bd20ddd34d178d08736818991be6d5d8e4d62d81180d1d293ffafb1418bf2781

General

Target

Software-update-patc_579570356.exe
Size

4.7MB
MD5

c027026e244f74549a49e1f98216719c
SHA1

9e9b4459e9225a432eef8f97b9193707dd7247b5
SHA256

bd20ddd34d178d08736818991be6d5d8e4d62d81180d1d293ffafb1418bf2781
SHA512

68953341f9dc46daae4e738bd4418bca5edb22035958ddba46de86cf6e44c8731f49f52763f3addc6e4d5a6cfcb48ee5b1345a2727ba7983b07a9322ae2713d7

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Software-update-patc_579570356.tmpVoluptatem.exe

pid process

1704 Software-update-patc_579570356.tmp
304 Voluptatem.exe

pid	process
1704	Software-update-patc_579570356.tmp
304	Voluptatem.exe

Loads dropped DLL 5 IoCs

Processes:

Software-update-patc_579570356.exeSoftware-update-patc_579570356.tmp

pid	process
108	Software-update-patc_579570356.exe
1704	Software-update-patc_579570356.tmp
1704	Software-update-patc_579570356.tmp
1704	Software-update-patc_579570356.tmp
1704	Software-update-patc_579570356.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 20 IoCs

Processes:

Software-update-patc_579570356.tmp

description	ioc	process
File created	C:\Program Files (x86)\Autem\is-MAT5C.tmp	Software-update-patc_579570356.tmp
File created	C:\Program Files (x86)\Autem\is-49ML6.tmp	Software-update-patc_579570356.tmp
File created	C:\Program Files (x86)\Autem\is-04PSS.tmp	Software-update-patc_579570356.tmp
File created	C:\Program Files (x86)\Autem\eaque\is-QAOCV.tmp	Software-update-patc_579570356.tmp
File created	C:\Program Files (x86)\Autem\eaque\is-1AER1.tmp	Software-update-patc_579570356.tmp
File created	C:\Program Files (x86)\Autem\rerum\is-TK71K.tmp	Software-update-patc_579570356.tmp
File opened for modification	C:\Program Files (x86)\Autem\unins000.dat	Software-update-patc_579570356.tmp
File created	C:\Program Files (x86)\Autem\is-0SC2K.tmp	Software-update-patc_579570356.tmp
File created	C:\Program Files (x86)\Autem\rerum\is-5STBK.tmp	Software-update-patc_579570356.tmp
File opened for modification	C:\Program Files (x86)\Autem\rerum\Voluptatem.exe	Software-update-patc_579570356.tmp
File created	C:\Program Files (x86)\Autem\is-8T86K.tmp	Software-update-patc_579570356.tmp
File created	C:\Program Files (x86)\Autem\is-2GGNK.tmp	Software-update-patc_579570356.tmp
File created	C:\Program Files (x86)\Autem\eaque\is-D1IUU.tmp	Software-update-patc_579570356.tmp
File created	C:\Program Files (x86)\Autem\rerum\is-JLTOB.tmp	Software-update-patc_579570356.tmp
File created	C:\Program Files (x86)\Autem\unins000.dat	Software-update-patc_579570356.tmp
File created	C:\Program Files (x86)\Autem\is-TU2OA.tmp	Software-update-patc_579570356.tmp
File created	C:\Program Files (x86)\Autem\eaque\is-NRAJQ.tmp	Software-update-patc_579570356.tmp
File created	C:\Program Files (x86)\Autem\eaque\is-ETUIL.tmp	Software-update-patc_579570356.tmp
File created	C:\Program Files (x86)\Autem\rerum\is-LAFNB.tmp	Software-update-patc_579570356.tmp
File created	C:\Program Files (x86)\Autem\rerum\is-GRBF4.tmp	Software-update-patc_579570356.tmp

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Software-update-patc_579570356.tmpVoluptatem.exe

pid process

1704 Software-update-patc_579570356.tmp
1704 Software-update-patc_579570356.tmp
304 Voluptatem.exe
304 Voluptatem.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Software-update-patc_579570356.tmp

pid process

1704 Software-update-patc_579570356.tmp

pid	process
1704	Software-update-patc_579570356.tmp
1704	Software-update-patc_579570356.tmp
304	Voluptatem.exe
304	Voluptatem.exe

pid	process
1704	Software-update-patc_579570356.tmp

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Software-update-patc_579570356.exeSoftware-update-patc_579570356.tmp

description	pid	process	target process
PID 108 wrote to memory of 1704	108	Software-update-patc_579570356.exe	Software-update-patc_579570356.tmp
PID 108 wrote to memory of 1704	108	Software-update-patc_579570356.exe	Software-update-patc_579570356.tmp
PID 108 wrote to memory of 1704	108	Software-update-patc_579570356.exe	Software-update-patc_579570356.tmp
PID 108 wrote to memory of 1704	108	Software-update-patc_579570356.exe	Software-update-patc_579570356.tmp
PID 108 wrote to memory of 1704	108	Software-update-patc_579570356.exe	Software-update-patc_579570356.tmp
PID 108 wrote to memory of 1704	108	Software-update-patc_579570356.exe	Software-update-patc_579570356.tmp
PID 108 wrote to memory of 1704	108	Software-update-patc_579570356.exe	Software-update-patc_579570356.tmp
PID 1704 wrote to memory of 304	1704	Software-update-patc_579570356.tmp	Voluptatem.exe
PID 1704 wrote to memory of 304	1704	Software-update-patc_579570356.tmp	Voluptatem.exe
PID 1704 wrote to memory of 304	1704	Software-update-patc_579570356.tmp	Voluptatem.exe
PID 1704 wrote to memory of 304	1704	Software-update-patc_579570356.tmp	Voluptatem.exe

C:\Users\Admin\AppData\Local\Temp\Software-update-patc_579570356.exe
"C:\Users\Admin\AppData\Local\Temp\Software-update-patc_579570356.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:108

C:\Users\Admin\AppData\Local\Temp\is-C2PN7.tmp\Software-update-patc_579570356.tmp
"C:\Users\Admin\AppData\Local\Temp\is-C2PN7.tmp\Software-update-patc_579570356.tmp" /SL5="$4010A,4499537,466944,C:\Users\Admin\AppData\Local\Temp\Software-update-patc_579570356.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1704

C:\Program Files (x86)\Autem\rerum\Voluptatem.exe
"C:\Program Files (x86)\Autem/\rerum\Voluptatem.exe" b0ad3d01dc1c01fd7e87a06144c12f59
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Autem\rerum\Voluptatem.exe
MD5
0c56ac590273d1feb7c0564c809915a5

SHA1
2a17747673000c17634113e634e4166152a88688

SHA256
850f46f685e44dcbafd8a61fa5881b0f4471cf3441342b3fe8c0a2559ec4c15e

SHA512
95a86884d2950687064ddb348184133e26c56c617297ee992daefa05ff7f1cf8e544208048462ac173d66ed5eb291fd6d860d324721a1441d76a11a62df8ebc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C2PN7.tmp\Software-update-patc_579570356.tmp
MD5
4caf2ca22417bb2cd44c0d0daf5fdd8b

SHA1
bdb2b86d9c033785c9b1db5618986030b2852ffd

SHA256
a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4

SHA512
ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C2PN7.tmp\Software-update-patc_579570356.tmp
MD5
4caf2ca22417bb2cd44c0d0daf5fdd8b

SHA1
bdb2b86d9c033785c9b1db5618986030b2852ffd

SHA256
a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4

SHA512
ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da

Download Submit
\Program Files (x86)\Autem\rerum\Voluptatem.exe
MD5
0c56ac590273d1feb7c0564c809915a5

SHA1
2a17747673000c17634113e634e4166152a88688

SHA256
850f46f685e44dcbafd8a61fa5881b0f4471cf3441342b3fe8c0a2559ec4c15e

SHA512
95a86884d2950687064ddb348184133e26c56c617297ee992daefa05ff7f1cf8e544208048462ac173d66ed5eb291fd6d860d324721a1441d76a11a62df8ebc4

Download Submit
\Users\Admin\AppData\Local\Temp\is-07T5B.tmp\_isetup\_iscrypt.dll
MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-07T5B.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-07T5B.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-C2PN7.tmp\Software-update-patc_579570356.tmp
MD5
4caf2ca22417bb2cd44c0d0daf5fdd8b

SHA1
bdb2b86d9c033785c9b1db5618986030b2852ffd

SHA256
a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4

SHA512
ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da

Download Submit
memory/108-64-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/108-54-0x0000000076291000-0x0000000076293000-memory.dmp

Filesize
8KB

Download
memory/304-69-0x0000000000000000-mapping.dmp

Download
memory/304-71-0x0000000000400000-0x0000000001860000-memory.dmp

Filesize
20.4MB

Download
memory/304-73-0x0000000000400000-0x0000000001860000-memory.dmp

Filesize
20.4MB

Download
memory/304-74-0x00000000018D0000-0x00000000018D1000-memory.dmp

Filesize
4KB

Download
memory/1704-66-0x0000000074651000-0x0000000074653000-memory.dmp

Filesize
8KB

Download
memory/1704-65-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1704-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads