4d583fdd6786cfe15b704ee6a4bd224c320520abab0e2d19682b0b8761bc0e3e

General

Target

4d583fdd6786cfe15b704ee6a4bd224c320520abab0e2d19682b0b8761bc0e3e.exe
Size

2.7MB
MD5

a2fab352f50c8bbb04d99138e691d9c4
SHA1

0d14a03c5f0276414d5bd8bda368ec4d59d9c1b7
SHA256

4d583fdd6786cfe15b704ee6a4bd224c320520abab0e2d19682b0b8761bc0e3e
SHA512

fd160e132778ec1b399d41267d4aa7b37fc52fac732ba22fdda608bdf827239b8c967e258882b4bdab8100672b0d0ce12050c6bc02d709eb79605054f6f39b65
SSDEEP

49152:dKBz0iAely3r1kSvXRkLhyLNhH2o5dqJKgUIbU4+a5sTW11qthC9BuT8gzpNVa9i:CZAec3r1kYRGQNhH2o5dqJKgUIbU4+aa

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1848	rpuesutkpa.exe
2704	rpuesutkpa.tmp

Loads dropped DLL 6 IoCs

pid	Process
2516	cmd.exe
1848	rpuesutkpa.exe
2704	rpuesutkpa.tmp
2704	rpuesutkpa.tmp
2704	rpuesutkpa.tmp
2704	rpuesutkpa.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MYPGNotes\is-3AEB2.tmp	rpuesutkpa.tmp
File created	C:\Program Files (x86)\MYPGNotes\is-UDLN1.tmp	rpuesutkpa.tmp
File created	C:\Program Files (x86)\MYPGNotes\is-U0G2D.tmp	rpuesutkpa.tmp
File opened for modification	C:\Program Files (x86)\MYPGNotes\unins000.dat	rpuesutkpa.tmp
File opened for modification	C:\Program Files (x86)\MYPGNotes\AppleNote.exe	rpuesutkpa.tmp
File opened for modification	C:\Program Files (x86)\MYPGNotes\Qt5Concurrent.dll	rpuesutkpa.tmp
File created	C:\Program Files (x86)\MYPGNotes\unins000.dat	rpuesutkpa.tmp
File created	C:\Program Files (x86)\MYPGNotes\is-BR1JH.tmp	rpuesutkpa.tmp
File created	C:\Program Files (x86)\MYPGNotes\is-4A56T.tmp	rpuesutkpa.tmp
File created	C:\Program Files (x86)\MYPGNotes\is-RRHDE.tmp	rpuesutkpa.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d583fdd6786cfe15b704ee6a4bd224c320520abab0e2d19682b0b8761bc0e3e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rpuesutkpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rpuesutkpa.tmp

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1724	4d583fdd6786cfe15b704ee6a4bd224c320520abab0e2d19682b0b8761bc0e3e.exe
1724	4d583fdd6786cfe15b704ee6a4bd224c320520abab0e2d19682b0b8761bc0e3e.exe
2704	rpuesutkpa.tmp
2704	rpuesutkpa.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2704	rpuesutkpa.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2516	1724	4d583fdd6786cfe15b704ee6a4bd224c320520abab0e2d19682b0b8761bc0e3e.exe	30
PID 1724 wrote to memory of 2516	1724	4d583fdd6786cfe15b704ee6a4bd224c320520abab0e2d19682b0b8761bc0e3e.exe	30
PID 1724 wrote to memory of 2516	1724	4d583fdd6786cfe15b704ee6a4bd224c320520abab0e2d19682b0b8761bc0e3e.exe	30
PID 1724 wrote to memory of 2516	1724	4d583fdd6786cfe15b704ee6a4bd224c320520abab0e2d19682b0b8761bc0e3e.exe	30
PID 2516 wrote to memory of 1848	2516	cmd.exe	32
PID 2516 wrote to memory of 1848	2516	cmd.exe	32
PID 2516 wrote to memory of 1848	2516	cmd.exe	32
PID 2516 wrote to memory of 1848	2516	cmd.exe	32
PID 2516 wrote to memory of 1848	2516	cmd.exe	32
PID 2516 wrote to memory of 1848	2516	cmd.exe	32
PID 2516 wrote to memory of 1848	2516	cmd.exe	32
PID 1848 wrote to memory of 2704	1848	rpuesutkpa.exe	33
PID 1848 wrote to memory of 2704	1848	rpuesutkpa.exe	33
PID 1848 wrote to memory of 2704	1848	rpuesutkpa.exe	33
PID 1848 wrote to memory of 2704	1848	rpuesutkpa.exe	33
PID 1848 wrote to memory of 2704	1848	rpuesutkpa.exe	33
PID 1848 wrote to memory of 2704	1848	rpuesutkpa.exe	33
PID 1848 wrote to memory of 2704	1848	rpuesutkpa.exe	33

C:\Users\Admin\AppData\Local\Temp\4d583fdd6786cfe15b704ee6a4bd224c320520abab0e2d19682b0b8761bc0e3e.exe
"C:\Users\Admin\AppData\Local\Temp\4d583fdd6786cfe15b704ee6a4bd224c320520abab0e2d19682b0b8761bc0e3e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\rpuesutkpa.exe" /VERYSILENT
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\rpuesutkpa.exe
    "C:\Users\Admin\AppData\Local\Temp\rpuesutkpa.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Users\Admin\AppData\Local\Temp\is-I04LP.tmp\rpuesutkpa.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-I04LP.tmp\rpuesutkpa.tmp" /SL5="$401CA,232785,54272,C:\Users\Admin\AppData\Local\Temp\rpuesutkpa.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rpuesutkpa.exe

Filesize
526KB

MD5
9beea33ea128fd25ad509ae7ff7bcff3

SHA1
3a87a124b47d68bf8eb1d1a4f9695fb2b2a52660

SHA256
e0634bc21490c472b233aaec047438feae557f0d57ea5b78b3b48260916e2b4e

SHA512
292996177bbb804ea3f6ad51fdb74707f1a1a35d50d8ae7b082d88cbb476bae1a883133c9e1dc4cefce78bc71f8d65276e5cdaeeef03088bc54beb41269dc5b3

Download Submit
\Program Files (x86)\MYPGNotes\AppleNote.exe

Filesize
355KB

MD5
b9f2020458f930f4ca42b1476646eba4

SHA1
9c083e6c51efd1889e9d3022166f8107cd72f2b4

SHA256
3faaf4c99a96bc7d65ed14d2684856e0daf2573541d576d6f4ad4164f888553e

SHA512
034324c4c2f189212ea4002cd3ec7342d665b1cc644268a4b1af78ba7b7893cb8443ffe56909d813756a59dc237c4248467b705667e7a01e7e3912641198995f

Download Submit
\Program Files (x86)\MYPGNotes\unins000.exe

Filesize
907KB

MD5
54be4f878781796c5a7b4635b343c4ef

SHA1
16b9a435221f5f49284f56142a7bbf22c8f0c9f7

SHA256
ec61e41d7aff21b1b473530a6c86f4cafaf24ad6dc659d20283e081e472c51fd

SHA512
48bce9ea6003de2cf3bc273da3e941212f93840608cbb4c114ea0eeeb6616fde8aa448430e2daf8729893a3b4cb8d8c5dc3a6e5316c9ef6bd453ee7b6f14df08

Download Submit
\Users\Admin\AppData\Local\Temp\is-0EP1E.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-I04LP.tmp\rpuesutkpa.tmp

Filesize
900KB

MD5
f8b110dc2063d3b29502aa7042d26122

SHA1
1a0fd3db79eadc1ce714f6267d476ddbec0f5e79

SHA256
e8730b0bf8f94cbb8babbfefb32cef8e8d19ec823f28c33a7d48c78589710762

SHA512
f3125d3f575aff68105ebb3eadbce30547d34e12237d8ebbc555c6fe12bcc0a5ea85a38e26f2900d70af70ec07efde3b8cd65dc0fdada637496531245ea5052f

Download Submit
memory/1724-0-0x0000000010000000-0x0000000010297000-memory.dmp

Filesize
2.6MB

Download
memory/1848-8-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1848-10-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1848-50-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2704-19-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2704-49-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download

Analysis

Sharing