1a6ef07dcd124e088d4adfeb6c6897e4ad6292bb2e8605b39701168c1f349a3c

General

Target

1a6ef07dcd124e088d4adfeb6c6897e4ad6292bb2e8605b39701168c1f349a3c.exe
Size

2.1MB
MD5

2f2b3b7da6eacecf527411eccf4d3ea9
SHA1

9aad2f6360daf31f27c3dee01b1f7628e3e6dcba
SHA256

1a6ef07dcd124e088d4adfeb6c6897e4ad6292bb2e8605b39701168c1f349a3c
SHA512

df764d2fb2a112a3602867b31f0de779d8ffc996a90623489c716875193a5c45a135949e871ed967282b961c0ae2d682f67395d7ebf626aec79ccdb0d0cc14ba
SSDEEP

49152:tBuZrEUomnOzOPiFp0Rqk8c55DdN7POGjVs:7kL/DGqq7c55lji

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2072	1a6ef07dcd124e088d4adfeb6c6897e4ad6292bb2e8605b39701168c1f349a3c.tmp

Loads dropped DLL 2 IoCs

pid	Process
1412	1a6ef07dcd124e088d4adfeb6c6897e4ad6292bb2e8605b39701168c1f349a3c.exe
2072	1a6ef07dcd124e088d4adfeb6c6897e4ad6292bb2e8605b39701168c1f349a3c.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2576	taskkill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2072	1a6ef07dcd124e088d4adfeb6c6897e4ad6292bb2e8605b39701168c1f349a3c.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	taskkill.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 2072	1412	1a6ef07dcd124e088d4adfeb6c6897e4ad6292bb2e8605b39701168c1f349a3c.exe	30
PID 1412 wrote to memory of 2072	1412	1a6ef07dcd124e088d4adfeb6c6897e4ad6292bb2e8605b39701168c1f349a3c.exe	30
PID 1412 wrote to memory of 2072	1412	1a6ef07dcd124e088d4adfeb6c6897e4ad6292bb2e8605b39701168c1f349a3c.exe	30
PID 1412 wrote to memory of 2072	1412	1a6ef07dcd124e088d4adfeb6c6897e4ad6292bb2e8605b39701168c1f349a3c.exe	30
PID 1412 wrote to memory of 2072	1412	1a6ef07dcd124e088d4adfeb6c6897e4ad6292bb2e8605b39701168c1f349a3c.exe	30
PID 1412 wrote to memory of 2072	1412	1a6ef07dcd124e088d4adfeb6c6897e4ad6292bb2e8605b39701168c1f349a3c.exe	30
PID 1412 wrote to memory of 2072	1412	1a6ef07dcd124e088d4adfeb6c6897e4ad6292bb2e8605b39701168c1f349a3c.exe	30
PID 2072 wrote to memory of 2060	2072	1a6ef07dcd124e088d4adfeb6c6897e4ad6292bb2e8605b39701168c1f349a3c.tmp	31
PID 2072 wrote to memory of 2060	2072	1a6ef07dcd124e088d4adfeb6c6897e4ad6292bb2e8605b39701168c1f349a3c.tmp	31
PID 2072 wrote to memory of 2060	2072	1a6ef07dcd124e088d4adfeb6c6897e4ad6292bb2e8605b39701168c1f349a3c.tmp	31
PID 2072 wrote to memory of 2060	2072	1a6ef07dcd124e088d4adfeb6c6897e4ad6292bb2e8605b39701168c1f349a3c.tmp	31
PID 2060 wrote to memory of 2576	2060	cmd.exe	33
PID 2060 wrote to memory of 2576	2060	cmd.exe	33
PID 2060 wrote to memory of 2576	2060	cmd.exe	33
PID 2060 wrote to memory of 2576	2060	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\1a6ef07dcd124e088d4adfeb6c6897e4ad6292bb2e8605b39701168c1f349a3c.exe
"C:\Users\Admin\AppData\Local\Temp\1a6ef07dcd124e088d4adfeb6c6897e4ad6292bb2e8605b39701168c1f349a3c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Users\Admin\AppData\Local\Temp\is-8R6LU.tmp\1a6ef07dcd124e088d4adfeb6c6897e4ad6292bb2e8605b39701168c1f349a3c.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-8R6LU.tmp\1a6ef07dcd124e088d4adfeb6c6897e4ad6292bb2e8605b39701168c1f349a3c.tmp" /SL5="$100156,1388696,832512,C:\Users\Admin\AppData\Local\Temp\1a6ef07dcd124e088d4adfeb6c6897e4ad6292bb2e8605b39701168c1f349a3c.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im ClusterManagerServer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /t /im ClusterManagerServer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-8R6LU.tmp\1a6ef07dcd124e088d4adfeb6c6897e4ad6292bb2e8605b39701168c1f349a3c.tmp

Filesize
3.0MB

MD5
c1133bd8fc9669d65aa243a158d7818a

SHA1
ebafd950aa5e63ec17421b9fb293442bba5f2e15

SHA256
fd3522ae1fc77d7a2a1eb2dcfbf98a5c57fc232f034fe2a035e60c44e35bcf3e

SHA512
d21716d9b6fe179c144c8183647a0e20f4062506405a03978b573f5244d524ce8e8dc6e537b0205bcf4753cda830a1d5114e8a8e6b7fe73278095786d6549ae2

Download Submit
\Users\Admin\AppData\Local\Temp\is-UAD4K.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
memory/1412-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/1412-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1412-13-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2072-9-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2072-14-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing