298cc1141228a02177e17e0784616a8fdc65ede6c5e19d31c747406341a6699d

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a0117738a1b34b2f1a8963596bb0d25.exe
Size

4.8MB
MD5

2a0117738a1b34b2f1a8963596bb0d25
SHA1

1b137d97f462e0647693c5522bbcd2defabc0346
SHA256

298cc1141228a02177e17e0784616a8fdc65ede6c5e19d31c747406341a6699d
SHA512

9f3db105c1dd6550beef53a195bbeaa633b4cdac169999ef8e134133f38f00f70e8242eb9fd73885ca067b86579f42740a9a3a22807948f5b93b134a134d067f
SSDEEP

98304:PX4KdW3dkXx1OAAx1NKiIeRCovBrnxT1Dl9288iyazx14:ve3dUOAAxBLRCovBbpxTya0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2704	2a0117738a1b34b2f1a8963596bb0d25.tmp
2588	In.exe

Loads dropped DLL 10 IoCs

pid	Process
1972	2a0117738a1b34b2f1a8963596bb0d25.exe
2704	2a0117738a1b34b2f1a8963596bb0d25.tmp
2704	2a0117738a1b34b2f1a8963596bb0d25.tmp
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Eos\rerum\is-D5FI0.tmp	2a0117738a1b34b2f1a8963596bb0d25.tmp
File created	C:\Program Files (x86)\Eos\facere\is-KLQFE.tmp	2a0117738a1b34b2f1a8963596bb0d25.tmp
File created	C:\Program Files (x86)\Eos\facere\is-C11EE.tmp	2a0117738a1b34b2f1a8963596bb0d25.tmp
File created	C:\Program Files (x86)\Eos\facere\is-AO2M4.tmp	2a0117738a1b34b2f1a8963596bb0d25.tmp
File created	C:\Program Files (x86)\Eos\rerum\is-94QSO.tmp	2a0117738a1b34b2f1a8963596bb0d25.tmp
File created	C:\Program Files (x86)\Eos\rerum\is-FCLV8.tmp	2a0117738a1b34b2f1a8963596bb0d25.tmp
File opened for modification	C:\Program Files (x86)\Eos\unins000.dat	2a0117738a1b34b2f1a8963596bb0d25.tmp
File created	C:\Program Files (x86)\Eos\is-19QEH.tmp	2a0117738a1b34b2f1a8963596bb0d25.tmp
File created	C:\Program Files (x86)\Eos\is-MS8OC.tmp	2a0117738a1b34b2f1a8963596bb0d25.tmp
File created	C:\Program Files (x86)\Eos\unins000.dat	2a0117738a1b34b2f1a8963596bb0d25.tmp
File created	C:\Program Files (x86)\Eos\is-FCES7.tmp	2a0117738a1b34b2f1a8963596bb0d25.tmp
File created	C:\Program Files (x86)\Eos\is-LCUGR.tmp	2a0117738a1b34b2f1a8963596bb0d25.tmp
File created	C:\Program Files (x86)\Eos\facere\is-9PPTI.tmp	2a0117738a1b34b2f1a8963596bb0d25.tmp
File opened for modification	C:\Program Files (x86)\Eos\facere\In.exe	2a0117738a1b34b2f1a8963596bb0d25.tmp
File opened for modification	C:\Program Files (x86)\Eos\facere\sqlite3.dll	2a0117738a1b34b2f1a8963596bb0d25.tmp

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2924	2588	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2704	2a0117738a1b34b2f1a8963596bb0d25.tmp
2704	2a0117738a1b34b2f1a8963596bb0d25.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2704	2a0117738a1b34b2f1a8963596bb0d25.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2704	1972	2a0117738a1b34b2f1a8963596bb0d25.exe	28
PID 1972 wrote to memory of 2704	1972	2a0117738a1b34b2f1a8963596bb0d25.exe	28
PID 1972 wrote to memory of 2704	1972	2a0117738a1b34b2f1a8963596bb0d25.exe	28
PID 1972 wrote to memory of 2704	1972	2a0117738a1b34b2f1a8963596bb0d25.exe	28
PID 1972 wrote to memory of 2704	1972	2a0117738a1b34b2f1a8963596bb0d25.exe	28
PID 1972 wrote to memory of 2704	1972	2a0117738a1b34b2f1a8963596bb0d25.exe	28
PID 1972 wrote to memory of 2704	1972	2a0117738a1b34b2f1a8963596bb0d25.exe	28
PID 2704 wrote to memory of 2588	2704	2a0117738a1b34b2f1a8963596bb0d25.tmp	29
PID 2704 wrote to memory of 2588	2704	2a0117738a1b34b2f1a8963596bb0d25.tmp	29
PID 2704 wrote to memory of 2588	2704	2a0117738a1b34b2f1a8963596bb0d25.tmp	29
PID 2704 wrote to memory of 2588	2704	2a0117738a1b34b2f1a8963596bb0d25.tmp	29
PID 2588 wrote to memory of 2924	2588	In.exe	32
PID 2588 wrote to memory of 2924	2588	In.exe	32
PID 2588 wrote to memory of 2924	2588	In.exe	32
PID 2588 wrote to memory of 2924	2588	In.exe	32

C:\Users\Admin\AppData\Local\Temp\2a0117738a1b34b2f1a8963596bb0d25.exe
"C:\Users\Admin\AppData\Local\Temp\2a0117738a1b34b2f1a8963596bb0d25.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\is-QUR11.tmp\2a0117738a1b34b2f1a8963596bb0d25.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QUR11.tmp\2a0117738a1b34b2f1a8963596bb0d25.tmp" /SL5="$E0154,4359667,721408,C:\Users\Admin\AppData\Local\Temp\2a0117738a1b34b2f1a8963596bb0d25.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Program Files (x86)\Eos\facere\In.exe
    "C:\Program Files (x86)\Eos/\facere\In.exe" a793ac5e706ee9ba57753663540b5f53
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 500
      4⤵
      Loads dropped DLL
      Program crash
      PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Eos\facere\In.exe

Filesize
2.1MB

MD5
9477be35d36dcfda4c8459f9f656839f

SHA1
c571962e6fe1ed218227db0f98a41e3d02a64a8c

SHA256
d76dc972b60f64729553fe30139c5d9e2a117a996f3954d49626b2b5df0ab35e

SHA512
858201cdf0073aeb680aeb9815f11518838bee924aa29f7b852e4a641e6815eb02e1aa4eaebf1e5e2a62ae0509f9217db846d3737e54f167eb91a10cba6e02d1

Download Submit
\Program Files (x86)\Eos\facere\In.exe

Filesize
2.3MB

MD5
eaa90c1a90d10d34abc69aa6f6f45f51

SHA1
cbdad1f9f6738b3de35f3f7669055e9d8f66909f

SHA256
b10f52778ab2c2a0ccf608d66d636d42c706e6125e12b17bd3680b4187635051

SHA512
7df3ab3294a53211b66cae5d593f11ed7083a03e9a176753b15db3c63e30caa11b5051299f15f7633e34a31e982aa0625e43b76a714ef17d622fa430d50be3b3

Download Submit
\Program Files (x86)\Eos\facere\In.exe

Filesize
31KB

MD5
fc7e51ae3cc8ce5fdf8938c5e4e9dc4d

SHA1
b2f67a4ef27389a6334504dec6c21ec4d93b65e2

SHA256
acf181ba33f64d802d2b9e1703725a2400eebca26e97d54abb777c0206683209

SHA512
36733fe47faf56f0cb9a9fc5c331cd99105d638f273c30ee3723013782cb375d1a6999cd383c29db811547db15a2b8bfb0ef9c11c3d8f0acb580b8917eb567b1

Download Submit
\Program Files (x86)\Eos\facere\In.exe

Filesize
78KB

MD5
fd4ad8c1a83bc90f00f08eddc41fa4fa

SHA1
69c3229df0afc6b319e2dcb198d8cebad4e51c81

SHA256
ead0833f31d1af22f19810ae59177fea135951ab26a94b1ae385767bd7efe040

SHA512
a123238c4e737aa26a846d51334224e35f6500458c7b4a6ec58fd2398a8f9d566d1d8b042dab0c7e4ae90dbb411345d7363461ad0ec0396ea2f428d4e88454fe

Download Submit
\Program Files (x86)\Eos\facere\In.exe

Filesize
24KB

MD5
d374e74f26325818515247e507766409

SHA1
81ed0909a03b2a51a4100a42e0ddde54e17549fd

SHA256
56b75bb691411677e52f300aa38dbfa667f478c8985177e4afc3de32d704fe55

SHA512
ddc93c8d072e72d56789e180194540d9ae644a23788622b0714d2e3024895e0ff893bb5343f82652641ba0d029662032d2c57a57af12706adf6984e40c4c6e4a

Download Submit
\Program Files (x86)\Eos\facere\In.exe

Filesize
23KB

MD5
34a308b747299ee3faf3040a28936888

SHA1
50733cbb3532aa40a30ba96cd64f6bdef986136f

SHA256
b80753f59e7035a9a66907a79b9cbaed45c10bace141a18271f1fe44203542c4

SHA512
f91ff4fd0517b5204d8103687f9c04e51bc9a68479b3fa9a93b0aa275d9be935eb49d1068071457603c5f7cf0b92bcc25a3545d8b322b2faeb85ebbe5ee7b868

Download Submit
\Program Files (x86)\Eos\facere\In.exe

Filesize
97KB

MD5
82b336d78a6039d661a4828b2f020d81

SHA1
327a4ded34d85ac1aa111c0c04c918b24fc9a29c

SHA256
2781e78b166ae0bfd878f8795fcc147c188bdd43ac0f0ecc864287b3b32d769c

SHA512
62531890e7d0ec7ac49b1846384a85709d9b4699466d6603f3dd83998a8d617caec4f605331855fa8bae89d74bd362db2ec56658e28698b530df664047baa3d2

Download Submit
\Program Files (x86)\Eos\facere\In.exe

Filesize
40KB

MD5
e5e88f757d8679940666edacbd927d31

SHA1
7ce10585efaca5cd315f33ddc0698353ab75224b

SHA256
2ee96f0c97c05e6b6ed23c557107636eadc02cd767e0dc1699276171fac35c89

SHA512
17ddc6f77df21a05c9fcf52cbd7792742a4267bce4081e52b65259f1f82a2c4707bade1f6db711423d4d25c4184dbe1118160b96d9db34174d0b1b28e5a77a8d

Download Submit
\Program Files (x86)\Eos\facere\In.exe

Filesize
172KB

MD5
e685af7203d5e2ec7db84a69054a073f

SHA1
fa559fc9f4eb911870a114b06b91882ab380b9f7

SHA256
6e16657934db6d5bb3aa3abecae1a8691254c0b21faa271e32379a16726768f6

SHA512
e04da58622568fc2d4f789b6b5d3ad22ab479c909a28372dccf940e3bc74e49105973f0bcf354ab86bd5513eefbceed12c6b8b1ab104ca5eaa91571c9a1ce656

Download Submit
\Users\Admin\AppData\Local\Temp\is-QUR11.tmp\2a0117738a1b34b2f1a8963596bb0d25.tmp

Filesize
2.4MB

MD5
3fddfbaa9d029821152e746edbabf7ce

SHA1
703690b3a2377047f6755e9b5274d608791b8062

SHA256
787cef456bd60075199c04ac38dd5e65291bd3a930b132538889e4dafb76fa1a

SHA512
fd50e763c6523022f1be02a6a690d2a2dec4e9a73c941314b4a810bbd7605d4058c5c49c53dcbdd8fde5e6c4d2c78fcec52b5bca087cbf552bc1ce90819c4903

Download Submit
\Users\Admin\AppData\Local\Temp\is-RP2QD.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/1972-3-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1972-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1972-6-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1972-46-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2588-49-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2588-44-0x0000000000400000-0x0000000001729000-memory.dmp

Filesize
19.2MB

Download
memory/2588-47-0x0000000000400000-0x0000000001729000-memory.dmp

Filesize
19.2MB

Download
memory/2588-48-0x0000000000400000-0x0000000001729000-memory.dmp

Filesize
19.2MB

Download
memory/2588-57-0x0000000000400000-0x0000000001729000-memory.dmp

Filesize
19.2MB

Download
memory/2704-45-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/2704-43-0x0000000003DB0000-0x00000000050D9000-memory.dmp

Filesize
19.2MB

Download
memory/2704-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2704-60-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2704-61-0x0000000003DB0000-0x00000000050D9000-memory.dmp

Filesize
19.2MB

Download