47c1cb0f609f6711a27d6e93203569e6c638c3d4cf1e35a1bcb4875b540eb6d6

General

Target

nitamaexternal_yW8AvTQEWM.exe
Size

5.9MB
MD5

c9e09e9a83265a88d791975e5da63146
SHA1

1f5c3de69402369664b1745345a159b8be04440c
SHA256

47c1cb0f609f6711a27d6e93203569e6c638c3d4cf1e35a1bcb4875b540eb6d6
SHA512

34f06d926cbee9d2c37c8a8a1e189ac72eb27a5753b98b17f1b7d32e3b082ca62e533a22d57d1709d77bc2bdc193704678740a1e97d95c9f3475034dd942a209
SSDEEP

98304:gk/hYquGIdRDaOOhY5eGQbzxM91oCJC/wG3NnSZXEThB5k1L3NlqRza:BIfDT1Qb+91oZ98CB52b7

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2176	nitamaexternal_yW8AvTQEWM.tmp
1548	steelhorsestudio32.exe

Loads dropped DLL 6 IoCs

pid	Process
2116	nitamaexternal_yW8AvTQEWM.exe
2176	nitamaexternal_yW8AvTQEWM.tmp
2176	nitamaexternal_yW8AvTQEWM.tmp
2176	nitamaexternal_yW8AvTQEWM.tmp
2176	nitamaexternal_yW8AvTQEWM.tmp
2176	nitamaexternal_yW8AvTQEWM.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2176	nitamaexternal_yW8AvTQEWM.tmp
2176	nitamaexternal_yW8AvTQEWM.tmp
1548	steelhorsestudio32.exe
1548	steelhorsestudio32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2176	nitamaexternal_yW8AvTQEWM.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2176	2116	nitamaexternal_yW8AvTQEWM.exe	28
PID 2116 wrote to memory of 2176	2116	nitamaexternal_yW8AvTQEWM.exe	28
PID 2116 wrote to memory of 2176	2116	nitamaexternal_yW8AvTQEWM.exe	28
PID 2116 wrote to memory of 2176	2116	nitamaexternal_yW8AvTQEWM.exe	28
PID 2116 wrote to memory of 2176	2116	nitamaexternal_yW8AvTQEWM.exe	28
PID 2116 wrote to memory of 2176	2116	nitamaexternal_yW8AvTQEWM.exe	28
PID 2116 wrote to memory of 2176	2116	nitamaexternal_yW8AvTQEWM.exe	28
PID 2176 wrote to memory of 2476	2176	nitamaexternal_yW8AvTQEWM.tmp	29
PID 2176 wrote to memory of 2476	2176	nitamaexternal_yW8AvTQEWM.tmp	29
PID 2176 wrote to memory of 2476	2176	nitamaexternal_yW8AvTQEWM.tmp	29
PID 2176 wrote to memory of 2476	2176	nitamaexternal_yW8AvTQEWM.tmp	29
PID 2176 wrote to memory of 1548	2176	nitamaexternal_yW8AvTQEWM.tmp	31
PID 2176 wrote to memory of 1548	2176	nitamaexternal_yW8AvTQEWM.tmp	31
PID 2176 wrote to memory of 1548	2176	nitamaexternal_yW8AvTQEWM.tmp	31
PID 2176 wrote to memory of 1548	2176	nitamaexternal_yW8AvTQEWM.tmp	31

C:\Users\Admin\AppData\Local\Temp\nitamaexternal_yW8AvTQEWM.exe
"C:\Users\Admin\AppData\Local\Temp\nitamaexternal_yW8AvTQEWM.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\is-H15QO.tmp\nitamaexternal_yW8AvTQEWM.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-H15QO.tmp\nitamaexternal_yW8AvTQEWM.tmp" /SL5="$4011C,5958739,56832,C:\Users\Admin\AppData\Local\Temp\nitamaexternal_yW8AvTQEWM.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "Steel_Horse_Studio_5122"
    3⤵
    PID:2476
- - C:\Users\Admin\AppData\Local\Steel Horse Studio\steelhorsestudio32.exe
    "C:\Users\Admin\AppData\Local\Steel Horse Studio\steelhorsestudio32.exe" 4a41ce84003122968fd82a73ae06750b
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Steel Horse Studio\steelhorsestudio32.exe

Filesize
3.6MB

MD5
c676e770a76c4c95309259ee34775a02

SHA1
19ab45f55c2610dd39979963328b287466cea28a

SHA256
aa0299b36535d763b8f2549ff6c22ae194c897f2897009d8024724e5bfb1bad9

SHA512
b51b452f6785d0b31ed566696a14bd29fef0997d8aceefb0a58112aabd1378837d72cb3fe0a0573092c49adcc3d8e22c663da05ce133c54f76239dde6532b37e

Download Submit
\Users\Admin\AppData\Local\Temp\is-H15QO.tmp\nitamaexternal_yW8AvTQEWM.tmp

Filesize
692KB

MD5
6c8bd255b01d7ccd268815cc7c49d440

SHA1
ead1c12e1ae1a991dcae7895f4ad6e211166b142

SHA256
f2b9f3b45b5f4dfb9f94901abe1550e6852ea3035d6fc648b8ab7072febd9781

SHA512
3b6755bfbcf6322343b3a04bcfb7d67d4634e8dc3627a6393cce6f08a53c1e69d2889ef14f6ead5a4ae56a7b97835483720bacdb2c8ff323b2850fead862c60d

Download Submit
\Users\Admin\AppData\Local\Temp\is-PNH4U.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-PNH4U.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
\Users\Admin\AppData\Local\Temp\is-PNH4U.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1548-83-0x0000000000400000-0x0000000000B9C000-memory.dmp

Filesize
7.6MB

Download
memory/1548-87-0x0000000000400000-0x0000000000B9C000-memory.dmp

Filesize
7.6MB

Download
memory/1548-79-0x0000000000400000-0x0000000000B9C000-memory.dmp

Filesize
7.6MB

Download
memory/1548-80-0x0000000000400000-0x0000000000B9C000-memory.dmp

Filesize
7.6MB

Download
memory/2116-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2116-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2116-81-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2176-78-0x0000000003F30000-0x00000000046CC000-memory.dmp

Filesize
7.6MB

Download
memory/2176-82-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2176-84-0x0000000003F30000-0x00000000046CC000-memory.dmp

Filesize
7.6MB

Download
memory/2176-14-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing