fb4221b99a21312a47c37d27cf9c24ec2b7d1dec2099ee8baa7aabc17075cdb6

Analysis

max time kernel
147s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
19/06/2024, 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setupprogram_01234.exe
Size

26.8MB
MD5

8855431f6861ce61ae7b518373ce2454
SHA1

b4ac109a3e284df6a56af00aa7a1fe9ffd8f7fc4
SHA256

fa4fd0fbe285908c10eef2c6736de6c0776b38e5c6a7ba18371dedd39e36b451
SHA512

64b6e8b11cd6076f506f48918d9e7fff23acf1fdc00624440a2a5c4d3360402ed1c88b0105ec696d1211dab9f3e9b5d4d161dbd4cf21184d974fec40b34d3774
SSDEEP

786432:MGR2OZUU3y7UMxDsEUAsJYPBgGkpbqRAw2elablkTVI:MyrSPBgGzOeelkhI

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1928	MPC-HC.2.1.7.2.x86.exe
2384	MPC-HC.2.1.7.2.x86.tmp

Loads dropped DLL 4 IoCs

pid	Process
1928	MPC-HC.2.1.7.2.x86.exe
2384	MPC-HC.2.1.7.2.x86.tmp
2384	MPC-HC.2.1.7.2.x86.tmp
2384	MPC-HC.2.1.7.2.x86.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MPC-HC\Lang\is-G0Q4S.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Lang\is-DSE7D.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Lang\is-5KSGT.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\is-Q9GK8.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Shaders\is-4A38D.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Shaders11\is-44I4V.tmp	MPC-HC.2.1.7.2.x86.tmp
File opened for modification	C:\Program Files (x86)\MPC-HC\Lang\mpcresources.ms_MY.dll	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Lang\is-DM8L2.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Lang\is-5EUKJ.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\LAVFilters\is-GMB53.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\LAVFilters\is-PGCM5.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\is-2H9E9.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Shaders\is-808EA.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Shaders11\is-98KD6.tmp	MPC-HC.2.1.7.2.x86.tmp
File opened for modification	C:\Program Files (x86)\MPC-HC\Lang\mpcresources.pa.dll	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\LAVFilters\is-BI4LS.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Shaders\is-P38KG.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Lang\is-04I0K.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Lang\is-ETBO8.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Lang\is-O3609.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Shaders\is-BH8VQ.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Shaders11\is-B9S3A.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\is-GJPF8.tmp	MPC-HC.2.1.7.2.x86.tmp
File opened for modification	C:\Program Files (x86)\MPC-HC\Lang\mpcresources.ca.dll	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Lang\is-CDBV6.tmp	MPC-HC.2.1.7.2.x86.tmp
File opened for modification	C:\Program Files (x86)\MPC-HC\Lang\mpcresources.ja.dll	MPC-HC.2.1.7.2.x86.tmp
File opened for modification	C:\Program Files (x86)\MPC-HC\Lang\mpcresources.ko.dll	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Lang\is-L7IO8.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Shaders11\is-DMA8O.tmp	MPC-HC.2.1.7.2.x86.tmp
File opened for modification	C:\Program Files (x86)\MPC-HC\Lang\mpcresources.bg.dll	MPC-HC.2.1.7.2.x86.tmp
File opened for modification	C:\Program Files (x86)\MPC-HC\LAVFilters\avformat-lav-60.dll	MPC-HC.2.1.7.2.x86.tmp
File opened for modification	C:\Program Files (x86)\MPC-HC\LAVFilters\avfilter-lav-9.dll	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Lang\is-80VB6.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Lang\is-V81CD.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Lang\is-D5469.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Shaders\is-H5QRF.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Shaders\is-M7ENC.tmp	MPC-HC.2.1.7.2.x86.tmp
File opened for modification	C:\Program Files (x86)\MPC-HC\Lang\mpcresources.lt.dll	MPC-HC.2.1.7.2.x86.tmp
File opened for modification	C:\Program Files (x86)\MPC-HC\Lang\mpcresources.bn.dll	MPC-HC.2.1.7.2.x86.tmp
File opened for modification	C:\Program Files (x86)\MPC-HC\Lang\mpcresources.vi.dll	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Lang\is-JTNNN.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\LAVFilters\is-Q0434.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Shaders\is-8688T.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Shaders11\is-URJ0T.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Shaders11\is-1PVHL.tmp	MPC-HC.2.1.7.2.x86.tmp
File opened for modification	C:\Program Files (x86)\MPC-HC\LAVFilters\avcodec-lav-60.dll	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\CrashReporter\is-DVP77.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Shaders11\is-SD3SK.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\LAVFilters\is-B5KBK.tmp	MPC-HC.2.1.7.2.x86.tmp
File opened for modification	C:\Program Files (x86)\MPC-HC\Lang\mpcresources.pt_BR.dll	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Lang\is-2AIF5.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Lang\is-1ILPB.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\is-2U4LJ.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Shaders\is-UN003.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Shaders\is-G0M4G.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Shaders11\is-N8ML9.tmp	MPC-HC.2.1.7.2.x86.tmp
File opened for modification	C:\Program Files (x86)\MPC-HC\CrashReporter\crashrpt.dll	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Shaders\is-6NP1P.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Shaders11\is-RPE83.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Lang\is-1F88R.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Lang\is-SU6A6.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Lang\is-V8FJT.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Shaders\is-L157T.tmp	MPC-HC.2.1.7.2.x86.tmp
File created	C:\Program Files (x86)\MPC-HC\Shaders\is-RJ53G.tmp	MPC-HC.2.1.7.2.x86.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2972	Setupprogram_01234.exe
2384	MPC-HC.2.1.7.2.x86.tmp
2384	MPC-HC.2.1.7.2.x86.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	Setupprogram_01234.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2972	Setupprogram_01234.exe
2384	MPC-HC.2.1.7.2.x86.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2384	1928	MPC-HC.2.1.7.2.x86.exe	35
PID 1928 wrote to memory of 2384	1928	MPC-HC.2.1.7.2.x86.exe	35
PID 1928 wrote to memory of 2384	1928	MPC-HC.2.1.7.2.x86.exe	35
PID 1928 wrote to memory of 2384	1928	MPC-HC.2.1.7.2.x86.exe	35
PID 1928 wrote to memory of 2384	1928	MPC-HC.2.1.7.2.x86.exe	35
PID 1928 wrote to memory of 2384	1928	MPC-HC.2.1.7.2.x86.exe	35
PID 1928 wrote to memory of 2384	1928	MPC-HC.2.1.7.2.x86.exe	35

C:\Users\Admin\AppData\Local\Temp\Setupprogram_01234.exe
"C:\Users\Admin\AppData\Local\Temp\Setupprogram_01234.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2972

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2756

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:2180

C:\Users\Admin\AppData\Local\MPC-HC\MPC-HC.2.1.7.2.x86.exe
"C:\Users\Admin\AppData\Local\MPC-HC\MPC-HC.2.1.7.2.x86.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\is-8OBN0.tmp\MPC-HC.2.1.7.2.x86.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-8OBN0.tmp\MPC-HC.2.1.7.2.x86.tmp" /SL5="$11015A,18872303,845824,C:\Users\Admin\AppData\Local\MPC-HC\MPC-HC.2.1.7.2.x86.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MPC-HC\MPC-HC.2.1.7.2.x86.exe

Filesize
19.0MB

MD5
0cf0be4175f4c4cbc1f0244ea173f4f8

SHA1
e9eef43e43ef820cc23f3a9b7259ae9f247474bf

SHA256
495ee02835490d2fd1e18b688c904757e6d727f4f2e344d2e20700b6860a1047

SHA512
5b913a1ee7dd250881f7236da76d7f7c43da4caa20b72610fffc7064170a82e5f42e084f278a054327ae3da947d74eb148d16d273218d88a0d97e5de68f4e8d9

Download Submit
\Program Files (x86)\MPC-HC\mpc-hc.exe

Filesize
10.7MB

MD5
d916a75438f717dc110c853782c8d2b2

SHA1
64cdf79c31f540f566b1eb188d52c8dafb835f27

SHA256
573d620b32f8ccc1b95b071a7e3f689c77187b4fc898f85b81a24ee0e1570883

SHA512
c5c25cb8c6a9539e5ce14bb7af0ff801679bef3b241ddafe1505ba5cf07b1808d6ddb2a253ef3d76c2eee93496fd2f1c5fd8f4f2aa3f7e7275492b3be18c82ff

Download Submit
\Program Files (x86)\MPC-HC\unins000.exe

Filesize
3.1MB

MD5
cf72d288dfac9cb0b4bfe1ade5c719db

SHA1
a77a3b2ed53e03b7043076f6710f0ddc3f8e7fac

SHA256
629c5535fa98564b6b35a37b5c036471d22c8ed192319c7653f6ebc4166ea89f

SHA512
28ba93aad40b10b912d0995abc4dbbd90e1594669ae708e7f4cfe40c93cbf2a0acb0af8c9e0557627bb53e0439ef12955fe5e50120c907e3824f70b4d9c1ead0

Download Submit
\Users\Admin\AppData\Local\Temp\is-8OBN0.tmp\MPC-HC.2.1.7.2.x86.tmp

Filesize
3.0MB

MD5
b60659b89de8a18b8819c0b65b28cf9a

SHA1
9fbcc417d1cc6a4c7fd1ce1bc04c3bf8cc1cb1da

SHA256
356050b9cfc8d089772368a29771beb94f3325e2f223dd5deaec6e15e43667d3

SHA512
c4df5f7e9a90bfbe823503bcf4e7b2bc401f59f7605f1e560bf85b219259125b6e8bcbddb81810289dcc12d1c74e4af7ec8e02f80e78210afef93d28a85412f4

Download Submit
memory/1928-3-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1928-6-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/1928-261-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2384-260-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download