d1417e0d3d1ba7bc2f09ab3978eeea63dab99458665eb22801e974f2cf478685

General

Target

138587f78f2991ec368f7d0d2b9d5dce.exe
Size

4.7MB
MD5

138587f78f2991ec368f7d0d2b9d5dce
SHA1

8d129927a7882c26713979b1f66fc316602c0dbd
SHA256

d1417e0d3d1ba7bc2f09ab3978eeea63dab99458665eb22801e974f2cf478685
SHA512

451b077bebff82fbd432e1c35bd58765b546f6fad57f8fdba03024a1a9008db78f68da236aba01054b28cad64da444c5544228b24c4cd2d77405e06a2592ee68
SSDEEP

98304:PX4rycBuMbfJFGrp6r2kTfwWGc/NYEEYmNJyazx14:vdCbxFGN6XTwWGc2dJya0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2792	138587f78f2991ec368f7d0d2b9d5dce.tmp
2668	Mollitia.exe

Loads dropped DLL 10 IoCs

pid	Process
2436	138587f78f2991ec368f7d0d2b9d5dce.exe
2792	138587f78f2991ec368f7d0d2b9d5dce.tmp
2792	138587f78f2991ec368f7d0d2b9d5dce.tmp
2464	WerFault.exe
2464	WerFault.exe
2464	WerFault.exe
2464	WerFault.exe
2464	WerFault.exe
2464	WerFault.exe
2464	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Placeat\ullam\is-P9UKE.tmp	138587f78f2991ec368f7d0d2b9d5dce.tmp
File created	C:\Program Files (x86)\Placeat\ullam\is-3E4IM.tmp	138587f78f2991ec368f7d0d2b9d5dce.tmp
File opened for modification	C:\Program Files (x86)\Placeat\ullam\Mollitia.exe	138587f78f2991ec368f7d0d2b9d5dce.tmp
File created	C:\Program Files (x86)\Placeat\is-0GRE5.tmp	138587f78f2991ec368f7d0d2b9d5dce.tmp
File created	C:\Program Files (x86)\Placeat\is-4HRC8.tmp	138587f78f2991ec368f7d0d2b9d5dce.tmp
File created	C:\Program Files (x86)\Placeat\is-H2O0T.tmp	138587f78f2991ec368f7d0d2b9d5dce.tmp
File created	C:\Program Files (x86)\Placeat\ullam\is-JF9KT.tmp	138587f78f2991ec368f7d0d2b9d5dce.tmp
File created	C:\Program Files (x86)\Placeat\ullam\is-OP76J.tmp	138587f78f2991ec368f7d0d2b9d5dce.tmp
File created	C:\Program Files (x86)\Placeat\ullam\is-M2GFD.tmp	138587f78f2991ec368f7d0d2b9d5dce.tmp
File created	C:\Program Files (x86)\Placeat\ullam\is-8L860.tmp	138587f78f2991ec368f7d0d2b9d5dce.tmp
File created	C:\Program Files (x86)\Placeat\unins000.dat	138587f78f2991ec368f7d0d2b9d5dce.tmp
File created	C:\Program Files (x86)\Placeat\is-96R0D.tmp	138587f78f2991ec368f7d0d2b9d5dce.tmp
File opened for modification	C:\Program Files (x86)\Placeat\unins000.dat	138587f78f2991ec368f7d0d2b9d5dce.tmp
File created	C:\Program Files (x86)\Placeat\ullam\is-M6UQF.tmp	138587f78f2991ec368f7d0d2b9d5dce.tmp
File created	C:\Program Files (x86)\Placeat\ullam\is-0OHKB.tmp	138587f78f2991ec368f7d0d2b9d5dce.tmp
File created	C:\Program Files (x86)\Placeat\ullam\is-EEQ38.tmp	138587f78f2991ec368f7d0d2b9d5dce.tmp
File created	C:\Program Files (x86)\Placeat\is-8OVVH.tmp	138587f78f2991ec368f7d0d2b9d5dce.tmp
File created	C:\Program Files (x86)\Placeat\ullam\is-0GBCQ.tmp	138587f78f2991ec368f7d0d2b9d5dce.tmp
File created	C:\Program Files (x86)\Placeat\is-T6MLM.tmp	138587f78f2991ec368f7d0d2b9d5dce.tmp
File opened for modification	C:\Program Files (x86)\Placeat\ullam\sqlite3.dll	138587f78f2991ec368f7d0d2b9d5dce.tmp
File created	C:\Program Files (x86)\Placeat\is-C1590.tmp	138587f78f2991ec368f7d0d2b9d5dce.tmp

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2464	2668	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2792	138587f78f2991ec368f7d0d2b9d5dce.tmp
2792	138587f78f2991ec368f7d0d2b9d5dce.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2792	138587f78f2991ec368f7d0d2b9d5dce.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2792	2436	138587f78f2991ec368f7d0d2b9d5dce.exe	28
PID 2436 wrote to memory of 2792	2436	138587f78f2991ec368f7d0d2b9d5dce.exe	28
PID 2436 wrote to memory of 2792	2436	138587f78f2991ec368f7d0d2b9d5dce.exe	28
PID 2436 wrote to memory of 2792	2436	138587f78f2991ec368f7d0d2b9d5dce.exe	28
PID 2436 wrote to memory of 2792	2436	138587f78f2991ec368f7d0d2b9d5dce.exe	28
PID 2436 wrote to memory of 2792	2436	138587f78f2991ec368f7d0d2b9d5dce.exe	28
PID 2436 wrote to memory of 2792	2436	138587f78f2991ec368f7d0d2b9d5dce.exe	28
PID 2792 wrote to memory of 2668	2792	138587f78f2991ec368f7d0d2b9d5dce.tmp	29
PID 2792 wrote to memory of 2668	2792	138587f78f2991ec368f7d0d2b9d5dce.tmp	29
PID 2792 wrote to memory of 2668	2792	138587f78f2991ec368f7d0d2b9d5dce.tmp	29
PID 2792 wrote to memory of 2668	2792	138587f78f2991ec368f7d0d2b9d5dce.tmp	29
PID 2668 wrote to memory of 2464	2668	Mollitia.exe	30
PID 2668 wrote to memory of 2464	2668	Mollitia.exe	30
PID 2668 wrote to memory of 2464	2668	Mollitia.exe	30
PID 2668 wrote to memory of 2464	2668	Mollitia.exe	30

C:\Users\Admin\AppData\Local\Temp\138587f78f2991ec368f7d0d2b9d5dce.exe
"C:\Users\Admin\AppData\Local\Temp\138587f78f2991ec368f7d0d2b9d5dce.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Local\Temp\is-APBTA.tmp\138587f78f2991ec368f7d0d2b9d5dce.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-APBTA.tmp\138587f78f2991ec368f7d0d2b9d5dce.tmp" /SL5="$7011E,4198798,721408,C:\Users\Admin\AppData\Local\Temp\138587f78f2991ec368f7d0d2b9d5dce.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Program Files (x86)\Placeat\ullam\Mollitia.exe
    "C:\Program Files (x86)\Placeat/\ullam\Mollitia.exe" e2caa4f2d468e183121ff04e12684330
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 500
      4⤵
      Loads dropped DLL
      Program crash
      PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-APBTA.tmp\138587f78f2991ec368f7d0d2b9d5dce.tmp

Filesize
2.4MB

MD5
3fddfbaa9d029821152e746edbabf7ce

SHA1
703690b3a2377047f6755e9b5274d608791b8062

SHA256
787cef456bd60075199c04ac38dd5e65291bd3a930b132538889e4dafb76fa1a

SHA512
fd50e763c6523022f1be02a6a690d2a2dec4e9a73c941314b4a810bbd7605d4058c5c49c53dcbdd8fde5e6c4d2c78fcec52b5bca087cbf552bc1ce90819c4903

Download Submit
\Program Files (x86)\Placeat\ullam\Mollitia.exe

Filesize
4.4MB

MD5
7f21426eed79daf8f8b7f2fac26256e8

SHA1
0ad8225dd98fdea065c71124ce6cc5d1800c7790

SHA256
7887f4c5bab81920134c28b6ec86538aa1457a8c52ed0cd0ef9e864eca1d4946

SHA512
efbab038d061e408d04a6e66b254eacf4cad3978946665d5474c588947d75a519a652ad05ea342ae2e3885b409b204c2ce3c45c5f4f3cff8ef3d38e6bfca88ee

Download Submit
\Program Files (x86)\Placeat\ullam\Mollitia.exe

Filesize
116KB

MD5
d24f377d9be7db15f76e84050f6b4952

SHA1
12d8932d4594774997028908b8da725b30ab45c6

SHA256
3bbb785f9087d04caf6ffd40b328915f6c5ddc97a90d03c3ff188a0376767e1d

SHA512
fb84e3e6106d9138257ef86f8528f7d219b835bb634a11acd68892d14f902a5a1606b6751bed05d1aeafc949ff4d6bdd4143f4b4d48e9d3aa1da506d5af2617f

Download Submit
\Program Files (x86)\Placeat\ullam\Mollitia.exe

Filesize
448KB

MD5
f0cd993731ec0b98bbe327d8f69b9b0e

SHA1
232080e35fd82d46d79e8d6c6c428bc811b9d225

SHA256
d14816faa1c404124990123d4b9df30797300b48ab83461d1e3d1052709dc076

SHA512
2f408359df50a6562667cba2c36e5be481a04a027158d34e74d8ecdeb5627a0fbec50ceb6a396e55ac46353ab9db2857d7e554703d99c2e65b9a4eebb5b9e982

Download Submit
\Program Files (x86)\Placeat\ullam\Mollitia.exe

Filesize
86KB

MD5
0cc596ba6049129c46cb1bfa320c0d34

SHA1
32e058d710e6911c6291a7e45112472dfb86c33a

SHA256
e29b3defe60e234766d8503b2a06f5da622e98823083564e4df31c4032708fca

SHA512
93532e73a9d161ccafa1e3c6a34147d74ffa3880e4045438321c020d3fcd17f76d26970900e4f9397baacdcf5aa74ffad41452074d8a6e517cae921bebf9e616

Download Submit
\Program Files (x86)\Placeat\ullam\Mollitia.exe

Filesize
64KB

MD5
f9fcd6171c40330bfae5cfeceebb40d8

SHA1
07b0aa3638169a7a6b518cc7fd6275ae1497ccfb

SHA256
c4f496b9186f58a1a41b1034cca1993b560cf1bc1da3c78da327f4b08629eac0

SHA512
d042a7446851350d8b8c5022c678b9c90e0711c1e77415b52b3407659b5cca07473644d6132f6b4d9ae58236d7075599e7eae193d1dcb2a6fb62d22526813b6a

Download Submit
\Users\Admin\AppData\Local\Temp\is-APBTA.tmp\138587f78f2991ec368f7d0d2b9d5dce.tmp

Filesize
226KB

MD5
2898174e33563a019ed27a51278a9c46

SHA1
040aa5e05285dcff44dad14e0b81b42a8223177b

SHA256
035df5e78f24abc4c8ed23bf465ba62817fbb10621af633b47bb0f8a1ddd0c75

SHA512
aaceb3ca8eddf2d9e2564cdbfe4d17bd4f78e8c7d2f4670250bcb0453472b2b1fe4a73d7dae28df65979371f2e2e3e0a3e7a80f903a2082a6eea0387853d58ae

Download Submit
\Users\Admin\AppData\Local\Temp\is-R3L6T.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/2436-53-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2436-1-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2668-55-0x0000000000400000-0x000000000167A000-memory.dmp

Filesize
18.5MB

Download
memory/2668-57-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2668-56-0x0000000000400000-0x000000000167A000-memory.dmp

Filesize
18.5MB

Download
memory/2668-58-0x0000000000400000-0x000000000167A000-memory.dmp

Filesize
18.5MB

Download
memory/2792-54-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/2792-8-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2792-68-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing