acdada170f375d782d71ba45ca4021c904d9369de3f6460d25f8e1af380e9af1

General

Target

050ed4cab9086901e2949a763af72b44.exe
Size

3.7MB
MD5

050ed4cab9086901e2949a763af72b44
SHA1

420ea54d7af4c52070a9206dbd37afe05272be7e
SHA256

acdada170f375d782d71ba45ca4021c904d9369de3f6460d25f8e1af380e9af1
SHA512

242f3e646360924085bcca557518cad0fc3939b71a0a88280188562eb4b4a3503832ce46b3bc18d3f62e496a185a2cd90c55d67bcfb3599edff86a473bebb1ec
SSDEEP

98304:PX4UCOsip5zWoW7d5OJQ8e0vDMFyWN/KQyazx14:vZ5aX81AMWBBya0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2988	050ed4cab9086901e2949a763af72b44.tmp
2840	Libero.exe

Loads dropped DLL 4 IoCs

pid	Process
2892	050ed4cab9086901e2949a763af72b44.exe
2988	050ed4cab9086901e2949a763af72b44.tmp
2988	050ed4cab9086901e2949a763af72b44.tmp
2840	Libero.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000133a9-41.dat	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Facilis\maxime\is-D7G1D.tmp	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\quae\is-TQHPF.tmp	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\ab\is-F7NPE.tmp	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\illum\is-TB31E.tmp	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\maxime\is-H591F.tmp	050ed4cab9086901e2949a763af72b44.tmp
File opened for modification	C:\Program Files (x86)\Facilis\unins000.dat	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\is-RLHA5.tmp	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\illum\is-RNNQI.tmp	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\maxime\is-R1BUD.tmp	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\maxime\is-T25RP.tmp	050ed4cab9086901e2949a763af72b44.tmp
File opened for modification	C:\Program Files (x86)\Facilis\maxime\sqlite3.dll	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\illum\is-CRMEG.tmp	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\maxime\is-CPDCJ.tmp	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\maxime\is-F75QR.tmp	050ed4cab9086901e2949a763af72b44.tmp
File opened for modification	C:\Program Files (x86)\Facilis\maxime\Libero.exe	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\unins000.dat	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\is-35U1G.tmp	050ed4cab9086901e2949a763af72b44.tmp

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2988	050ed4cab9086901e2949a763af72b44.tmp
2988	050ed4cab9086901e2949a763af72b44.tmp
2840	Libero.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2988	050ed4cab9086901e2949a763af72b44.tmp

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2988	2892	050ed4cab9086901e2949a763af72b44.exe	18
PID 2892 wrote to memory of 2988	2892	050ed4cab9086901e2949a763af72b44.exe	18
PID 2892 wrote to memory of 2988	2892	050ed4cab9086901e2949a763af72b44.exe	18
PID 2892 wrote to memory of 2988	2892	050ed4cab9086901e2949a763af72b44.exe	18
PID 2892 wrote to memory of 2988	2892	050ed4cab9086901e2949a763af72b44.exe	18
PID 2892 wrote to memory of 2988	2892	050ed4cab9086901e2949a763af72b44.exe	18
PID 2892 wrote to memory of 2988	2892	050ed4cab9086901e2949a763af72b44.exe	18
PID 2988 wrote to memory of 2840	2988	050ed4cab9086901e2949a763af72b44.tmp	25
PID 2988 wrote to memory of 2840	2988	050ed4cab9086901e2949a763af72b44.tmp	25
PID 2988 wrote to memory of 2840	2988	050ed4cab9086901e2949a763af72b44.tmp	25
PID 2988 wrote to memory of 2840	2988	050ed4cab9086901e2949a763af72b44.tmp	25

C:\Users\Admin\AppData\Local\Temp\050ed4cab9086901e2949a763af72b44.exe
"C:\Users\Admin\AppData\Local\Temp\050ed4cab9086901e2949a763af72b44.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\is-63LUP.tmp\050ed4cab9086901e2949a763af72b44.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-63LUP.tmp\050ed4cab9086901e2949a763af72b44.tmp" /SL5="$40016,3221685,721408,C:\Users\Admin\AppData\Local\Temp\050ed4cab9086901e2949a763af72b44.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Program Files (x86)\Facilis\maxime\Libero.exe
    "C:\Program Files (x86)\Facilis/\maxime\Libero.exe" bc93afcf73c0c6cf2f0f1146193a73ae
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-63LUP.tmp\050ed4cab9086901e2949a763af72b44.tmp

Filesize
382KB

MD5
87a3b02d203d1c69ef3b4f9a50f848ce

SHA1
a621ca18c711e03f4c8f1deb06d7aa07c1b3d1c0

SHA256
1aad33314da6b332f3c71df86d61216bf5cb4331c53b4894ef6d48059bf4effe

SHA512
6c777ad8be8fb29d7a0813442b0b7b6d99fc9f1c14a592535f4208d0b0d49866d54801bdc47a81190875c142b4e35252453a141c30ccd0bf8bd72b764350f5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-63LUP.tmp\050ed4cab9086901e2949a763af72b44.tmp

Filesize
889KB

MD5
7670dd738f7c6b6546ff4617e1f576af

SHA1
705d0a42220cef73774d8ddb40ba78a0e769cfe1

SHA256
c81f867b90c842ae87676ac3a1e81803fe6f199d53235e538f6e45de1995fe1e

SHA512
e5bfbb9398e89c655eb7d597281c94142aaf4055dc8c0cfccbc6f6dcd17273a0dc17d2caf886a92b104e3d27cbe811819c102eef0a6fced0b8032a2d3a5498c0

Download Submit
\Program Files (x86)\Facilis\maxime\Libero.exe

Filesize
92KB

MD5
0efb9c0f438caa82ab9943bce310be6d

SHA1
fc26ab92156891bdbf5def860ab4775ec2ccc2cd

SHA256
1a938d69fce8d8cfd680072fcf011e7531ed0483a42613b935ad46fa2e2757aa

SHA512
aedd9745fa3d60449a773276c49f0e15a0987581ab08e854f79de8a4cef625751ac6b23b8250eb78fdb32d535c3547400f41d5b5313470270b7a41c78b4297cf

Download Submit
\Users\Admin\AppData\Local\Temp\is-63LUP.tmp\050ed4cab9086901e2949a763af72b44.tmp

Filesize
887KB

MD5
31f8614bca6ec546a1fca2d0f742988d

SHA1
bef4ce8d59eeac9b8139f31f19871f9893631f60

SHA256
3397c88fc8874f6cfb63446db72c414291d9f963cd143e19ff19c3a4125a07a3

SHA512
c7516232aa10088c638235af7b5cf65f9a977372a7b1e11e2104448d67ecb92cb0fb866d95b88eb7816a61f71b037a22e532e00955fcc3ee701d900ebe5358e5

Download Submit
\Users\Admin\AppData\Local\Temp\is-CP6H5.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/2840-47-0x0000000000400000-0x000000000149F000-memory.dmp

Filesize
16.6MB

Download
memory/2840-49-0x00000000015B0000-0x00000000015B1000-memory.dmp

Filesize
4KB

Download
memory/2840-48-0x0000000000400000-0x000000000149F000-memory.dmp

Filesize
16.6MB

Download
memory/2840-53-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/2840-52-0x0000000000400000-0x000000000149F000-memory.dmp

Filesize
16.6MB

Download
memory/2840-56-0x0000000000400000-0x000000000149F000-memory.dmp

Filesize
16.6MB

Download
memory/2840-89-0x0000000000400000-0x000000000149F000-memory.dmp

Filesize
16.6MB

Download
memory/2892-1-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2892-50-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2988-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2988-51-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/2988-58-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing