458dec29bc4efc6f5914c9ff20bbc4448a059fe1ada32b84eed9c5b9a9985a9f

General

Target

SamFwToolSetup.exe
Size

56.8MB
MD5

a3a38db6f62269ed7cee99fabb676135
SHA1

39f4958ae7481b2a3e7452c2dffb648ea5e200be
SHA256

7640282150d51c407ffdfe2fab35f2c60b93b0dc56ac93ad2459b16789aec61b
SHA512

e340b323bba664fd2b2d819da151c886ec66849ba3798377cf0e8cbcf253f9604ce248e62b22ac184939e5947f87a2f5964ee649099d6d14971c71270894771d
SSDEEP

1572864:lCRAP2DnTG0r6OFxObdjUW8Odiw1NF3Zh4aNfv/VG:lDknTdGO2ZjUezFjv9G

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2792	SamFwToolSetup.tmp
3296	7za.exe
4136	SamFwTool.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
2792	SamFwToolSetup.tmp
2792	SamFwToolSetup.tmp
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe
4136	SamFwTool.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	3296	7za.exe
Token: 35	3296	7za.exe
Token: SeSecurityPrivilege	3296	7za.exe
Token: SeSecurityPrivilege	3296	7za.exe
Token: SeDebugPrivilege	4136	SamFwTool.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2792	SamFwToolSetup.tmp
4136	SamFwTool.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4136	SamFwTool.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 2792	4956	SamFwToolSetup.exe	81
PID 4956 wrote to memory of 2792	4956	SamFwToolSetup.exe	81
PID 4956 wrote to memory of 2792	4956	SamFwToolSetup.exe	81
PID 2792 wrote to memory of 3296	2792	SamFwToolSetup.tmp	83
PID 2792 wrote to memory of 3296	2792	SamFwToolSetup.tmp	83
PID 2792 wrote to memory of 3296	2792	SamFwToolSetup.tmp	83
PID 2792 wrote to memory of 4136	2792	SamFwToolSetup.tmp	86
PID 2792 wrote to memory of 4136	2792	SamFwToolSetup.tmp	86
PID 2792 wrote to memory of 4136	2792	SamFwToolSetup.tmp	86

C:\Users\Admin\AppData\Local\Temp\SamFwToolSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SamFwToolSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Users\Admin\AppData\Local\Temp\is-65174.tmp\SamFwToolSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-65174.tmp\SamFwToolSetup.tmp" /SL5="$B004E,58690757,832512,C:\Users\Admin\AppData\Local\Temp\SamFwToolSetup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\SamFwTool\data\7za.exe
    "C:\SamFwTool\data\7za.exe" x "C:\SamFwTool\data.7z" -o"C:\SamFwTool\" * -r -aoa
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3296
- - C:\SamFwTool\SamFwTool.exe
    "C:\SamFwTool\SamFwTool.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SamFwTool\SamFwTool.exe

Filesize
16.0MB

MD5
99b1e36598e55933e350430519b53b34

SHA1
202174440b5bbf8483e60a209b33f92576d5e0a9

SHA256
72b4e02b59b6cf1bfec786e2b1acf98d31cdceb906beb115b52f3bbf07e02fb3

SHA512
1db4ff19d90bc4fd909c29cff97c08bf60ab0a9673a2bab5756b17646213c397e552079519e7f5193fe7bdd7320d5d8456036273ae96b62a98c525e5c22d0eaa

Download Submit
C:\SamFwTool\data.7z

Filesize
39.6MB

MD5
e2a12d6e1340e12e29f8d5113fabb6eb

SHA1
f57e4a9e4b39018cd8aa294ffb372e3dd5071d7b

SHA256
77a2961a5c03c5c972e53083ddc81c37b3aa3dc6b2dbf4934064035949fa4b9f

SHA512
9d5e658a8cb68ea01e11dc26ce713a091088d7629d2baff20cf9b43002c55e15eca3ec7dcbc53bf5e4a4b8b3d98b5f649f59280c4a625f239474a87b79174424

Download Submit
C:\SamFwTool\data\7za.exe

Filesize
676KB

MD5
2e3309647ce678ca313fe3825a57ccb9

SHA1
792fdeccddd3cc182eac3a1ecd7affe5b48262c8

SHA256
e6855553350fa6fb23e05839c7f3ef140dad29d9a0e3495de4d1b17a9fbf5ca4

SHA512
5eb2af380fed7117d45232d42dec4d05a6f4f6cd6c7d03583c181b235344ea922290b6e0bf6b9683592bccc0f4a3b2b9b9fd7d41fbfebf1045bd95b027539dbc

Download Submit
C:\SamFwTool\data\drivers\x86\libusbK.dll

Filesize
166KB

MD5
3935ec3158d0e488da1929b77edd1633

SHA1
bd6d94704b29b6cef3927796bfe22a2d09ee4fe7

SHA256
87cbd1f3bf5ab72089a879df110263784602a574c0ae83f428df57ae2f8115db

SHA512
5173891b1dfad2298910236a786c7b9bbcfce641491a25f933022088c81465fb93fd2385d270e9a0632f674355538da464d1edacf511140d6f31d91d1afe64fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-65174.tmp\SamFwToolSetup.tmp

Filesize
3.1MB

MD5
c40a8a7891124f63f741ee4e36ae459c

SHA1
12fbe834dd5d52cdb4dddca392604721872d259d

SHA256
7e865f2ab27c2cdc895cc42ba887c4968a85619d435d74c556cc8f8ce47e615c

SHA512
f7043fc31cd692eb52b00a24f3085609b0c616b04b7ec0ff22c7d34d27c34c07ec7f27424256fec2cf975ddc277c2005cc96e3668bf11ad112db77b750e9d92a

Download Submit
memory/2792-129-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2792-6-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2792-114-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4136-126-0x00000000735F0000-0x0000000073DA0000-memory.dmp

Filesize
7.7MB

Download
memory/4136-138-0x0000000009CC0000-0x0000000009CCA000-memory.dmp

Filesize
40KB

Download
memory/4136-124-0x00000000735FE000-0x00000000735FF000-memory.dmp

Filesize
4KB

Download
memory/4136-125-0x00000000002D0000-0x00000000012DA000-memory.dmp

Filesize
16.0MB

Download
memory/4136-141-0x00000000735F0000-0x0000000073DA0000-memory.dmp

Filesize
7.7MB

Download
memory/4136-140-0x00000000735FE000-0x00000000735FF000-memory.dmp

Filesize
4KB

Download
memory/4136-139-0x000000000AB00000-0x000000000B02C000-memory.dmp

Filesize
5.2MB

Download
memory/4136-131-0x000000000F7F0000-0x0000000010422000-memory.dmp

Filesize
12.2MB

Download
memory/4136-132-0x00000000067F0000-0x0000000006D94000-memory.dmp

Filesize
5.6MB

Download
memory/4136-133-0x0000000005E40000-0x0000000005ED2000-memory.dmp

Filesize
584KB

Download
memory/4136-134-0x00000000061E0000-0x00000000061EA000-memory.dmp

Filesize
40KB

Download
memory/4136-135-0x0000000009AF0000-0x0000000009B66000-memory.dmp

Filesize
472KB

Download
memory/4136-136-0x0000000009C70000-0x0000000009CA4000-memory.dmp

Filesize
208KB

Download
memory/4136-137-0x000000000A540000-0x000000000A5D2000-memory.dmp

Filesize
584KB

Download
memory/4956-15-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4956-130-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4956-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4956-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download

Analysis

Sharing