to memory of 1204	1176	setup_uh0ben5HYC.exe.tmp	88
PID 1176 wrote to memory of 1204	1176	setup_uh0ben5HYC.exe.tmp	88
PID 1176 wrote to memory of 1204	1176	setup_uh0ben5HYC.exe.tmp	88
PID 1176 wrote to memory of 2556	1176	setup_uh0ben5HYC.exe.tmp	89
PID 1176 wrote to memory of 2556	1176	setup_uh0ben5HYC.exe.tmp	89
PID 1176 wrote to memory of 2556	1176	setup_uh0ben5HYC.exe.tmp	89

C:\Users\Admin\AppData\Local\Temp\setup_uh0ben5HYC.exe
"C:\Users\Admin\AppData\Local\Temp\setup_uh0ben5HYC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\is-QINBO.tmp\setup_uh0ben5HYC.exe.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QINBO.tmp\setup_uh0ben5HYC.exe.tmp" /SL5="$60066,7025092,53248,C:\Users\Admin\AppData\Local\Temp\setup_uh0ben5HYC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "IMMP_Audio_Player_4192"
    3⤵
    PID:1204
- - C:\Users\Admin\AppData\Local\IMMP Audio Player\immpplayer32.exe
    "C:\Users\Admin\AppData\Local\IMMP Audio Player\immpplayer32.exe" 247e5f28c994e3a03efc624405e5d841
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2556
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 896
      4⤵
      Program crash
      PID:1196
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 912
      4⤵
      Program crash
      PID:4436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 924
      4⤵
      Program crash
      PID:4908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 1104
      4⤵
      Program crash
      PID:3692
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 1144
      4⤵
      Program crash
      PID:2580
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 1160
      4⤵
      Program crash
      PID:4580
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 1164
      4⤵
      Program crash
      PID:3908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 1200
      4⤵
      Program crash
      PID:3932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 1160
      4⤵
      Program crash
      PID:2236
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 1012
      4⤵
      Program crash
      PID:4416
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 920
      4⤵
      Program crash
      PID:4272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 1336
      4⤵
      Program crash
      PID:2656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 1152
      4⤵
      Program crash
      PID:4668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 1348
      4⤵
      Program crash
      PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2556 -ip 2556
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2556 -ip 2556
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2556 -ip 2556
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2556 -ip 2556
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2556 -ip 2556
1⤵
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2556 -ip 2556
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2556 -ip 2556
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2556 -ip 2556
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2556 -ip 2556
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2556 -ip 2556
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2556 -ip 2556
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2556 -ip 2556
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2556 -ip 2556
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2556 -ip 2556
1⤵
PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\IMMP Audio Player\immpplayer32.exe

Filesize
5.0MB

MD5
28fdf0d20c5788426599b7b05938cb02

SHA1
0b76ade6df6e05dbdce68033b0dd6766053fdb55

SHA256
246b1434ad13d3851fc83a8bdb27d0d5253b124bdc10e830fd1a38b31cb95427

SHA512
d23b83137819d39d1b545ee1f98fa6e713acc6865e6b061a3aa2e98050b5b84e9134f62920f4b520410fb578bc1469a05b3948d00d1a45c787132a8ad00a1d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MBJIN.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MBJIN.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QINBO.tmp\setup_uh0ben5HYC.exe.tmp

Filesize
666KB

MD5
a9760f82412b4dc5ba165ac3c1a6d4f9

SHA1
4380d0c44fc9a8472e3a62bea033be440065192e

SHA256
4ba3c29168d80c8ba623309dee20627215a0157be65ebfefd8f9ad89d0fb8820

SHA512
c843779fabcc191409649ba009ac356c60743faf61ffd01ff280e83e276a2d5e6ce3ca5a4505f7cdb58d864b32b95a3e10b6efebd221729838611cbe79c8a7ec

Download Submit
memory/1176-82-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1176-7-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1176-84-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1376-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1376-81-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1376-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2556-77-0x0000000000400000-0x0000000000D06000-memory.dmp

Filesize
9.0MB

Download
memory/2556-78-0x0000000000400000-0x0000000000D06000-memory.dmp

Filesize
9.0MB

Download
memory/2556-79-0x0000000000400000-0x0000000000D06000-memory.dmp

Filesize
9.0MB

Download
memory/2556-80-0x0000000003BF0000-0x0000000003BF1000-memory.dmp

Filesize
4KB

Download
memory/2556-83-0x0000000000400000-0x0000000000D06000-memory.dmp

Filesize
9.0MB

Download
memory/2556-88-0x0000000003BF0000-0x0000000003BF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing