9240885fe680d2213cd80e26a75ef9f10973a5663d16d18298ca0a31b076ffd1

General

Target

08c45624cc3df519da2007debc50b600N.exe
Size

1.5MB
MD5

08c45624cc3df519da2007debc50b600
SHA1

1bb5d8e26a8da3b74dc54694105cf7959fb0f7ba
SHA256

9240885fe680d2213cd80e26a75ef9f10973a5663d16d18298ca0a31b076ffd1
SHA512

3ee2c4dc4198e51b95610250faf96179815da3a70dc4774116f5a49b637804aadaad99f8480190bc5de11297f73577540b8892a03c0754b48228de36585c0182
SSDEEP

24576:ZFx6viSMhZDx1QnjKu+YY648YW7nzZrA7YZW0lPVluibaO8tX6Ro8VmsXaYT1V2U:ZzZDxqnRH483wYZW0ldlxVSIXVmsKh

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2684	adysajparh.exe
2164	adysajparh.tmp

Loads dropped DLL 6 IoCs

pid	Process
2788	cmd.exe
2684	adysajparh.exe
2164	adysajparh.tmp
2164	adysajparh.tmp
2164	adysajparh.tmp
2164	adysajparh.tmp

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2648-0-0x0000000000C70000-0x0000000000EFE000-memory.dmp	upx
behavioral1/memory/2648-7-0x0000000000C70000-0x0000000000EFE000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WIFIInspector\unins000.dat	adysajparh.tmp
File created	C:\Program Files (x86)\WIFIInspector\is-21SPQ.tmp	adysajparh.tmp
File created	C:\Program Files (x86)\WIFIInspector\is-9KM90.tmp	adysajparh.tmp
File opened for modification	C:\Program Files (x86)\WIFIInspector\EGL.dll	adysajparh.tmp
File opened for modification	C:\Program Files (x86)\WIFIInspector\WIFIInspector.exe	adysajparh.tmp
File created	C:\Program Files (x86)\WIFIInspector\is-TL18U.tmp	adysajparh.tmp
File created	C:\Program Files (x86)\WIFIInspector\is-7QCBI.tmp	adysajparh.tmp
File created	C:\Program Files (x86)\WIFIInspector\is-AIVME.tmp	adysajparh.tmp
File created	C:\Program Files (x86)\WIFIInspector\is-HV485.tmp	adysajparh.tmp
File opened for modification	C:\Program Files (x86)\WIFIInspector\unins000.dat	adysajparh.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adysajparh.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08c45624cc3df519da2007debc50b600N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adysajparh.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2648	08c45624cc3df519da2007debc50b600N.exe
2648	08c45624cc3df519da2007debc50b600N.exe
2164	adysajparh.tmp
2164	adysajparh.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2164	adysajparh.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2788	2648	08c45624cc3df519da2007debc50b600N.exe	30
PID 2648 wrote to memory of 2788	2648	08c45624cc3df519da2007debc50b600N.exe	30
PID 2648 wrote to memory of 2788	2648	08c45624cc3df519da2007debc50b600N.exe	30
PID 2648 wrote to memory of 2788	2648	08c45624cc3df519da2007debc50b600N.exe	30
PID 2788 wrote to memory of 2684	2788	cmd.exe	32
PID 2788 wrote to memory of 2684	2788	cmd.exe	32
PID 2788 wrote to memory of 2684	2788	cmd.exe	32
PID 2788 wrote to memory of 2684	2788	cmd.exe	32
PID 2788 wrote to memory of 2684	2788	cmd.exe	32
PID 2788 wrote to memory of 2684	2788	cmd.exe	32
PID 2788 wrote to memory of 2684	2788	cmd.exe	32
PID 2684 wrote to memory of 2164	2684	adysajparh.exe	33
PID 2684 wrote to memory of 2164	2684	adysajparh.exe	33
PID 2684 wrote to memory of 2164	2684	adysajparh.exe	33
PID 2684 wrote to memory of 2164	2684	adysajparh.exe	33
PID 2684 wrote to memory of 2164	2684	adysajparh.exe	33
PID 2684 wrote to memory of 2164	2684	adysajparh.exe	33
PID 2684 wrote to memory of 2164	2684	adysajparh.exe	33

C:\Users\Admin\AppData\Local\Temp\08c45624cc3df519da2007debc50b600N.exe
"C:\Users\Admin\AppData\Local\Temp\08c45624cc3df519da2007debc50b600N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\adysajparh.exe" /VERYSILENT
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\adysajparh.exe
    "C:\Users\Admin\AppData\Local\Temp\adysajparh.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\is-5HKD6.tmp\adysajparh.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-5HKD6.tmp\adysajparh.tmp" /SL5="$401C6,90766,54272,C:\Users\Admin\AppData\Local\Temp\adysajparh.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adysajparh.exe

Filesize
387KB

MD5
8f49472ed2ec6b48b3e17200e35a6cc2

SHA1
2cd6519d99614e7f6450d4e24fc9b5796dd78233

SHA256
7b9c5ed5f1c101fd42c207025ce61311bb8c6c49037a574a66352c3c21f7ba0d

SHA512
3fdda6ca38b83edc7bc77f3d6f63ae953b33ee38b870a5dbab72da2867767211352cb5d15076c073b9b8546b3844b3b180876537f78f2385d0160b3091bb57f9

Download Submit
\Program Files (x86)\WIFIInspector\WIFIInspector.exe

Filesize
120KB

MD5
2c696683de59829065ae122599fc1fd2

SHA1
54927573be3ac1a4cf3fe6e9b33e6f67b304593c

SHA256
04fa3531613072eca2091bcd81a4e71b6a73ef212734a3a5ad6e4942b2bb8c5a

SHA512
0008550d6e14bb9887b087ff673e7298ba42976b7d4edbaa5ae43f6e0762c3f646f7a64b6a124a293a07a6e9ff34526763cf09bd7f078c18caebd237d2a923df

Download Submit
\Program Files (x86)\WIFIInspector\unins000.exe

Filesize
907KB

MD5
d42e7c4ae7bfdb34e658e0c81df2401b

SHA1
624bcd5304f65e386d053a45f747f5ceae273d1a

SHA256
f0be063625e0eb3011de5ee7ced1feb7a3054f7583828e3cec1ea6a9f9412849

SHA512
860e4e2d2cf4de739dc472e57db6464253255d05d54e393776cf668b76849ba258681dffb9957fe32df50203fd8abd8b2569260d0ab1bf41ce95446ee432c784

Download Submit
\Users\Admin\AppData\Local\Temp\is-3U4KQ.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-5HKD6.tmp\adysajparh.tmp

Filesize
900KB

MD5
f8b110dc2063d3b29502aa7042d26122

SHA1
1a0fd3db79eadc1ce714f6267d476ddbec0f5e79

SHA256
e8730b0bf8f94cbb8babbfefb32cef8e8d19ec823f28c33a7d48c78589710762

SHA512
f3125d3f575aff68105ebb3eadbce30547d34e12237d8ebbc555c6fe12bcc0a5ea85a38e26f2900d70af70ec07efde3b8cd65dc0fdada637496531245ea5052f

Download Submit
memory/2164-22-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2164-53-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2648-7-0x0000000000C70000-0x0000000000EFE000-memory.dmp

Filesize
2.6MB

Download
memory/2648-1-0x0000000010000000-0x0000000010274000-memory.dmp

Filesize
2.5MB

Download
memory/2648-0-0x0000000000C70000-0x0000000000EFE000-memory.dmp

Filesize
2.6MB

Download
memory/2684-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2684-13-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2684-54-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing