01d767441fb213034c9765381fac414859030eb3e47831751aa2eea054eb2053

General

Target

01d767441fb213034c9765381fac414859030eb3e47831751aa2eea054eb2053.exe
Size

7.0MB
MD5

771a4b5986aaa12e52cc75520c7acf8d
SHA1

a3f4495de0a3d1a48aab836c55602f680f0a4675
SHA256

01d767441fb213034c9765381fac414859030eb3e47831751aa2eea054eb2053
SHA512

6cac997ffb897bbd519c8969ba53fc5b9eccd3cecc386adfd9438ce22c78ab0135a0a4d0121f4582f29c35c39f5c50e008d23fbecc1beb8f2058be9ee434be80
SSDEEP

196608:kU35rF8HXJpD34NIJtYJVeW1ZL3t7vYEF0r7Dbl:T/Aj4NIvkx3t7vYvvDbl

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
460	01d767441fb213034c9765381fac414859030eb3e47831751aa2eea054eb2053.exe.tmp
1672	immpplayer32.exe

Loads dropped DLL 3 IoCs

pid	Process
460	01d767441fb213034c9765381fac414859030eb3e47831751aa2eea054eb2053.exe.tmp
460	01d767441fb213034c9765381fac414859030eb3e47831751aa2eea054eb2053.exe.tmp
460	01d767441fb213034c9765381fac414859030eb3e47831751aa2eea054eb2053.exe.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 11 IoCs

pid	pid_target	Process	procid_target
3572	1672	WerFault.exe	93
4392	1672	WerFault.exe	93
4380	1672	WerFault.exe	93
3488	1672	WerFault.exe	93
2088	1672	WerFault.exe	93
4460	1672	WerFault.exe	93
3584	1672	WerFault.exe	93
796	1672	WerFault.exe	93
5024	1672	WerFault.exe	93
4840	1672	WerFault.exe	93
1348	1672	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1672	immpplayer32.exe
1672	immpplayer32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 460	2368	01d767441fb213034c9765381fac414859030eb3e47831751aa2eea054eb2053.exe	90
PID 2368 wrote to memory of 460	2368	01d767441fb213034c9765381fac414859030eb3e47831751aa2eea054eb2053.exe	90
PID 2368 wrote to memory of 460	2368	01d767441fb213034c9765381fac414859030eb3e47831751aa2eea054eb2053.exe	90
PID 460 wrote to memory of 4760	460	01d767441fb213034c9765381fac414859030eb3e47831751aa2eea054eb2053.exe.tmp	91
PID 460 wrote to memory of 4760	460	01d767441fb213034c9765381fac414859030eb3e47831751aa2eea054eb2053.exe.tmp	91
PID 460 wrote to memory of 4760	460	01d767441fb213034c9765381fac414859030eb3e47831751aa2eea054eb2053.exe.tmp	91
PID 460 wrote to memory of 1672	460	01d767441fb213034c9765381fac414859030eb3e47831751aa2eea054eb2053.exe.tmp	93
PID 460 wrote to memory of 1672	460	01d767441fb213034c9765381fac414859030eb3e47831751aa2eea054eb2053.exe.tmp	93
PID 460 wrote to memory of 1672	460	01d767441fb213034c9765381fac414859030eb3e47831751aa2eea054eb2053.exe.tmp	93

C:\Users\Admin\AppData\Local\Temp\01d767441fb213034c9765381fac414859030eb3e47831751aa2eea054eb2053.exe
"C:\Users\Admin\AppData\Local\Temp\01d767441fb213034c9765381fac414859030eb3e47831751aa2eea054eb2053.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\is-IMC43.tmp\01d767441fb213034c9765381fac414859030eb3e47831751aa2eea054eb2053.exe.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-IMC43.tmp\01d767441fb213034c9765381fac414859030eb3e47831751aa2eea054eb2053.exe.tmp" /SL5="$C003C,7114651,53248,C:\Users\Admin\AppData\Local\Temp\01d767441fb213034c9765381fac414859030eb3e47831751aa2eea054eb2053.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:460
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "IMMP_Audio_Player_4192"
    3⤵
    PID:4760
- - C:\Users\Admin\AppData\Local\IMMP Audio Player\immpplayer32.exe
    "C:\Users\Admin\AppData\Local\IMMP Audio Player\immpplayer32.exe" 9352263ac5d79bad984e0ef60869242c
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 896
      4⤵
      Program crash
      PID:3572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 904
      4⤵
      Program crash
      PID:4392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 896
      4⤵
      Program crash
      PID:4380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1092
      4⤵
      Program crash
      PID:3488
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1184
      4⤵
      Program crash
      PID:2088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1236
      4⤵
      Program crash
      PID:4460
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1256
      4⤵
      Program crash
      PID:3584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1336
      4⤵
      Program crash
      PID:796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1372
      4⤵
      Program crash
      PID:5024
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 908
      4⤵
      Program crash
      PID:4840
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 904
      4⤵
      Program crash
      PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1672 -ip 1672
1⤵
PID:876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3696 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1672 -ip 1672
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1672 -ip 1672
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1672 -ip 1672
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1672 -ip 1672
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1672 -ip 1672
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1672 -ip 1672
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1672 -ip 1672
1⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1672 -ip 1672
1⤵
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1672 -ip 1672
1⤵
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1672 -ip 1672
1⤵
PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\IMMP Audio Player\immpplayer32.exe

Filesize
5.1MB

MD5
9ff3213677cfc8a82cd45f3ab560a321

SHA1
c68823431d5846b2827116eff1bd39807b136f5c

SHA256
a8573dc6938668588e362c9b8fcb2812510461be9d6e7f0d81542dd6e21082ec

SHA512
8d97620749385edcb1f78a5472e2828fed0244b0dbc930065f3ff6adc4b3ce153644a4a7dbd27e3df4501624b8828e2400b3427762980189391c2a15026ecff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BSBQO.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BSBQO.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IMC43.tmp\01d767441fb213034c9765381fac414859030eb3e47831751aa2eea054eb2053.exe.tmp

Filesize
666KB

MD5
bdfb2b7cc3577e4d8333ed3a084d7331

SHA1
8497df4d32157d12d710325f653eca937d586006

SHA256
8daa2613d4bfe79cebdc5d3546e40788f1f4677a5311a3e3e1dff6b79e0ed69a

SHA512
7dd208d37d58923f374f6894c0e8170f35d7ea019e62f40383052f69d403eef9b79a9cb6d19a5afece1d907cccab048d92516146ebe2f0368d1f5e145f7c5ed9

Download Submit
memory/460-86-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/460-7-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/460-80-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1672-78-0x0000000000400000-0x0000000000D15000-memory.dmp

Filesize
9.1MB

Download
memory/1672-79-0x0000000000400000-0x0000000000D15000-memory.dmp

Filesize
9.1MB

Download
memory/1672-81-0x0000000000400000-0x0000000000D15000-memory.dmp

Filesize
9.1MB

Download
memory/1672-82-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

Filesize
4KB

Download
memory/1672-84-0x0000000000400000-0x0000000000D15000-memory.dmp

Filesize
9.1MB

Download
memory/1672-91-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

Filesize
4KB

Download
memory/1672-92-0x0000000000400000-0x0000000000D15000-memory.dmp

Filesize
9.1MB

Download
memory/1672-95-0x0000000000400000-0x0000000000D15000-memory.dmp

Filesize
9.1MB

Download
memory/1672-98-0x0000000000400000-0x0000000000D15000-memory.dmp

Filesize
9.1MB

Download
memory/2368-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2368-23-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2368-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing