7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2

General

Target

7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.exe
Size

7.6MB
MD5

d72b059982474d061f9225cda2ac7332
SHA1

46e516115ae645549a0c1f81908c76c28f2a4ed7
SHA256

7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2
SHA512

9ac5bd592c087008b53cf5ffaeb3e5b1e8a1c876c8b38b0f88842beaf5047aa09d37a1d320c591685f7219d4e50c3f43c066bad3dd6ec494f4966aec7dc9540c
SSDEEP

196608:80Kt+85pmKgLzMod0FjVIznYbLF8MyG5tamy:8ntn5QLHyJVI+CpG5ny

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1676	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp
2496	audioconverterystudio.exe

Loads dropped DLL 6 IoCs

pid	Process
2104	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.exe
1676	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp
1676	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp
1676	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp
1676	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp
1676	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1676	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp
1676	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp
2496	audioconverterystudio.exe
2496	audioconverterystudio.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1676	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 1676	2104	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.exe	28
PID 2104 wrote to memory of 1676	2104	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.exe	28
PID 2104 wrote to memory of 1676	2104	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.exe	28
PID 2104 wrote to memory of 1676	2104	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.exe	28
PID 2104 wrote to memory of 1676	2104	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.exe	28
PID 2104 wrote to memory of 1676	2104	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.exe	28
PID 2104 wrote to memory of 1676	2104	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.exe	28
PID 1676 wrote to memory of 2292	1676	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp	29
PID 1676 wrote to memory of 2292	1676	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp	29
PID 1676 wrote to memory of 2292	1676	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp	29
PID 1676 wrote to memory of 2292	1676	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp	29
PID 1676 wrote to memory of 2496	1676	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp	31
PID 1676 wrote to memory of 2496	1676	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp	31
PID 1676 wrote to memory of 2496	1676	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp	31
PID 1676 wrote to memory of 2496	1676	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp	31

C:\Users\Admin\AppData\Local\Temp\7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.exe
"C:\Users\Admin\AppData\Local\Temp\7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\Temp\is-3ML0V.tmp\7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3ML0V.tmp\7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp" /SL5="$3012C,7691642,56832,C:\Users\Admin\AppData\Local\Temp\7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "Audio_Converter_Y_Studio_6241"
    3⤵
    PID:2292
- - C:\Users\Admin\AppData\Local\Audio Converter Y Studio\audioconverterystudio.exe
    "C:\Users\Admin\AppData\Local\Audio Converter Y Studio\audioconverterystudio.exe" 9f5b944e3d666b659e72b0cd70c52a73
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Audio Converter Y Studio\audioconverterystudio.exe

Filesize
6.8MB

MD5
4d29f78697d9b7d68d3146795726ee7f

SHA1
945ec1e32017b2f00c4c493f669931db8ed32142

SHA256
c781324dc50ddac1ec32442aeb2c352677e7b32a07aabdff4811a703b7edd34c

SHA512
e65f3d8f6d59dbd8f8e982bcf03fb3473556c167eccee4df12c038f84f9e74e4cc26afb6043f9f835820a8583d1f4b0bdc23886e62175343a8dfdec853744cae

Download Submit
\Users\Admin\AppData\Local\Temp\is-3ML0V.tmp\7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp

Filesize
694KB

MD5
63ee9cb9ef9ce97030e1749abe869b26

SHA1
281dbf11aff9122dd1e0dbcbf2f7c78590af52d9

SHA256
d64606b2388a9b12544fe1a453fbab4989e99813fcaeb5e54957854be958dec0

SHA512
3373c6716494c75c7c4340803f08def3e374d4250484af3fc0c5bde3fe3fe0d0f63fc4ce3d5ee17ede0a4175eb42d9d6f4b19700ca2847a23c1d8d75f07f22c9

Download Submit
\Users\Admin\AppData\Local\Temp\is-KE2D5.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-KE2D5.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
\Users\Admin\AppData\Local\Temp\is-KE2D5.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1676-16-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1676-77-0x00000000039E0000-0x00000000044B5000-memory.dmp

Filesize
10.8MB

Download
memory/1676-82-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2104-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2104-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2104-81-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2496-79-0x0000000000400000-0x0000000000ED5000-memory.dmp

Filesize
10.8MB

Download
memory/2496-80-0x0000000000400000-0x0000000000ED5000-memory.dmp

Filesize
10.8MB

Download
memory/2496-83-0x0000000000400000-0x0000000000ED5000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing