3e64dd75ba3f7f79bf4b94c3d04bc0caeee986f684227def5e7f4d23641ca369

General

Target

APOS_Trainer484.exe
Size

33.0MB
MD5

ca75e711bc5877cf6e2b797851641049
SHA1

76e413e19300f18874fa4997907ec3626c15f8c8
SHA256

3e64dd75ba3f7f79bf4b94c3d04bc0caeee986f684227def5e7f4d23641ca369
SHA512

d944350619686e0f17a7060c4d4c9a1519c8d6c9d777d0715f016c4c073e16fae70206ab851c5a74fdc1d797b060f3b56ee7662c0238614504ef2c121e3855e4
SSDEEP

786432:oW6rtcsHVdhZ9iiREk8whhy9l9hBQomCmnGGCUJb3TCacUW50:oWOtVHrhZ0CEkvyr7BQOsJ3CGWe

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
2356	APOS_Trainer484.exe
2356	APOS_Trainer484.exe
2356	APOS_Trainer484.exe
2356	APOS_Trainer484.exe
2356	APOS_Trainer484.exe
2356	APOS_Trainer484.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setEB2D.tmp	APOS_Trainer484.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ispEB2C.tmp\temp.000	APOS_Trainer484.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ispEC19.tmp\temp.000	APOS_Trainer484.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKe95.tmp	APOS_Trainer484.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKe95.tmp	APOS_Trainer484.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	APOS_Trainer484.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	APOS_Trainer484.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2356	2320	APOS_Trainer484.exe	31
PID 2320 wrote to memory of 2356	2320	APOS_Trainer484.exe	31
PID 2320 wrote to memory of 2356	2320	APOS_Trainer484.exe	31
PID 2320 wrote to memory of 2356	2320	APOS_Trainer484.exe	31
PID 2320 wrote to memory of 2356	2320	APOS_Trainer484.exe	31
PID 2320 wrote to memory of 2356	2320	APOS_Trainer484.exe	31
PID 2320 wrote to memory of 2356	2320	APOS_Trainer484.exe	31

C:\Users\Admin\AppData\Local\Temp\APOS_Trainer484.exe
"C:\Users\Admin\AppData\Local\Temp\APOS_Trainer484.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\APOS_Trainer484.exe
  C:\Users\Admin\AppData\Local\Temp\APOS_Trainer484.exe -deleter
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ispEC19.tmp\IGdi.dll

Filesize
196KB

MD5
0b6da8c55767737445e2c2063ce1dfbe

SHA1
a578bf3f7b48ec35f711c7c3440ba5082293195f

SHA256
eff99ecd79a1995e7ccccb94a8debfe4a5bf4e08c4a82a22b3366a8b22d110e1

SHA512
496242257290dc50b3b021d91c4ce5164320acacf36b028cf71c9ce5e958bc6bb891591c902f749e66e83044979ba416fd9ba19194403cb8617a378a063b2b75

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll

Filesize
324KB

MD5
02c379d028f8e5d6409f613b7b5c17fd

SHA1
bba7aa60292c31fddb606ed3240aa473f3769150

SHA256
47b4e860b81058cff4d52de76764ec801d0a26549214d80356d05fcbeaa3cc60

SHA512
a2bf75219beee1ae855ea8b5687cb5f6bde630d884198e74e09a2dc23f057a46dedf77e540f0a660274f28dae5b6bb0d792459ac75249b6b81485cef11720010

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISPackFiles.ini

Filesize
889B

MD5
88a19c4ea5677e749402e911ee8af305

SHA1
89b651d75e38c1233491938cd10085b404e82ac5

SHA256
8dd862894113935fab731e9c6146e174a936eb01a467f5ed4c450e2e5b64e180

SHA512
623ecfc988aa07c674d4d2e1efad908e3ec6753c85bfaafa677da8d67535dc8250265be1be9f07d6c740340ffaf416b19ffa144a38f8415afc48dee5fd472ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_isdelet.ini

Filesize
155B

MD5
2cce88e8bcd0f76e0ec833561f3fc076

SHA1
b05e0b51899193fc5af626698c269b4b06ced68a

SHA256
11fd3c84aa3cd93d2fc88d4df0819ae87636dd3e0a7946f4e74749c935a9a57d

SHA512
9e2866a7c805e521623eeda2a24e00ba5ae1c9aa001d7ec593cb1325ac56f556fa974afaa679fddef0db9f8bd14aacd1966df0945b2c747533da248adf565316

Download Submit
C:\Users\Admin\AppData\Local\Temp\byeE994.tmp\Disk1\setup.ibt

Filesize
373KB

MD5
7a64aa80d101f1ab55f7c3242a14eeb8

SHA1
9fd6c957fd3c1a26d2e531329286c56a47356205

SHA256
9e60c5239d7adcba3f4c1b83be97dcd19906abe09d8d1a05715dfb66f1d7fac7

SHA512
c382c1f5c7712e51370cb21269e068f1f39b597835e5b89211fbbdcd8a2a3f0e68593b551c1c444740f8793778a7fa1660f0b5028a9b785c9c399d4ecd04e41e

Download Submit
C:\Users\Admin\AppData\Local\Temp\issE9C4.tmp\setup.ini

Filesize
488B

MD5
2c9eeb417e6c2e237fba5b18115ebd0f

SHA1
7933688853034c4133296c139496ba179422792c

SHA256
85b82f610dbe47b9391aee1b596ca9c9eff9154b797543963f9a0e8f65e39bc3

SHA512
cd11dbe9f8cb8d4c3d8ef30b3ee9114a34b1ca09bb977e1cac20ca17bcbe4c32f40ca14c38ba679e28eaf8677a749d5633968b6863d5e83709eaa3506c2cbffd

Download Submit
\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKe95.tmp

Filesize
740KB

MD5
1c42f686d6f68db9f2f29188f64ad750

SHA1
31b4a5444b6ed032d33c51bae20b839c97d11e10

SHA256
e59d7041586709d8e1f32ef62231e20bfaf246f68b277c32e3232bab3f239f33

SHA512
4d0d4b8134f2c7c56223760c58ec2bdb33f0a45eb6e36477a8bc8bf98ae3cb6e5a64c499c4db366fe2dec4dc9cf33c7062e92be86923a8b290c05b8058671974

Download Submit
\Users\Admin\AppData\Local\Temp\ispEC18.tmp\_Setup.dll

Filesize
144KB

MD5
1f558e51dc12eb5159144ceea298fc4e

SHA1
d77deb439f7d12b0bd69f8c27916a260276dd45d

SHA256
3f6a7508859d0c3f462252f26e27b2d36282c7fddbc637bdb75fe9406afc6be7

SHA512
2d05f5dfad5ea64834ef38e7c4584decbb1c0ac1a53d253d7b249104e08ef1391cbb6ba85a1925a8a78c30392518633880e2ee16bf0d67b031d23295b620bcb6

Download Submit

Analysis

Sharing