8433fe414ef00a0c1eabb4c12a9274f736715ecb0f73bcc28d7ead059f5f0bc4

General

Target

Install.exe
Size

381KB
MD5

58c203a58312c6121c932e9a59079064
SHA1

f57f41180fbe8e5dffafef79ea88f707c5cb748a
SHA256

3555826df75751600d127b343a3214a0f9b4c211b1fdcdf9ccceb1dda6be5f27
SHA512

e141e9da04e6ba43d639c729d83fd9773bda1c51759dda84f59f27a017a5809e47e4ddaa5a2c8be92ef81ca58fabe06faeca37252a7b4ab64d18679fc5e8e406
SSDEEP

6144:x/QiQXCjoL8+Ee0CYDTAsdRnhOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7f:pQi3joL8+iDNdRhlL//plmW9bTXeVhD4

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Install.tmp

pid process

1884 Install.tmp
Loads dropped DLL 5 IoCs

Processes:

Install.exeInstall.tmp

pid process

1204 Install.exe
1884 Install.tmp
1884 Install.tmp
1884 Install.tmp
1884 Install.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ipinfo.io
4 ipinfo.io

pid	process
1884	Install.tmp

pid	process
1204	Install.exe
1884	Install.tmp
1884	Install.tmp
1884	Install.tmp
1884	Install.tmp

flow	ioc
2	ipinfo.io
4	ipinfo.io

Drops file in Program Files directory 3 IoCs

Processes:

Install.tmp

description	ioc	process
File created	C:\Program Files (x86)\AskFinder\unins000.dat	Install.tmp
File created	C:\Program Files (x86)\AskFinder\is-7E0QN.tmp	Install.tmp
File opened for modification	C:\Program Files (x86)\AskFinder\unins000.dat	Install.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Install.exeInstall.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.tmp

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Install.tmp

pid process

1884 Install.tmp
1884 Install.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Install.tmp

pid process

1884 Install.tmp

pid	process
1884	Install.tmp
1884	Install.tmp

pid	process
1884	Install.tmp

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Install.exe

description	pid	process	target process
PID 1204 wrote to memory of 1884	1204	Install.exe	Install.tmp
PID 1204 wrote to memory of 1884	1204	Install.exe	Install.tmp
PID 1204 wrote to memory of 1884	1204	Install.exe	Install.tmp
PID 1204 wrote to memory of 1884	1204	Install.exe	Install.tmp
PID 1204 wrote to memory of 1884	1204	Install.exe	Install.tmp
PID 1204 wrote to memory of 1884	1204	Install.exe	Install.tmp
PID 1204 wrote to memory of 1884	1204	Install.exe	Install.tmp

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\is-UNBGR.tmp\Install.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-UNBGR.tmp\Install.tmp" /SL5="$400E0,138429,56832,C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\AskFinder\unins000.exe

Filesize
705KB

MD5
e838042d7af3186550417a8dd588a2e1

SHA1
785b7da17fec27400eebc6336973c36fc7ac5305

SHA256
a73d9825393fce8026e6e1eecbe95706a76f305b37fead6263f614d0559dfb2a

SHA512
8a5075f4a8b6c1b9e230ba2550321bbec272cbf6a26f5f7c8c1d3b4bcaa8e44b1ce21eacfefcee95cd377544bfbe5bae93ff7d63d4d2333a5f5af7e885c6c263

Download Submit
\Users\Admin\AppData\Local\Temp\is-F204V.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-F204V.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-UNBGR.tmp\Install.tmp

Filesize
694KB

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
memory/1204-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1204-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1204-45-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1204-24-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1884-23-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1884-21-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1884-20-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1884-22-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1884-19-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1884-25-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1884-26-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1884-29-0x00000000008A0000-0x00000000008DC000-memory.dmp

Filesize
240KB

Download
memory/1884-17-0x00000000008A0000-0x00000000008DC000-memory.dmp

Filesize
240KB

Download
memory/1884-39-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1884-44-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1884-14-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads