7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272

General

Target

7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.exe
Size

2.5MB
MD5

2f9281010bf12890403934bdb517c2c4
SHA1

6e822864dd45fa4a09d29b6e0dc5906dbf96e3d1
SHA256

7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272
SHA512

725ea7e7a262d0bc7f75a9f3c24aa1290827198b9146b784d57d984c9cccc7feaa38d8fa6200793bcd226b4da9461e894f728b89c6f94157202b586468de1335
SSDEEP

49152:eBuZrEUGmrsuyh3kw8bgyjvpnLw7vhzDd0Ua7AqKwd40Lp8Hg/9RQTMVG5V:YkLGmY338ZvpnLoxD6ATwdxYg/4I47

Score

6^/10

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1518.001

Processes:

7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\AVG\AV\Dir	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\AVAST Software\Avast	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp

Executes dropped EXE 1 IoCs

Processes:

7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp

pid process

4208 7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
Loads dropped DLL 1 IoCs

Processes:

7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp

pid process

4208 7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 27 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	27	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp

pid	process
4208	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
4208	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
4208	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
4208	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
4208	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
4208	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
4208	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
4208	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
4208	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
4208	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
4208	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
4208	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
4208	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
4208	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
4208	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
4208	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.exe

description	pid	process	target process
PID 3484 wrote to memory of 4208	3484	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.exe	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
PID 3484 wrote to memory of 4208	3484	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.exe	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
PID 3484 wrote to memory of 4208	3484	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.exe	7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp

C:\Users\Admin\AppData\Local\Temp\7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.exe
"C:\Users\Admin\AppData\Local\Temp\7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3484

C:\Users\Admin\AppData\Local\Temp\is-T81TU.tmp\7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T81TU.tmp\7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp" /SL5="$E01C2,1633941,874496,C:\Users\Admin\AppData\Local\Temp\7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.exe"
2⤵
- Checks for any installed AV software in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Software Discovery

1

T1518

Security Software Discovery

1

T1518.001

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-19FIK.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
b83f5833e96c2eb13f14dcca805d51a1

SHA1
9976b0a6ef3dabeab064b188d77d870dcdaf086d

SHA256
00e667b838a4125c8cf847936168bb77bb54580bc05669330cb32c0377c4a401

SHA512
8641b351e28b3c61ed6762adbca165f4a5f2ee26a023fd74dd2102a6258c0f22e91b78f4a3e9fba6094b68096001de21f10d6495f497580847103c428d30f7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T81TU.tmp\7ccef9af5267c22a56bdbaf2f9109a02611bba461e0b0321bed42b5911163272.tmp

Filesize
3.1MB

MD5
4f0ef46de64a97f2f8fcdf189068244d

SHA1
e251fd9a7a56526b623e087c50d767c96844de2b

SHA256
a462faeab6713e66c2c870b873fad186e5b5351d853a0d5432a9edd3311ac032

SHA512
b56b665305199e3a44b10ae9d1710685b3f4bb5ecff6ee77bc6aa743d48528d91f88fa1853daf99f4a0fb652102d6a313a2f61102eed61d3558545cf527fc1dd

Download Submit
memory/3484-0-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3484-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3484-25-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4208-6-0x0000000000400000-0x000000000071E000-memory.dmp

Filesize
3.1MB

Download
memory/4208-23-0x0000000003690000-0x00000000037D0000-memory.dmp

Filesize
1.2MB

Download
memory/4208-24-0x0000000000400000-0x000000000071E000-memory.dmp

Filesize
3.1MB

Download
memory/4208-26-0x0000000000400000-0x000000000071E000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads