Analysis
max time kernel: 28s
max time network: 64s
platform: windows7_x64
resource: win7-en-20210920
submitted: 26-10-2021 15:33
Static task: static1
Behavioral task: behavioral1
  Sample: Software updated by Dylox.exe
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: Software updated by Dylox.exe
  Resource: win10-en-20210920
Behavioral task: behavioral3
  Sample: Software-update-patc_828811790.exe
  Resource: win7-en-20210920
Behavioral task: behavioral4
  Sample: Software-update-patc_828811790.exe
  Resource: win10-en-20211014
Behavioral task: behavioral5
  Sample: open this if the doesn't work.exe
  Resource: win7-en-20210920
Behavioral task: behavioral6
  Sample: open this if the doesn't work.exe
  Resource: win10-en-20211014
General
Target: Software-update-patc_828811790.exe
Size: 3.6MB
MD5: 6e9eb03a3eb0f09e4080d9c8ab1912d4
SHA1: f9c72350b8daa26d9305588ed6012d0282db70a8
SHA256: cc87d298ec17242a0cdb49c08067af27b51b97ac386c7955c04799e9d8770049
SHA512: d3d2df27be23aa68646753da2bff49bb4328fa7fefb8d5bcce80ea795b89bd16af12d409953ee374ea4240423598f6777de98f5030e60b9d64e55f0a43a7b8e1
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes (pid, process):
  1512  Software-update-patc_828811790.tmp
  752   Assumenda.exe
Loads dropped DLL (5 IoCs)
Processes (pid, process):
  1200  Software-update-patc_828811790.exe
  1512  Software-update-patc_828811790.tmp
  1512  Software-update-patc_828811790.tmp
  1512  Software-update-patc_828811790.tmp
  1512  Software-update-patc_828811790.tmp
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (14 IoCs)
Processes (description, ioc, process):
  File opened for modification  C:\Program Files (x86)\Accusantium\tempore\Assumenda.exe  Software-update-patc_828811790.tmp
  File created  C:\Program Files (x86)\Accusantium\is-ITTQN.tmp  Software-update-patc_828811790.tmp
  File created  C:\Program Files (x86)\Accusantium\maiores\is-QCOHA.tmp  Software-update-patc_828811790.tmp
  File created  C:\Program Files (x86)\Accusantium\tempore\is-4145P.tmp  Software-update-patc_828811790.tmp
  File created  C:\Program Files (x86)\Accusantium\is-BRK8R.tmp  Software-update-patc_828811790.tmp
  File created  C:\Program Files (x86)\Accusantium\tempore\is-E3S7A.tmp  Software-update-patc_828811790.tmp
  File opened for modification  C:\Program Files (x86)\Accusantium\unins000.dat  Software-update-patc_828811790.tmp
  File created  C:\Program Files (x86)\Accusantium\unins000.dat  Software-update-patc_828811790.tmp
  File created  C:\Program Files (x86)\Accusantium\is-DDTNI.tmp  Software-update-patc_828811790.tmp
  File created  C:\Program Files (x86)\Accusantium\is-D1SSN.tmp  Software-update-patc_828811790.tmp
  File created  C:\Program Files (x86)\Accusantium\itaque\is-TSUA7.tmp  Software-update-patc_828811790.tmp
  File created  C:\Program Files (x86)\Accusantium\maiores\is-0IBM0.tmp  Software-update-patc_828811790.tmp
  File created  C:\Program Files (x86)\Accusantium\tempore\is-R83JM.tmp  Software-update-patc_828811790.tmp
  File created  C:\Program Files (x86)\Accusantium\is-4F461.tmp  Software-update-patc_828811790.tmp
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid, process):
  1512  Software-update-patc_828811790.tmp
  1512  Software-update-patc_828811790.tmp
  752   Assumenda.exe
  752   Assumenda.exe
  752   Assumenda.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes (pid, process):
  1512  Software-update-patc_828811790.tmp
Suspicious use of WriteProcessMemory (11 IoCs)
Processes (description, pid, process, target process):
  PID 1200 wrote to memory of 1512  Software-update-patc_828811790.exe -> Software-update-patc_828811790.tmp
  PID 1200 wrote to memory of 1512  Software-update-patc_828811790.exe -> Software-update-patc_828811790.tmp
  PID 1200 wrote to memory of 1512  Software-update-patc_828811790.exe -> Software-update-patc_828811790.tmp
  PID 1200 wrote to memory of 1512  Software-update-patc_828811790.exe -> Software-update-patc_828811790.tmp
  PID 1200 wrote to memory of 1512  Software-update-patc_828811790.exe -> Software-update-patc_828811790.tmp
  PID 1200 wrote to memory of 1512  Software-update-patc_828811790.exe -> Software-update-patc_828811790.tmp
  PID 1200 wrote to memory of 1512  Software-update-patc_828811790.exe -> Software-update-patc_828811790.tmp
  PID 1512 wrote to memory of 752   Software-update-patc_828811790.tmp -> Assumenda.exe
  PID 1512 wrote to memory of 752   Software-update-patc_828811790.tmp -> Assumenda.exe
  PID 1512 wrote to memory of 752   Software-update-patc_828811790.tmp -> Assumenda.exe
  PID 1512 wrote to memory of 752   Software-update-patc_828811790.tmp -> Assumenda.exe
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\Software-update-patc_828811790.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Software-update-patc_828811790.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Local\Temp\is-TG015.tmp\Software-update-patc_828811790.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-TG015.tmp\Software-update-patc_828811790.tmp" /SL5="$40118,3377883,240640,C:\Users\Admin\AppData\Local\Temp\Software-update-patc_828811790.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Program Files (x86)\Accusantium\tempore\Assumenda.exe
      Command line: "C:\Program Files (x86)\Accusantium/\tempore\Assumenda.exe" d3b0aed80a2fbfbbd35503deae29785f
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Program Files (x86)\Accusantium\tempore\Assumenda.exe
  MD5: cf8c93518bc76bd27b8d1ecb082be2f1
  SHA1: 873c20fd50df777775884b5e428ac77770faa342
  SHA256: 431cee50177d918a68251b7816bfcddac8d3f94a8d0ac129b7d1bb2698b61cd6
  SHA512: bdaeb5e49ec341eb191842752aecb98569ab8f28711ce27a84902876501e0c16eabde1cb0952d2d4461756c7f6aba9031e08676b8ed95af4a3f41a4ff0fc1f38
C:\Users\Admin\AppData\Local\Temp\is-TG015.tmp\Software-update-patc_828811790.tmp
  MD5: 0f1c4126626a086cae867c2df9a56040
  SHA1: 31f024a4013976458502ec45739eac11a1d0595d
  SHA256: 34fe3e23223976b89c48ae03587dd077e70bb9a65e501894924b6173b557fff6
  SHA512: eef50dfd3854815086d561b92dbcfba7fcd6b6e4a8f96f495419b0adc608e22cbd7d57b788b3034e340e5f3fd39de09404f77b52d748562fce67b0e251d09cdf
\Users\Admin\AppData\Local\Temp\is-MFD4P.tmp\_isetup\_iscrypt.dll
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
\Users\Admin\AppData\Local\Temp\is-MFD4P.tmp\_isetup\_shfoldr.dll
  MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
  SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
  SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
  SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
memory/752-68-0x0000000000000000-mapping.dmp
memory/752-71-0x0000000000400000-0x00000000016D8000-memory.dmp  Filesize: 18.8MB
memory/752-72-0x0000000000400000-0x00000000016D8000-memory.dmp  Filesize: 18.8MB
memory/752-73-0x0000000002FD0000-0x0000000002FD1000-memory.dmp  Filesize: 4KB
memory/1200-63-0x0000000000400000-0x0000000000445000-memory.dmp  Filesize: 276KB
memory/1200-53-0x00000000751A1000-0x00000000751A3000-memory.dmp  Filesize: 8KB
memory/1512-65-0x0000000074351000-0x0000000074353000-memory.dmp  Filesize: 8KB
memory/1512-64-0x00000000003D0000-0x00000000003D1000-memory.dmp  Filesize: 4KB
memory/1512-57-0x0000000000000000-mapping.dmp