645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a

General

Target

saleforce_offline_installer.exe
Size

8.9MB
MD5

aa1ec7571a7e45ee718fd35136abb2cc
SHA1

354b52630cd08560aefe7b78efe5e0c0e9cc12a5
SHA256

645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a
SHA512

c00bce637b1d2f5e28d34da816b0d0d3f1d81cc9fe59c953514b65c70c0e3f8b79c9677d4b928447b14829f884e8524b7966df5fd9d6d18bb87e580026e909c7
SSDEEP

196608:9hjidJFvglcIAtzyRxJugLjygdnyYQ8X+uPOStz73vK:9QdJ1glxAFyRFjycnJnPt73vK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2100	saleforce_offline_installer.tmp

Loads dropped DLL 2 IoCs

pid	Process
1780	saleforce_offline_installer.exe
2100	saleforce_offline_installer.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\salesforce.com\is-A6M27.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\3rd Party\is-2GHO1.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\common\is-65SSQ.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\common\is-83M8M.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\Offline2\res\is-QD895.tmp	saleforce_offline_installer.tmp
File opened for modification	C:\Program Files (x86)\salesforce.com\unins000.dat	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\unins000.dat	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\common\is-228FA.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\Offline2\bin\is-G4P3L.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\Offline2\conf\is-JPFJT.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\common\is-7UC8P.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\common\is-I1VQ5.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\OfficeToolkit\3.0\is-2DUDM.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\Offline2\bin\is-PQEMO.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\Offline2\res\is-DKOLM.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\3rd Party\is-RBE19.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\common\is-URJ19.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\Offline2\bin\is-D5JGD.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\Offline2\res\is-RCSFT.tmp	saleforce_offline_installer.tmp

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2628	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saleforce_offline_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saleforce_offline_installer.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2628	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2628	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2100	saleforce_offline_installer.tmp

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2100	1780	saleforce_offline_installer.exe	30
PID 1780 wrote to memory of 2100	1780	saleforce_offline_installer.exe	30
PID 1780 wrote to memory of 2100	1780	saleforce_offline_installer.exe	30
PID 1780 wrote to memory of 2100	1780	saleforce_offline_installer.exe	30
PID 1780 wrote to memory of 2100	1780	saleforce_offline_installer.exe	30
PID 1780 wrote to memory of 2100	1780	saleforce_offline_installer.exe	30
PID 1780 wrote to memory of 2100	1780	saleforce_offline_installer.exe	30
PID 2100 wrote to memory of 2628	2100	saleforce_offline_installer.tmp	32
PID 2100 wrote to memory of 2628	2100	saleforce_offline_installer.tmp	32
PID 2100 wrote to memory of 2628	2100	saleforce_offline_installer.tmp	32
PID 2100 wrote to memory of 2628	2100	saleforce_offline_installer.tmp	32

C:\Users\Admin\AppData\Local\Temp\saleforce_offline_installer.exe
"C:\Users\Admin\AppData\Local\Temp\saleforce_offline_installer.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\is-FAKNF.tmp\saleforce_offline_installer.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-FAKNF.tmp\saleforce_offline_installer.tmp" /SL5="$30144,1997786,793600,C:\Users\Admin\AppData\Local\Temp\saleforce_offline_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\is-EMNAG.tmp\Content.ps1"
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-EMNAG.tmp\Content.ps1

Filesize
7.7MB

MD5
e9b8abe35cac28d8b49782c5c8eceac9

SHA1
b01460a1d72b4cf02460a4756431f0c048e44b52

SHA256
efd04c82dd0838cf7cb22ac8081bc0dafcf8bc34e778795a7ca608a9ab02148b

SHA512
8ed1be382d9e4d624e524640739aa67ae7aa4c14c52f30a87d88b82c30bdf580560f1736e009583318b056a719f8040bc9774d9342e9eebc9798e811c8733b6c

Download Submit
\Program Files (x86)\salesforce.com\Offline2\bin\Offline 2 Runtime.exe

Filesize
789KB

MD5
49ac8d0f65073360c7ba56e9f732f8e7

SHA1
25d9db2b04652e88227aea3e15f849a1161c97d2

SHA256
a2e649a1338792bd100034ff8566391c327167be4377518ba92c757fd2619c62

SHA512
99a0fc5ba7b2567f998e470e4e3f358f3f46080bff088745f528bc2f822d9a3f031f560864e0ade5eb826864ad35824653669e6f9608f75ca190932e1843a649

Download Submit
\Users\Admin\AppData\Local\Temp\is-FAKNF.tmp\saleforce_offline_installer.tmp

Filesize
3.3MB

MD5
1fe979e33257ace3388bc7e809e24379

SHA1
b3971ba1930fa75335d82c72e19939bbbad8a342

SHA256
7b7aaf4dd5e9bb0a3e18a1d948e5283953122da43ea6a42244d3550ffffac3a0

SHA512
7533a960dfb56977955ac2d0521ef5ba8642ec0e6f1a3e18c0e19c75498a113bbd2f4dc97b56250d98aac53cc27176b912afc8435bf0792e91007e913a993135

Download Submit
memory/1780-0-0x0000000000250000-0x0000000000320000-memory.dmp

Filesize
832KB

Download
memory/1780-2-0x0000000000251000-0x00000000002F9000-memory.dmp

Filesize
672KB

Download
memory/1780-10-0x0000000000250000-0x0000000000320000-memory.dmp

Filesize
832KB

Download
memory/1780-63-0x0000000000250000-0x0000000000320000-memory.dmp

Filesize
832KB

Download
memory/2100-8-0x00000000000B0000-0x0000000000407000-memory.dmp

Filesize
3.3MB

Download
memory/2100-12-0x00000000000B0000-0x0000000000407000-memory.dmp

Filesize
3.3MB

Download
memory/2100-14-0x00000000000B0000-0x0000000000407000-memory.dmp

Filesize
3.3MB

Download
memory/2100-16-0x00000000000B0000-0x0000000000407000-memory.dmp

Filesize
3.3MB

Download
memory/2100-62-0x00000000000B0000-0x0000000000407000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing