0291aeb2d4f73bfa69ef1bbd9d7b6763bfbcfb441f7925ce5942e0375d3399fa

General

Target

145917cdae271c6485a5c2a3b7638b0d.exe
Size

4.8MB
MD5

145917cdae271c6485a5c2a3b7638b0d
SHA1

c092c7d6fb98cbae6f7399bad96e2b0390ebf615
SHA256

0291aeb2d4f73bfa69ef1bbd9d7b6763bfbcfb441f7925ce5942e0375d3399fa
SHA512

839a0fb8c7c209072b73ea317621ae240a9d3a181a050b0ac2bd339c2e6a1a7468cc28b5a289df69f37bfb15d8beb742840afa4d768d72b4de6c61d6e8fb4d2e
SSDEEP

98304:PX4tLbkrIMp58YXSV6jt8gWi3LfMxVHjpyazx14:vocMM8sJ8gWEExrya0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4740	145917cdae271c6485a5c2a3b7638b0d.tmp
1784	Et.exe

Loads dropped DLL 1 IoCs

pid	Process
4740	145917cdae271c6485a5c2a3b7638b0d.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Culpa\veritatis\is-8SGQG.tmp	145917cdae271c6485a5c2a3b7638b0d.tmp
File created	C:\Program Files (x86)\Culpa\veritatis\is-087CK.tmp	145917cdae271c6485a5c2a3b7638b0d.tmp
File created	C:\Program Files (x86)\Culpa\is-6DC6N.tmp	145917cdae271c6485a5c2a3b7638b0d.tmp
File created	C:\Program Files (x86)\Culpa\aut\is-BP21F.tmp	145917cdae271c6485a5c2a3b7638b0d.tmp
File created	C:\Program Files (x86)\Culpa\aut\is-4RGR3.tmp	145917cdae271c6485a5c2a3b7638b0d.tmp
File created	C:\Program Files (x86)\Culpa\et\is-JUVE4.tmp	145917cdae271c6485a5c2a3b7638b0d.tmp
File opened for modification	C:\Program Files (x86)\Culpa\unins000.dat	145917cdae271c6485a5c2a3b7638b0d.tmp
File created	C:\Program Files (x86)\Culpa\et\is-KD65J.tmp	145917cdae271c6485a5c2a3b7638b0d.tmp
File created	C:\Program Files (x86)\Culpa\sit\is-4JE5C.tmp	145917cdae271c6485a5c2a3b7638b0d.tmp
File opened for modification	C:\Program Files (x86)\Culpa\et\sqlite3.dll	145917cdae271c6485a5c2a3b7638b0d.tmp
File created	C:\Program Files (x86)\Culpa\is-66TN0.tmp	145917cdae271c6485a5c2a3b7638b0d.tmp
File created	C:\Program Files (x86)\Culpa\et\is-DOER3.tmp	145917cdae271c6485a5c2a3b7638b0d.tmp
File created	C:\Program Files (x86)\Culpa\sit\is-16CA3.tmp	145917cdae271c6485a5c2a3b7638b0d.tmp
File created	C:\Program Files (x86)\Culpa\sit\is-4CTC3.tmp	145917cdae271c6485a5c2a3b7638b0d.tmp
File created	C:\Program Files (x86)\Culpa\sit\is-7HFI4.tmp	145917cdae271c6485a5c2a3b7638b0d.tmp
File created	C:\Program Files (x86)\Culpa\veritatis\is-4PHGG.tmp	145917cdae271c6485a5c2a3b7638b0d.tmp
File created	C:\Program Files (x86)\Culpa\unins000.dat	145917cdae271c6485a5c2a3b7638b0d.tmp
File created	C:\Program Files (x86)\Culpa\is-KMKGK.tmp	145917cdae271c6485a5c2a3b7638b0d.tmp
File created	C:\Program Files (x86)\Culpa\sit\is-L8JG2.tmp	145917cdae271c6485a5c2a3b7638b0d.tmp
File created	C:\Program Files (x86)\Culpa\sit\is-ODD2M.tmp	145917cdae271c6485a5c2a3b7638b0d.tmp
File created	C:\Program Files (x86)\Culpa\et\is-I29BU.tmp	145917cdae271c6485a5c2a3b7638b0d.tmp
File created	C:\Program Files (x86)\Culpa\veritatis\is-0JAI5.tmp	145917cdae271c6485a5c2a3b7638b0d.tmp
File created	C:\Program Files (x86)\Culpa\et\is-97UQB.tmp	145917cdae271c6485a5c2a3b7638b0d.tmp
File opened for modification	C:\Program Files (x86)\Culpa\et\Et.exe	145917cdae271c6485a5c2a3b7638b0d.tmp
File created	C:\Program Files (x86)\Culpa\is-O31O0.tmp	145917cdae271c6485a5c2a3b7638b0d.tmp
File created	C:\Program Files (x86)\Culpa\aut\is-KJCF7.tmp	145917cdae271c6485a5c2a3b7638b0d.tmp
File created	C:\Program Files (x86)\Culpa\et\is-1CHIC.tmp	145917cdae271c6485a5c2a3b7638b0d.tmp

Program crash 1 IoCs

pid	pid_target	Process	procid_target
808	1784	WerFault.exe	37

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4740	145917cdae271c6485a5c2a3b7638b0d.tmp
4740	145917cdae271c6485a5c2a3b7638b0d.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4740	145917cdae271c6485a5c2a3b7638b0d.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 4740	2168	145917cdae271c6485a5c2a3b7638b0d.exe	24
PID 2168 wrote to memory of 4740	2168	145917cdae271c6485a5c2a3b7638b0d.exe	24
PID 2168 wrote to memory of 4740	2168	145917cdae271c6485a5c2a3b7638b0d.exe	24
PID 4740 wrote to memory of 1784	4740	145917cdae271c6485a5c2a3b7638b0d.tmp	37
PID 4740 wrote to memory of 1784	4740	145917cdae271c6485a5c2a3b7638b0d.tmp	37
PID 4740 wrote to memory of 1784	4740	145917cdae271c6485a5c2a3b7638b0d.tmp	37

C:\Users\Admin\AppData\Local\Temp\145917cdae271c6485a5c2a3b7638b0d.exe
"C:\Users\Admin\AppData\Local\Temp\145917cdae271c6485a5c2a3b7638b0d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\is-SPQL5.tmp\145917cdae271c6485a5c2a3b7638b0d.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-SPQL5.tmp\145917cdae271c6485a5c2a3b7638b0d.tmp" /SL5="$90058,4386546,721408,C:\Users\Admin\AppData\Local\Temp\145917cdae271c6485a5c2a3b7638b0d.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Program Files (x86)\Culpa\et\Et.exe
    "C:\Program Files (x86)\Culpa/\et\Et.exe" 084ee52947bb4e189d3cd934e85d6163
    3⤵
    - Executes dropped EXE
    PID:1784
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 872
      4⤵
      Program crash
      PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1784 -ip 1784
1⤵
PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Culpa\et\Et.exe

Filesize
1KB

MD5
bd942fe4c38494d654313fd4a1a23fea

SHA1
a7fb50d28c3164acc4eb074493c81a4cbbbbdc98

SHA256
6b8bbe4ffc899d2c164f4c857eeb65e44e99754d2f8ff1c0cf6def39585e9522

SHA512
f09401f7e2dcd546b1aed66fbe7933a89f8ebfdda21dee5941278cd7115365545752305f9fe24ebf0782f61c68dac34aa5f6aeffd683a0ce1d4e64dd45a8c03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C76IN.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SPQL5.tmp\145917cdae271c6485a5c2a3b7638b0d.tmp

Filesize
48KB

MD5
e9d08131d21ea9afb7b1af118f1ebed5

SHA1
7bfbada194b5b901c8936b37516c913aa046e69c

SHA256
b9782c49f82d3988a8b2f1d6d41b82a0b65b3d4307ddb922a579801d966f8b6c

SHA512
7ae875dd5755f7ef67a3175d11b7839967e22122a18310f34ddfd8e352551f5c18195908767124c665a93a79b46ca94d2315aa04be0e9231fbb2890fea90794a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SPQL5.tmp\145917cdae271c6485a5c2a3b7638b0d.tmp

Filesize
8KB

MD5
1a545768624baf19a8ec7942cabf6581

SHA1
52de295f9046408b5dae18779e05d7462a0f1125

SHA256
aa77b4a40377f44a08c268c35c3b2b8e9d3f9184d24fdff1e9745a45a5e3ee2d

SHA512
2ae5a8dff0b9fcd16812a11ef204c96b24198ccc2673f8d973397a325f19ca285c75238f65369bad602354f8955e7605278fbf557ad0a7d7fc30ffb8a741af8f

Download Submit
memory/1784-63-0x0000000000400000-0x0000000001729000-memory.dmp

Filesize
19.2MB

Download
memory/1784-62-0x0000000000400000-0x0000000001729000-memory.dmp

Filesize
19.2MB

Download
memory/1784-61-0x0000000000400000-0x0000000001729000-memory.dmp

Filesize
19.2MB

Download
memory/1784-64-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/1784-65-0x0000000000400000-0x0000000001729000-memory.dmp

Filesize
19.2MB

Download
memory/2168-2-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2168-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2168-67-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4740-6-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/4740-66-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing