b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20

General

Target

b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.exe
Size

1.7MB
MD5

74e0b51784cbfb8e6dceaa6a5832ea50
SHA1

7f42b811bf293c4bce9e9903bfe3133e75f503f3
SHA256

b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20
SHA512

8c2151af85519c2f877dbc22ef475d979ce0cfc2feaacc46a17a6fd56dd5508169389800f4978a78d8bbbc2c43b30f3b93e62da9bb481b5936efb503f9ea4c45
SSDEEP

24576:u7FUDowAyrTVE3U5FQrVigPvdWV2oIbfyKU8L3nnf9q8Io9b86OISVJ2ei15vy:uBuZrEUqPvAfMfFf9JI8tTSaemVy

Score

6^/10

discovery

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\AVAST Software\Avast	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\AVG\AV\Dir	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
716	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
716	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
716	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
716	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
716	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
716	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
716	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
716	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
716	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
716	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
716	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
716	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
716	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
716	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
716	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
716	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
716	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
716	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
716	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
716	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
716	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
716	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
716	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
716	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 716	3544	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.exe	83
PID 3544 wrote to memory of 716	3544	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.exe	83
PID 3544 wrote to memory of 716	3544	b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.exe	83

C:\Users\Admin\AppData\Local\Temp\b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.exe
"C:\Users\Admin\AppData\Local\Temp\b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Users\Admin\AppData\Local\Temp\is-EHMMH.tmp\b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-EHMMH.tmp\b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp" /SL5="$50222,869225,844288,C:\Users\Admin\AppData\Local\Temp\b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Software Discovery

1

T1518

Security Software Discovery

1

T1518.001

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-EHMMH.tmp\b56821652dc06bcbc96f123c67840d83abb7b33696be713560b21fefc4258d20N.tmp

Filesize
3.0MB

MD5
25d6c5db882dcd22205ce0c0b0198845

SHA1
e63768015bad4ed2c2affb13b0cb9a94a195a5cb

SHA256
6be5f2712e2db7eaabac6c0f60b9cc0a1fa298de01ffe71de31a5a231f74a66c

SHA512
2cd5a96e0506fee688e0fa14a20ff0f592022214bc1363b14869366aecebfdbe8930964eef0168febe5edff7ff04ec042a53b5b3fcdde76e0e95aa90b2899dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S8CJP.tmp\AVG_AV.png

Filesize
70KB

MD5
b582d76d71da0734a777fc8376fd0150

SHA1
687de4b5b0844bd720619b39c65f9078ae72e7cf

SHA256
1ce2b90c05299026d66af72b8d1fbf4c2abdbcbbd03959b8f05986a48f9034c6

SHA512
0d9e2680bcf159446704c82c514320f76af962281dd5e5738c6e56b93c900a43bf2fc5cd5792977ae7bee5ca904774ecd0ff95dab7470901997af4fb6a666053

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S8CJP.tmp\Opera_new.png

Filesize
65KB

MD5
ca01cd3778c987f64633d8af840ccccb

SHA1
85ecea538314c4c09ce79ce554a32331d83bb4f1

SHA256
3c1235a59c023bad329532d2c559350b40536ef859c00fb36425f76f348e82ab

SHA512
ddb561140f22c874b35849553314e034fc4a0b792486fca09f46cba947d0438cea73f84a1775f035d0c344a9a2745a9e10f610375da4948256ee249999b21cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S8CJP.tmp\WebAdvisor.png

Filesize
47KB

MD5
4cfff8dc30d353cd3d215fd3a5dbac24

SHA1
0f4f73f0dddc75f3506e026ef53c45c6fafbc87e

SHA256
0c430e56d69435d8ab31cbb5916a73a47d11ef65b37d289ee7d11130adf25856

SHA512
9d616f19c2496be6e89b855c41befc0235e3ce949d2b2ae7719c823f10be7fe0809bddfd93e28735b36271083dd802ae349b3ab7b60179b269d4a18c6cef4139

Download Submit
memory/716-18-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/716-28-0x00000000075F0000-0x0000000007730000-memory.dmp

Filesize
1.2MB

Download
memory/716-19-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/716-42-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/716-23-0x00000000075F0000-0x0000000007730000-memory.dmp

Filesize
1.2MB

Download
memory/716-24-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/716-6-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/716-40-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/716-29-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/716-31-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/716-37-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/716-35-0x00000000075F0000-0x0000000007730000-memory.dmp

Filesize
1.2MB

Download
memory/716-36-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/3544-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3544-0-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3544-17-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing