7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2

General

Target

7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.exe
Size

7.6MB
MD5

d72b059982474d061f9225cda2ac7332
SHA1

46e516115ae645549a0c1f81908c76c28f2a4ed7
SHA256

7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2
SHA512

9ac5bd592c087008b53cf5ffaeb3e5b1e8a1c876c8b38b0f88842beaf5047aa09d37a1d320c591685f7219d4e50c3f43c066bad3dd6ec494f4966aec7dc9540c
SSDEEP

196608:80Kt+85pmKgLzMod0FjVIznYbLF8MyG5tamy:8ntn5QLHyJVI+CpG5ny

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
856	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp
4860	audioconverterystudio.exe

Loads dropped DLL 3 IoCs

pid	Process
856	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp
856	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp
856	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 14 IoCs

pid	pid_target	Process	procid_target
4436	4860	WerFault.exe	83
2228	4860	WerFault.exe	83
3280	4860	WerFault.exe	83
216	4860	WerFault.exe	83
1720	4860	WerFault.exe	83
4372	4860	WerFault.exe	83
3584	4860	WerFault.exe	83
4260	4860	WerFault.exe	83
2572	4860	WerFault.exe	83
4052	4860	WerFault.exe	83
672	4860	WerFault.exe	83
1384	4860	WerFault.exe	83
3028	4860	WerFault.exe	83
4260	4860	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
856	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp
856	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp
4860	audioconverterystudio.exe
4860	audioconverterystudio.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
856	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 856	2508	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.exe	80
PID 2508 wrote to memory of 856	2508	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.exe	80
PID 2508 wrote to memory of 856	2508	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.exe	80
PID 856 wrote to memory of 4916	856	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp	81
PID 856 wrote to memory of 4916	856	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp	81
PID 856 wrote to memory of 4916	856	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp	81
PID 856 wrote to memory of 4860	856	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp	83
PID 856 wrote to memory of 4860	856	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp	83
PID 856 wrote to memory of 4860	856	7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp	83

C:\Users\Admin\AppData\Local\Temp\7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.exe
"C:\Users\Admin\AppData\Local\Temp\7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Local\Temp\is-U07O2.tmp\7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-U07O2.tmp\7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp" /SL5="$B006E,7691642,56832,C:\Users\Admin\AppData\Local\Temp\7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "Audio_Converter_Y_Studio_6241"
    3⤵
    PID:4916
- - C:\Users\Admin\AppData\Local\Audio Converter Y Studio\audioconverterystudio.exe
    "C:\Users\Admin\AppData\Local\Audio Converter Y Studio\audioconverterystudio.exe" 9f5b944e3d666b659e72b0cd70c52a73
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 852
      4⤵
      Program crash
      PID:4436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 860
      4⤵
      Program crash
      PID:2228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 908
      4⤵
      Program crash
      PID:3280
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1052
      4⤵
      Program crash
      PID:216
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1060
      4⤵
      Program crash
      PID:1720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1060
      4⤵
      Program crash
      PID:4372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1140
      4⤵
      Program crash
      PID:3584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1176
      4⤵
      Program crash
      PID:4260
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1148
      4⤵
      Program crash
      PID:2572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 964
      4⤵
      Program crash
      PID:4052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 880
      4⤵
      Program crash
      PID:672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1224
      4⤵
      Program crash
      PID:1384
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1088
      4⤵
      Program crash
      PID:3028
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1356
      4⤵
      Program crash
      PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4860 -ip 4860
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4860 -ip 4860
1⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4860 -ip 4860
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4860 -ip 4860
1⤵
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4860 -ip 4860
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4860 -ip 4860
1⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4860 -ip 4860
1⤵
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4860 -ip 4860
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4860 -ip 4860
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4860 -ip 4860
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4860 -ip 4860
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4860 -ip 4860
1⤵
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4860 -ip 4860
1⤵
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4860 -ip 4860
1⤵
PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Audio Converter Y Studio\audioconverterystudio.exe

Filesize
6.8MB

MD5
4d29f78697d9b7d68d3146795726ee7f

SHA1
945ec1e32017b2f00c4c493f669931db8ed32142

SHA256
c781324dc50ddac1ec32442aeb2c352677e7b32a07aabdff4811a703b7edd34c

SHA512
e65f3d8f6d59dbd8f8e982bcf03fb3473556c167eccee4df12c038f84f9e74e4cc26afb6043f9f835820a8583d1f4b0bdc23886e62175343a8dfdec853744cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9MVR1.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9MVR1.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U07O2.tmp\7ef6904ea6310db109b96a51a1ac58a63e8a769eaaf8a52e76d83437e8aea0c2.tmp

Filesize
694KB

MD5
63ee9cb9ef9ce97030e1749abe869b26

SHA1
281dbf11aff9122dd1e0dbcbf2f7c78590af52d9

SHA256
d64606b2388a9b12544fe1a453fbab4989e99813fcaeb5e54957854be958dec0

SHA512
3373c6716494c75c7c4340803f08def3e374d4250484af3fc0c5bde3fe3fe0d0f63fc4ce3d5ee17ede0a4175eb42d9d6f4b19700ca2847a23c1d8d75f07f22c9

Download Submit
memory/856-6-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/856-78-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2508-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2508-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2508-77-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4860-74-0x0000000000400000-0x0000000000ED5000-memory.dmp

Filesize
10.8MB

Download
memory/4860-75-0x0000000000400000-0x0000000000ED5000-memory.dmp

Filesize
10.8MB

Download
memory/4860-76-0x0000000000400000-0x0000000000ED5000-memory.dmp

Filesize
10.8MB

Download
memory/4860-79-0x0000000000400000-0x0000000000ED5000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing