48f88c114bb04dff280d55cb79528b8920b364057138eb03be75eaa4ead8b31a

General

Target

715bef7d4569eec1f888fd471bf391b1.exe
Size

4.2MB
MD5

715bef7d4569eec1f888fd471bf391b1
SHA1

82c86b7ad803435b14e3919e2bcc430166473885
SHA256

48f88c114bb04dff280d55cb79528b8920b364057138eb03be75eaa4ead8b31a
SHA512

8c8aaa129adb56612aa090d218b1ee98f296477aaa45292ca9e72ff856366b7945acae1ad2e20c6cd2d9d7d0af37233433ed1f0042cc0d6affcc977e51ec759a
SSDEEP

98304:yyHF3pWuKJNbZuoye6+9E46a9R1PGmObNnqGO:yyl5WfJ6oye6ut6MPdEo5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2400	pPokerSetup.exe

Loads dropped DLL 7 IoCs

pid	Process
1656	715bef7d4569eec1f888fd471bf391b1.exe
2400	pPokerSetup.exe
2400	pPokerSetup.exe
2400	pPokerSetup.exe
2400	pPokerSetup.exe
2400	pPokerSetup.exe
2400	pPokerSetup.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001924b-4.dat	upx
behavioral1/memory/1656-6-0x0000000003250000-0x00000000032B5000-memory.dmp	upx
behavioral1/memory/2400-9-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral1/memory/2400-13-0x0000000000310000-0x0000000000375000-memory.dmp	upx
behavioral1/files/0x000500000001a310-18.dat	upx
behavioral1/memory/2400-75-0x0000000000400000-0x0000000000465000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	715bef7d4569eec1f888fd471bf391b1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pPokerSetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2400	1656	715bef7d4569eec1f888fd471bf391b1.exe	31
PID 1656 wrote to memory of 2400	1656	715bef7d4569eec1f888fd471bf391b1.exe	31
PID 1656 wrote to memory of 2400	1656	715bef7d4569eec1f888fd471bf391b1.exe	31
PID 1656 wrote to memory of 2400	1656	715bef7d4569eec1f888fd471bf391b1.exe	31
PID 1656 wrote to memory of 2400	1656	715bef7d4569eec1f888fd471bf391b1.exe	31
PID 1656 wrote to memory of 2400	1656	715bef7d4569eec1f888fd471bf391b1.exe	31
PID 1656 wrote to memory of 2400	1656	715bef7d4569eec1f888fd471bf391b1.exe	31

C:\Users\Admin\AppData\Local\Temp\715bef7d4569eec1f888fd471bf391b1.exe
"C:\Users\Admin\AppData\Local\Temp\715bef7d4569eec1f888fd471bf391b1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\pPokerSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\pPokerSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\1KA0R1H8\Resume.exe

Filesize
471KB

MD5
fd39777b282cf75f79c2880bca01fd0c

SHA1
5928007b5e020fab5f955b0ac626773e35764e64

SHA256
cf72f4f9a5ed87837a202883633a20979bcfaa25e2dbd458abc90648c7611bf5

SHA512
cbb6daf18809e4268051fb3a529fd29425bdb9e90a9ffdb3714b8fe3afc00d65acabcc50490d62027137bf7727753cf859905818c473eb21779adfd9de76a056

Download Submit
\Temp\1KA0R1H8\pPokerSetup\plugins\0\FindWin.dll

Filesize
32KB

MD5
f8d1e08d77851b6df104c0c5ca00d9e5

SHA1
c0716d1b78f54d64cd280af25e566fab02a3f5f9

SHA256
bde15255c2805c1ad1769d09c9042dadbbcea7b6f9c16d29c9ba94a396cdf5b3

SHA512
5bfc73951bafd8aa10e80f2d3e3b3b43f6fb570d87dfda81ae842783647cdfda1ca025fe7fc70b05c88a0e1e849a981c6edededea7ef8cf0433206af55dc0b73

Download Submit
\Temp\1KA0R1H8\pPokerSetup\plugins\1\CustomUI.dll

Filesize
341KB

MD5
68db0007a2b8a1416d2dcef05c23c81d

SHA1
33638a0aaaf39ba371edf723ac8676aad053363d

SHA256
badd189d8d23bda66b44a48d2969b4c17b48c469cd86d1a094b701268d57a07b

SHA512
79551d29f67c7d8a7fce80c4e6a3986707b80452ded3ef515b9e931bc48ae054755def7df0d034685df6a6dbaf4fb909ea5c31c8fc6175ee53b1c670ebbf9bae

Download Submit
\Temp\1KA0R1H8\unpack.dll

Filesize
34KB

MD5
705aa1dc6f5fb72a2182ffd2c95bfa2e

SHA1
08de4589e01d3f0f589209baf8b669fae04b5875

SHA256
ec8361e43f0f83d0da13261718b8791e5517375fce67b4055d390353a5b2ca00

SHA512
5d00edf396efc5c130e1e7071fe027afaaa35d4d746441a1f0e0736c4828941e55e49f5319f5c1739bd75d2b5e03504d59284b2754430e0053e3f8d5f2702e4d

Download Submit
\Users\Admin\AppData\Local\Temp\pPokerSetup.exe

Filesize
4.2MB

MD5
8ca11e6ff0154ec1e86b0f0e667c3b49

SHA1
7f0e03e0a6e9334d874d652d7168af595b7fa374

SHA256
88713621eb3b6e4f70f4f3d09d4765a99b5403ef3bc6a7187171f8145a6d22ed

SHA512
8153c0b26388525371d9d0ab0a9e9fb9b05ee4d851516f7961473ead1ce239c32272932cad0760a85430424b48b3a0ae93fba1047237b78e6a0a842b1de9f9bb

Download Submit
memory/1656-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1656-6-0x0000000003250000-0x00000000032B5000-memory.dmp

Filesize
404KB

Download
memory/2400-16-0x0000000000310000-0x0000000000375000-memory.dmp

Filesize
404KB

Download
memory/2400-13-0x0000000000310000-0x0000000000375000-memory.dmp

Filesize
404KB

Download
memory/2400-9-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2400-71-0x0000000002C40000-0x0000000002C9B000-memory.dmp

Filesize
364KB

Download
memory/2400-75-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2400-76-0x0000000002C40000-0x0000000002C9B000-memory.dmp

Filesize
364KB

Download
memory/2400-88-0x0000000002C40000-0x0000000002C9B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing