f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891

General

Target

f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.exe
Size

6.0MB
MD5

de156f01b293b24f9add10533f9597cc
SHA1

2bbec67bbf358073851aa4fedaa92fdc276e230d
SHA256

f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891
SHA512

0e9c2b3f39967de4f330c475a4591ae6d3c98873dca8d353b7d2237a1de41afed838e74eb69c329f81f7684d1c2222b08ea0c4473fbefd3c0bed0b2ccdd0827e
SSDEEP

98304:POV7BIi2tx/sdUkfaoyW4yOS3xhnlLDmnfaoJPdbSoiOULgZ7KV8GMiJ+hl5x9P1:GtBl2zoIL8jUjxdbNv/7ukn/VTp2C

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2096	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.tmp
2912	growthmusicstudio32.exe

Loads dropped DLL 13 IoCs

pid	Process
2572	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.exe
2096	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.tmp
2096	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.tmp
2096	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.tmp
2096	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.tmp
2096	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.tmp
2776	WerFault.exe
2776	WerFault.exe
2776	WerFault.exe
2776	WerFault.exe
2776	WerFault.exe
2776	WerFault.exe
2776	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2776	2912	WerFault.exe	33

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2096	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.tmp
2096	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2096	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.tmp

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2096	2572	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.exe	30
PID 2572 wrote to memory of 2096	2572	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.exe	30
PID 2572 wrote to memory of 2096	2572	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.exe	30
PID 2572 wrote to memory of 2096	2572	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.exe	30
PID 2572 wrote to memory of 2096	2572	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.exe	30
PID 2572 wrote to memory of 2096	2572	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.exe	30
PID 2572 wrote to memory of 2096	2572	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.exe	30
PID 2096 wrote to memory of 2852	2096	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.tmp	31
PID 2096 wrote to memory of 2852	2096	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.tmp	31
PID 2096 wrote to memory of 2852	2096	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.tmp	31
PID 2096 wrote to memory of 2852	2096	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.tmp	31
PID 2096 wrote to memory of 2912	2096	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.tmp	33
PID 2096 wrote to memory of 2912	2096	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.tmp	33
PID 2096 wrote to memory of 2912	2096	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.tmp	33
PID 2096 wrote to memory of 2912	2096	f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.tmp	33
PID 2912 wrote to memory of 2776	2912	growthmusicstudio32.exe	34
PID 2912 wrote to memory of 2776	2912	growthmusicstudio32.exe	34
PID 2912 wrote to memory of 2776	2912	growthmusicstudio32.exe	34
PID 2912 wrote to memory of 2776	2912	growthmusicstudio32.exe	34

C:\Users\Admin\AppData\Local\Temp\f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.exe
"C:\Users\Admin\AppData\Local\Temp\f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Users\Admin\AppData\Local\Temp\is-OOUQ0.tmp\f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-OOUQ0.tmp\f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.tmp" /SL5="$4010A,6055321,56832,C:\Users\Admin\AppData\Local\Temp\f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "Growth_Music_Studio_6192"
    3⤵
    PID:2852
- - C:\Users\Admin\AppData\Local\Growth Music Studio\growthmusicstudio32.exe
    "C:\Users\Admin\AppData\Local\Growth Music Studio\growthmusicstudio32.exe" c7ca93282cb56ba180a1144801fd059c
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 172
      4⤵
      Loads dropped DLL
      Program crash
      PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Growth Music Studio\growthmusicstudio32.exe

Filesize
5.0MB

MD5
447ba4286d4496c2792a42693b96579b

SHA1
291d62111940ee6b99131042b00bf967e09217df

SHA256
02c6422137ed2e73516de971e6b7b587da023b216689a10b76f7ff2c14b9a716

SHA512
49b9bb1c73589f8f137e3014e8fdeb7cd4d8b2409789860421aadfe732a2b82bbf57431b8875f141b425867530c8ec2a60223238fd1802db0a81af0cd10fb365

Download Submit
\Users\Admin\AppData\Local\Temp\is-67ETD.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-67ETD.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
\Users\Admin\AppData\Local\Temp\is-67ETD.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-OOUQ0.tmp\f2ad4a4a509ab85449f5119172cd48d43c4dcb29ead0ada424ffb7e2b8c54891.tmp

Filesize
694KB

MD5
f0d3f31955f4989644cecc26e164deb4

SHA1
9c0f2e1effc15a53e7dfcad9a8f60fbe8ca709ad

SHA256
b00c55ecf4c11c62c23cf0a0d213e4708c29f9793baa85aa7d73ddafc4dc9ff5

SHA512
d58976a08d4c3b5dc18796e983921caccc663050eef854ed6dbfe68791454c7ff3b2b29dc4c1ea9e703bb34d07097f66b20278d1b96f7899e7330d34b6793dbd

Download Submit
memory/2096-8-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2096-78-0x0000000003A00000-0x000000000430B000-memory.dmp

Filesize
9.0MB

Download
memory/2096-88-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2096-91-0x0000000003A00000-0x000000000430B000-memory.dmp

Filesize
9.0MB

Download
memory/2572-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2572-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2572-87-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2912-79-0x0000000000400000-0x0000000000D0B000-memory.dmp

Filesize
9.0MB

Download

Analysis

Sharing