a259ff8565749be84eb91c94fc1aff4804decc196e4f257f627b2ce58a10c9e0

General

Target

setup.exe
Size

557KB
MD5

ff2e819fc3b2b15a53aae37f5f50de12
SHA1

03387bdb2d873b06c4cea0017cc514e21df804a1
SHA256

197b5c9f1c34886c5ba3856fa17ad6a50ce2e89b822a5485a317494f14fdbbdf
SHA512

45befbd0c1b8c2f5ec75b74be45ed8df557a64685db1fd2668156082d69ff0b02200315c56cd1024417ba7cb9ebbc60d163d391dcb24e32212189339e9b0d45c
SSDEEP

12288:/bsZtHriY7bmbOOv9BRxoMGbnV1o0Kj3ASGaH4W2dJf/s2ul:QjLXbmjVlotbw0Kj3avf/sLl

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2808	is-IL2U5.tmp

Loads dropped DLL 5 IoCs

pid	Process
2664	setup.exe
2808	is-IL2U5.tmp
2808	is-IL2U5.tmp
2808	is-IL2U5.tmp
2808	is-IL2U5.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PDF Image Extract Software\unins000.dat	is-IL2U5.tmp
File created	C:\Program Files (x86)\PDF Image Extract Software\is-LKH4B.tmp	is-IL2U5.tmp
File created	C:\Program Files (x86)\PDF Image Extract Software\is-8L863.tmp	is-IL2U5.tmp
File created	C:\Program Files (x86)\PDF Image Extract Software\is-5JPP3.tmp	is-IL2U5.tmp
File created	C:\Program Files (x86)\PDF Image Extract Software\is-O5HBD.tmp	is-IL2U5.tmp
File created	C:\Program Files (x86)\PDF Image Extract Software\is-4MD75.tmp	is-IL2U5.tmp
File created	C:\Program Files (x86)\PDF Image Extract Software\is-SBUJ9.tmp	is-IL2U5.tmp
File opened for modification	C:\Program Files (x86)\PDF Image Extract Software\unins000.dat	is-IL2U5.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-IL2U5.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2808	is-IL2U5.tmp
Token: SeBackupPrivilege	2808	is-IL2U5.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2808	2664	setup.exe	30
PID 2664 wrote to memory of 2808	2664	setup.exe	30
PID 2664 wrote to memory of 2808	2664	setup.exe	30
PID 2664 wrote to memory of 2808	2664	setup.exe	30
PID 2664 wrote to memory of 2808	2664	setup.exe	30
PID 2664 wrote to memory of 2808	2664	setup.exe	30
PID 2664 wrote to memory of 2808	2664	setup.exe	30

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\is-P9BQO.tmp\is-IL2U5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-P9BQO.tmp\is-IL2U5.tmp" /SL4 $4010A C:\Users\Admin\AppData\Local\Temp\setup.exe 347082 51200
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\PDF Image Extract Software\PDF Image Extract Software.exe

Filesize
96KB

MD5
9bb21dce09f5cf688adbe140866af93e

SHA1
fbab81d114d5bda4f922bfedbae04e46e7ad1c91

SHA256
37ba9a21d3427d34ca084e78316fb18836b8349652f260a47fecacfb33bc80a9

SHA512
9f6c2760cf9de7cf5f8f0d8fd31e5d053b935238dc94431d14544ea45b2f9d2a96d93d45635aa2633b966ed91fca094c30799cdf26705eb9e15788e791faa894

Download Submit
\Users\Admin\AppData\Local\Temp\is-8O4EK.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-P9BQO.tmp\is-IL2U5.tmp

Filesize
615KB

MD5
667555fc8d80c030ed5de256404df5c5

SHA1
44a4ea8240378905cf40527b0bd9da7ffb22416f

SHA256
74ef33e3b3298d8ca7166c2b07a490a74c5a9a26b08b9478a524096208d5600a

SHA512
88aee726e41cf4e2635deaea68a374a8eda14e82bc65babb566ec60a93fcea823bde67f9d47e69af946b3d1c8c9fb2ea9003fe83b5c401384c64977dfebcc998

Download Submit
memory/2664-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2664-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2664-14-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2664-45-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2808-15-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2808-17-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2808-19-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2808-44-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download

Analysis

Sharing