b98e26e7f20370266127bb174027ac529ed6029ce410a51e0f75ee4b0d3bb0f4

General

Target

41797794e9727e3ab0b7ecdc8a8f804d.exe
Size

4.8MB
MD5

41797794e9727e3ab0b7ecdc8a8f804d
SHA1

9a80fb84ebcc3bd1500394254cb553bd23e397d0
SHA256

b98e26e7f20370266127bb174027ac529ed6029ce410a51e0f75ee4b0d3bb0f4
SHA512

aa2c0d810b3977084d6833291715d28b515b4e4ebd6757721217b834a6194e1d620ae938e917e211394cb8209a7ad57dc91f68ff817312de30296cabf3de4972
SSDEEP

98304:PX4ouvgkswFADRHW6RET61GjbtCnkwPh69uvGDxSmtQeyXudKr3Eyazx14:vX4zFADde+1Gvte5P09uvwkpedKIya0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2792	41797794e9727e3ab0b7ecdc8a8f804d.tmp
2280	Porro.exe

Loads dropped DLL 7 IoCs

pid	Process
1244	41797794e9727e3ab0b7ecdc8a8f804d.exe
2792	41797794e9727e3ab0b7ecdc8a8f804d.tmp
2792	41797794e9727e3ab0b7ecdc8a8f804d.tmp
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Aut\is-8G481.tmp	41797794e9727e3ab0b7ecdc8a8f804d.tmp
File created	C:\Program Files (x86)\Aut\harum\is-VJQ5G.tmp	41797794e9727e3ab0b7ecdc8a8f804d.tmp
File created	C:\Program Files (x86)\Aut\iusto\is-EHCVM.tmp	41797794e9727e3ab0b7ecdc8a8f804d.tmp
File opened for modification	C:\Program Files (x86)\Aut\unins000.dat	41797794e9727e3ab0b7ecdc8a8f804d.tmp
File created	C:\Program Files (x86)\Aut\iusto\is-JLOR1.tmp	41797794e9727e3ab0b7ecdc8a8f804d.tmp
File created	C:\Program Files (x86)\Aut\quia\is-HR47P.tmp	41797794e9727e3ab0b7ecdc8a8f804d.tmp
File created	C:\Program Files (x86)\Aut\quia\is-2CIGM.tmp	41797794e9727e3ab0b7ecdc8a8f804d.tmp
File opened for modification	C:\Program Files (x86)\Aut\iusto\sqlite3.dll	41797794e9727e3ab0b7ecdc8a8f804d.tmp
File created	C:\Program Files (x86)\Aut\is-2JRAL.tmp	41797794e9727e3ab0b7ecdc8a8f804d.tmp
File created	C:\Program Files (x86)\Aut\harum\is-ERRE1.tmp	41797794e9727e3ab0b7ecdc8a8f804d.tmp
File created	C:\Program Files (x86)\Aut\harum\is-D9CCD.tmp	41797794e9727e3ab0b7ecdc8a8f804d.tmp
File created	C:\Program Files (x86)\Aut\harum\is-CJ497.tmp	41797794e9727e3ab0b7ecdc8a8f804d.tmp
File created	C:\Program Files (x86)\Aut\suscipit\is-RR37D.tmp	41797794e9727e3ab0b7ecdc8a8f804d.tmp
File created	C:\Program Files (x86)\Aut\unins000.dat	41797794e9727e3ab0b7ecdc8a8f804d.tmp
File created	C:\Program Files (x86)\Aut\iusto\is-O6E7Q.tmp	41797794e9727e3ab0b7ecdc8a8f804d.tmp
File created	C:\Program Files (x86)\Aut\quia\is-F6N15.tmp	41797794e9727e3ab0b7ecdc8a8f804d.tmp
File created	C:\Program Files (x86)\Aut\quia\is-VM51O.tmp	41797794e9727e3ab0b7ecdc8a8f804d.tmp
File created	C:\Program Files (x86)\Aut\suscipit\is-JRU6T.tmp	41797794e9727e3ab0b7ecdc8a8f804d.tmp
File opened for modification	C:\Program Files (x86)\Aut\iusto\Porro.exe	41797794e9727e3ab0b7ecdc8a8f804d.tmp
File created	C:\Program Files (x86)\Aut\iusto\is-B8HG9.tmp	41797794e9727e3ab0b7ecdc8a8f804d.tmp
File created	C:\Program Files (x86)\Aut\iusto\is-VTQ2A.tmp	41797794e9727e3ab0b7ecdc8a8f804d.tmp
File created	C:\Program Files (x86)\Aut\quia\is-NAAS9.tmp	41797794e9727e3ab0b7ecdc8a8f804d.tmp
File created	C:\Program Files (x86)\Aut\quia\is-N0TIL.tmp	41797794e9727e3ab0b7ecdc8a8f804d.tmp

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2760	2280	WerFault.exe	24

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2792	41797794e9727e3ab0b7ecdc8a8f804d.tmp
2792	41797794e9727e3ab0b7ecdc8a8f804d.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2792	41797794e9727e3ab0b7ecdc8a8f804d.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2792	1244	41797794e9727e3ab0b7ecdc8a8f804d.exe	18
PID 1244 wrote to memory of 2792	1244	41797794e9727e3ab0b7ecdc8a8f804d.exe	18
PID 1244 wrote to memory of 2792	1244	41797794e9727e3ab0b7ecdc8a8f804d.exe	18
PID 1244 wrote to memory of 2792	1244	41797794e9727e3ab0b7ecdc8a8f804d.exe	18
PID 1244 wrote to memory of 2792	1244	41797794e9727e3ab0b7ecdc8a8f804d.exe	18
PID 1244 wrote to memory of 2792	1244	41797794e9727e3ab0b7ecdc8a8f804d.exe	18
PID 1244 wrote to memory of 2792	1244	41797794e9727e3ab0b7ecdc8a8f804d.exe	18
PID 2792 wrote to memory of 2280	2792	41797794e9727e3ab0b7ecdc8a8f804d.tmp	24
PID 2792 wrote to memory of 2280	2792	41797794e9727e3ab0b7ecdc8a8f804d.tmp	24
PID 2792 wrote to memory of 2280	2792	41797794e9727e3ab0b7ecdc8a8f804d.tmp	24
PID 2792 wrote to memory of 2280	2792	41797794e9727e3ab0b7ecdc8a8f804d.tmp	24
PID 2280 wrote to memory of 2760	2280	Porro.exe	30
PID 2280 wrote to memory of 2760	2280	Porro.exe	30
PID 2280 wrote to memory of 2760	2280	Porro.exe	30
PID 2280 wrote to memory of 2760	2280	Porro.exe	30

C:\Users\Admin\AppData\Local\Temp\41797794e9727e3ab0b7ecdc8a8f804d.exe
"C:\Users\Admin\AppData\Local\Temp\41797794e9727e3ab0b7ecdc8a8f804d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\is-IAC79.tmp\41797794e9727e3ab0b7ecdc8a8f804d.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-IAC79.tmp\41797794e9727e3ab0b7ecdc8a8f804d.tmp" /SL5="$30142,4345138,721408,C:\Users\Admin\AppData\Local\Temp\41797794e9727e3ab0b7ecdc8a8f804d.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Program Files (x86)\Aut\iusto\Porro.exe
    "C:\Program Files (x86)\Aut/\iusto\Porro.exe" c804188eab29f5f1667ff06a13fe3780
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 496
      4⤵
      Loads dropped DLL
      Program crash
      PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-IAC79.tmp\41797794e9727e3ab0b7ecdc8a8f804d.tmp

Filesize
92KB

MD5
ea98a4041fd44572e2b42550878b4b97

SHA1
b193c81d784d52b2c4e7b3ed1a71d9eefab4f50f

SHA256
a2fac310df70f48069976c76816b4bb36f29f1fabf5c9c031f7666607658eabd

SHA512
e0472c18ada339b4f7f1c0f90795bb98664419c4b1b59a1ac1ac892ba626c9412ebc1d0b5bf8b1659a377446836a3aeaf854dc677c79f0f69d999b5187916bd9

Download Submit
memory/1244-2-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1244-64-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2280-57-0x0000000000400000-0x000000000170A000-memory.dmp

Filesize
19.0MB

Download
memory/2280-59-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2280-58-0x0000000000400000-0x000000000170A000-memory.dmp

Filesize
19.0MB

Download
memory/2280-66-0x0000000000400000-0x000000000170A000-memory.dmp

Filesize
19.0MB

Download
memory/2792-8-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2792-65-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/2792-70-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing