acdada170f375d782d71ba45ca4021c904d9369de3f6460d25f8e1af380e9af1

General

Target

050ed4cab9086901e2949a763af72b44.exe
Size

3.7MB
MD5

050ed4cab9086901e2949a763af72b44
SHA1

420ea54d7af4c52070a9206dbd37afe05272be7e
SHA256

acdada170f375d782d71ba45ca4021c904d9369de3f6460d25f8e1af380e9af1
SHA512

242f3e646360924085bcca557518cad0fc3939b71a0a88280188562eb4b4a3503832ce46b3bc18d3f62e496a185a2cd90c55d67bcfb3599edff86a473bebb1ec
SSDEEP

98304:PX4UCOsip5zWoW7d5OJQ8e0vDMFyWN/KQyazx14:vZ5aX81AMWBBya0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3244	050ed4cab9086901e2949a763af72b44.tmp
5076	Libero.exe

Loads dropped DLL 2 IoCs

pid	Process
3244	050ed4cab9086901e2949a763af72b44.tmp
5076	Libero.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002323c-40.dat	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Facilis\ab\is-ERHJR.tmp	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\illum\is-5V4PD.tmp	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\maxime\is-BCD3G.tmp	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\maxime\is-RCFNV.tmp	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\unins000.dat	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\is-M1MCC.tmp	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\illum\is-G53ME.tmp	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\maxime\is-AME22.tmp	050ed4cab9086901e2949a763af72b44.tmp
File opened for modification	C:\Program Files (x86)\Facilis\unins000.dat	050ed4cab9086901e2949a763af72b44.tmp
File opened for modification	C:\Program Files (x86)\Facilis\maxime\Libero.exe	050ed4cab9086901e2949a763af72b44.tmp
File opened for modification	C:\Program Files (x86)\Facilis\maxime\sqlite3.dll	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\maxime\is-ITA0H.tmp	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\maxime\is-1DMMK.tmp	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\is-UL48B.tmp	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\illum\is-8G1DQ.tmp	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\maxime\is-F0CT8.tmp	050ed4cab9086901e2949a763af72b44.tmp
File created	C:\Program Files (x86)\Facilis\quae\is-V1LNN.tmp	050ed4cab9086901e2949a763af72b44.tmp

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5664	5076	WerFault.exe	31

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3244	050ed4cab9086901e2949a763af72b44.tmp
3244	050ed4cab9086901e2949a763af72b44.tmp
5076	Libero.exe
5076	Libero.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3244	050ed4cab9086901e2949a763af72b44.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 3244	5008	050ed4cab9086901e2949a763af72b44.exe	18
PID 5008 wrote to memory of 3244	5008	050ed4cab9086901e2949a763af72b44.exe	18
PID 5008 wrote to memory of 3244	5008	050ed4cab9086901e2949a763af72b44.exe	18
PID 3244 wrote to memory of 5076	3244	050ed4cab9086901e2949a763af72b44.tmp	31
PID 3244 wrote to memory of 5076	3244	050ed4cab9086901e2949a763af72b44.tmp	31
PID 3244 wrote to memory of 5076	3244	050ed4cab9086901e2949a763af72b44.tmp	31

C:\Users\Admin\AppData\Local\Temp\050ed4cab9086901e2949a763af72b44.exe
"C:\Users\Admin\AppData\Local\Temp\050ed4cab9086901e2949a763af72b44.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Users\Admin\AppData\Local\Temp\is-00SEK.tmp\050ed4cab9086901e2949a763af72b44.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-00SEK.tmp\050ed4cab9086901e2949a763af72b44.tmp" /SL5="$E0040,3221685,721408,C:\Users\Admin\AppData\Local\Temp\050ed4cab9086901e2949a763af72b44.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Program Files (x86)\Facilis\maxime\Libero.exe
    "C:\Program Files (x86)\Facilis/\maxime\Libero.exe" bc93afcf73c0c6cf2f0f1146193a73ae
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:5076
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 860
      4⤵
      Program crash
      PID:5664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5076 -ip 5076
1⤵
PID:6052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Facilis\maxime\Libero.exe

Filesize
381KB

MD5
eee96630e0477c553056a3c2c01ef6eb

SHA1
b4e0efe39ec2d232b48d254e685e806ff1f1fa3c

SHA256
90a5cc23c8f19bc702d20d9eaa908ae9efbf0ae9038eac04100922859d5ab772

SHA512
e9a5afcf78a6bd13651dcf570f8751710e49cbaa6370622ba4c63676ba9cd70655b176981a45883ef1de61b7fbd33b645490089a01a2926ab994a3e70a7c11cd

Download Submit
C:\Program Files (x86)\Facilis\maxime\sqlite3.dll

Filesize
381KB

MD5
fd8b0b35a57a9fb904dc35235e0a2b51

SHA1
b0276264641c6cc6186d4e4cf934b36aba01a5c8

SHA256
7cea74cc89330e9071107a857fc407c7efe30e6fd24e1fc05f1a8ed02c65f588

SHA512
e4692b6f375ff1098670f15c69e6a65f310b82751300da14146a87fd471c82e83e2036a7a2666a551cefc64c37fb1edaf14789b2b9bb9c78f28cf1c38806d6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-00SEK.tmp\050ed4cab9086901e2949a763af72b44.tmp

Filesize
93KB

MD5
636dac01e993b7933bd563bd8d2215e2

SHA1
2510b6336bd5bf2e1eef681133d82bf25733418a

SHA256
12a176f9601f23c1523f8193cd93e84033585d76708f2c3d9379ca7954a7685c

SHA512
2e943c783ca737cda38b608025be63d8ee21e7cef9ae37ffab8124a4669b572f5056bdc9e13a3d85fe45a1443283b52d3acf46f4682f8cd267b304244aa1a483

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MHM36.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/3244-47-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/3244-54-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/3244-6-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/5008-46-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/5008-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/5008-2-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/5076-45-0x00000000045C0000-0x00000000045C1000-memory.dmp

Filesize
4KB

Download
memory/5076-44-0x0000000000400000-0x000000000149F000-memory.dmp

Filesize
16.6MB

Download
memory/5076-43-0x0000000000400000-0x000000000149F000-memory.dmp

Filesize
16.6MB

Download
memory/5076-49-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/5076-48-0x0000000000400000-0x000000000149F000-memory.dmp

Filesize
16.6MB

Download
memory/5076-57-0x0000000000400000-0x000000000149F000-memory.dmp

Filesize
16.6MB

Download
memory/5076-61-0x0000000000400000-0x000000000149F000-memory.dmp

Filesize
16.6MB

Download

Analysis

Sharing