8433fe414ef00a0c1eabb4c12a9274f736715ecb0f73bcc28d7ead059f5f0bc4

General

Target

Install.exe
Size

381KB
MD5

58c203a58312c6121c932e9a59079064
SHA1

f57f41180fbe8e5dffafef79ea88f707c5cb748a
SHA256

3555826df75751600d127b343a3214a0f9b4c211b1fdcdf9ccceb1dda6be5f27
SHA512

e141e9da04e6ba43d639c729d83fd9773bda1c51759dda84f59f27a017a5809e47e4ddaa5a2c8be92ef81ca58fabe06faeca37252a7b4ab64d18679fc5e8e406
SSDEEP

6144:x/QiQXCjoL8+Ee0CYDTAsdRnhOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7f:pQi3joL8+iDNdRhlL//plmW9bTXeVhD4

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5012	Install.tmp

Loads dropped DLL 2 IoCs

pid	Process
5012	Install.tmp
5012	Install.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io
7	ipinfo.io

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\AskFinder\unins000.dat	Install.tmp
File created	C:\Program Files (x86)\AskFinder\unins000.dat	Install.tmp
File created	C:\Program Files (x86)\AskFinder\is-H6T0V.tmp	Install.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.tmp

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	21	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5012	Install.tmp
5012	Install.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5012	Install.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 5012	4120	Install.exe	84
PID 4120 wrote to memory of 5012	4120	Install.exe	84
PID 4120 wrote to memory of 5012	4120	Install.exe	84

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Users\Admin\AppData\Local\Temp\is-T7AGM.tmp\Install.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-T7AGM.tmp\Install.tmp" /SL5="$50238,138429,56832,C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-Q0AVT.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T7AGM.tmp\Install.tmp

Filesize
694KB

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
memory/4120-23-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4120-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4120-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4120-43-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5012-17-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/5012-18-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/5012-20-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/5012-19-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/5012-21-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/5012-22-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/5012-6-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/5012-25-0x0000000003A80000-0x0000000003ABC000-memory.dmp

Filesize
240KB

Download
memory/5012-27-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/5012-37-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/5012-42-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/5012-15-0x0000000003A80000-0x0000000003ABC000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing