4019bcf2d677385d6bd196bc374dc541a8b50273552443755a51b9f09e012692

Analysis

max time kernel
145s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b1c467e20a0d23115b37da34c1155c6.exe
Size

4.8MB
MD5

3b1c467e20a0d23115b37da34c1155c6
SHA1

39d97bdb774c2d0e382e7e6fbeb408f47872f7f0
SHA256

4019bcf2d677385d6bd196bc374dc541a8b50273552443755a51b9f09e012692
SHA512

a704c53792527afc2b5f9896ad5178e1b7b5a24b83a7e4506e2cb20281f78da3d88e1a2dfdffb1d626deca8917b7cff3654bcd9ea88a246f4b10af937237ae2b
SSDEEP

98304:PX4MSUZpvWi484a6NNtZhxLqA9IhkMNpHwSNmljrz5yazx14:vpJZF484/NNtZhxLqACnfHwSNOX5ya0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1072	3b1c467e20a0d23115b37da34c1155c6.tmp
2392	In.exe

Loads dropped DLL 10 IoCs

pid	Process
1696	3b1c467e20a0d23115b37da34c1155c6.exe
1072	3b1c467e20a0d23115b37da34c1155c6.tmp
1072	3b1c467e20a0d23115b37da34c1155c6.tmp
2332	WerFault.exe
2332	WerFault.exe
2332	WerFault.exe
2332	WerFault.exe
2332	WerFault.exe
2332	WerFault.exe
2332	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Optio\is-HC53K.tmp	3b1c467e20a0d23115b37da34c1155c6.tmp
File created	C:\Program Files (x86)\Optio\consequatur\is-FJU0A.tmp	3b1c467e20a0d23115b37da34c1155c6.tmp
File created	C:\Program Files (x86)\Optio\consequatur\is-8OOQ2.tmp	3b1c467e20a0d23115b37da34c1155c6.tmp
File created	C:\Program Files (x86)\Optio\consequatur\is-GBHV8.tmp	3b1c467e20a0d23115b37da34c1155c6.tmp
File created	C:\Program Files (x86)\Optio\consequatur\is-53SEG.tmp	3b1c467e20a0d23115b37da34c1155c6.tmp
File opened for modification	C:\Program Files (x86)\Optio\In.exe	3b1c467e20a0d23115b37da34c1155c6.tmp
File created	C:\Program Files (x86)\Optio\consequatur\is-V23A1.tmp	3b1c467e20a0d23115b37da34c1155c6.tmp
File created	C:\Program Files (x86)\Optio\consequatur\is-0B9IF.tmp	3b1c467e20a0d23115b37da34c1155c6.tmp
File created	C:\Program Files (x86)\Optio\consequatur\is-VR350.tmp	3b1c467e20a0d23115b37da34c1155c6.tmp
File opened for modification	C:\Program Files (x86)\Optio\unins000.dat	3b1c467e20a0d23115b37da34c1155c6.tmp
File created	C:\Program Files (x86)\Optio\consequatur\is-1R8CK.tmp	3b1c467e20a0d23115b37da34c1155c6.tmp
File created	C:\Program Files (x86)\Optio\consequatur\is-KSH3N.tmp	3b1c467e20a0d23115b37da34c1155c6.tmp
File created	C:\Program Files (x86)\Optio\is-H1IHK.tmp	3b1c467e20a0d23115b37da34c1155c6.tmp
File created	C:\Program Files (x86)\Optio\unins000.dat	3b1c467e20a0d23115b37da34c1155c6.tmp
File created	C:\Program Files (x86)\Optio\is-KL3JD.tmp	3b1c467e20a0d23115b37da34c1155c6.tmp
File created	C:\Program Files (x86)\Optio\consequatur\is-ATVLO.tmp	3b1c467e20a0d23115b37da34c1155c6.tmp
File created	C:\Program Files (x86)\Optio\consequatur\is-6R1KE.tmp	3b1c467e20a0d23115b37da34c1155c6.tmp
File created	C:\Program Files (x86)\Optio\is-TIKR7.tmp	3b1c467e20a0d23115b37da34c1155c6.tmp
File created	C:\Program Files (x86)\Optio\consequatur\is-FH9SP.tmp	3b1c467e20a0d23115b37da34c1155c6.tmp
File created	C:\Program Files (x86)\Optio\consequatur\is-2OAOC.tmp	3b1c467e20a0d23115b37da34c1155c6.tmp
File created	C:\Program Files (x86)\Optio\is-5D2JJ.tmp	3b1c467e20a0d23115b37da34c1155c6.tmp
File created	C:\Program Files (x86)\Optio\is-TCE32.tmp	3b1c467e20a0d23115b37da34c1155c6.tmp
File created	C:\Program Files (x86)\Optio\is-9THCH.tmp	3b1c467e20a0d23115b37da34c1155c6.tmp
File created	C:\Program Files (x86)\Optio\consequatur\is-R0KL4.tmp	3b1c467e20a0d23115b37da34c1155c6.tmp
File opened for modification	C:\Program Files (x86)\Optio\sqlite3.dll	3b1c467e20a0d23115b37da34c1155c6.tmp
File created	C:\Program Files (x86)\Optio\is-1LPP2.tmp	3b1c467e20a0d23115b37da34c1155c6.tmp

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2332	2392	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1072	3b1c467e20a0d23115b37da34c1155c6.tmp
1072	3b1c467e20a0d23115b37da34c1155c6.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1072	3b1c467e20a0d23115b37da34c1155c6.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1072	1696	3b1c467e20a0d23115b37da34c1155c6.exe	28
PID 1696 wrote to memory of 1072	1696	3b1c467e20a0d23115b37da34c1155c6.exe	28
PID 1696 wrote to memory of 1072	1696	3b1c467e20a0d23115b37da34c1155c6.exe	28
PID 1696 wrote to memory of 1072	1696	3b1c467e20a0d23115b37da34c1155c6.exe	28
PID 1696 wrote to memory of 1072	1696	3b1c467e20a0d23115b37da34c1155c6.exe	28
PID 1696 wrote to memory of 1072	1696	3b1c467e20a0d23115b37da34c1155c6.exe	28
PID 1696 wrote to memory of 1072	1696	3b1c467e20a0d23115b37da34c1155c6.exe	28
PID 1072 wrote to memory of 2392	1072	3b1c467e20a0d23115b37da34c1155c6.tmp	29
PID 1072 wrote to memory of 2392	1072	3b1c467e20a0d23115b37da34c1155c6.tmp	29
PID 1072 wrote to memory of 2392	1072	3b1c467e20a0d23115b37da34c1155c6.tmp	29
PID 1072 wrote to memory of 2392	1072	3b1c467e20a0d23115b37da34c1155c6.tmp	29
PID 2392 wrote to memory of 2332	2392	In.exe	30
PID 2392 wrote to memory of 2332	2392	In.exe	30
PID 2392 wrote to memory of 2332	2392	In.exe	30
PID 2392 wrote to memory of 2332	2392	In.exe	30

C:\Users\Admin\AppData\Local\Temp\3b1c467e20a0d23115b37da34c1155c6.exe
"C:\Users\Admin\AppData\Local\Temp\3b1c467e20a0d23115b37da34c1155c6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\is-GORG4.tmp\3b1c467e20a0d23115b37da34c1155c6.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GORG4.tmp\3b1c467e20a0d23115b37da34c1155c6.tmp" /SL5="$5014C,4371046,721408,C:\Users\Admin\AppData\Local\Temp\3b1c467e20a0d23115b37da34c1155c6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Program Files (x86)\Optio\In.exe
    "C:\Program Files (x86)\Optio/\In.exe" 774f9be4d00642e36f7fad3c92b13887
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 500
      4⤵
      Loads dropped DLL
      Program crash
      PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Optio\In.exe

Filesize
107KB

MD5
98858c5d5768a6c870667e82a67f2a48

SHA1
9894bbec840d3589c5c2c027041ca6e57e7cf77e

SHA256
b04a2ff3a93b07c6fcf033e2f10a096ab86f8de92d6cb8195873f11f99164b8d

SHA512
19a6afe3a04b365384199cbb3c2631724a6a2751e116bd7c038f5e78f3c7849c51b7dec2cdb9bea71645c3609978d6f7608b3f76b29237103ef4c8d6bf05f2f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GORG4.tmp\3b1c467e20a0d23115b37da34c1155c6.tmp

Filesize
1.7MB

MD5
6e3ca135721194f677e04898d18a88c1

SHA1
8a4a6b52efd776448737ca36e5f842d8cf98379a

SHA256
20fbf34fd1654ad50cc1d485411a8c1e8346cc9af2268d9e848e5b4d39e91c84

SHA512
67fedb4269aa9779b9b72bc429c83ce2414943212a44eeb0fee0993a7e8ebcde2cb02e914ca8dcb48fd240964ea31cde5f60515020842321e57eb3c7ec0c200f

Download Submit
\Program Files (x86)\Optio\In.exe

Filesize
199KB

MD5
144ad0928c0f9cbb71fbe97df9ea2106

SHA1
70fc728005b2f25756b64945fd4f38008067b157

SHA256
8bb41ed62c318f4104c30194417514597145e1af9c8956da0f87007ab1fcf622

SHA512
4414be4a1d0e5173810c16b6d0499424fe6b941b7f84cf4c98b4572d162ca9b23c220d8efd58a243c1049ca744e8246c8ba8b4d5d0a84826fe9b409648d0700c

Download Submit
\Program Files (x86)\Optio\In.exe

Filesize
753KB

MD5
21141c15ad8e134f11acd4a741734cb3

SHA1
ab88f5a5659c5621ff323c0ed1e893bdbec0ec29

SHA256
f96b287325b4f54640e2758367b4680473a11e1d173358e19ff8bc86174d323d

SHA512
d4f69f741fa036d030bbaab904a8b144e2f51bdeddc28413c23942c2a9341588dd3c2716cfbb6d3c5bde4625e76005ced219ab446683d9efa4e99a747592a793

Download Submit
\Program Files (x86)\Optio\In.exe

Filesize
1.1MB

MD5
6c919fcbdcffdcc1b478f220f90799b0

SHA1
9ecf41e4a15eb9b73712e8a6c516f369751accd0

SHA256
588a4091cbee5dfd74202c869a96af8ba56cfd2a3b744219beabdb5aa7e126c1

SHA512
1641c831b9a421360a586d8a18d473ccb3c22417a54ae468e68cf41b6c0989a6b85d4bf64bd4887cd5bd1e271c7c6714afc917dc43cd6a1c8e99c3fbe78b3f2c

Download Submit
\Program Files (x86)\Optio\In.exe

Filesize
1.3MB

MD5
502f6db4a18ce0a00e0c47ee412ba77c

SHA1
92595c4e9698bf7c746d4d1eabe8ce4ee39f2278

SHA256
df7ce1d2685d42bc0df045de3c35a54e439da93662c4135cb83f8686359d91d7

SHA512
d05b068e5e4e2823abdc43f44c26746196d1ad11a2b11fa7bf86792917790ff3aba72f614d483cda10a1f226a62fbece03874d56705f8b94ba95906adaabf34c

Download Submit
\Program Files (x86)\Optio\In.exe

Filesize
565KB

MD5
3993303929d9868c49eb7984bc13645a

SHA1
e50220c2934146bf98a4e0bbf3da0727cb940324

SHA256
132328bcc4a1655f0de8f092665654b3b50a520cc663b7e826930a35ea09abdb

SHA512
fa42f12b966b3bc1a40ac1f590d45a3b2563ab9e09221f2d6e945e7f3b7bf182c9049a52ba19fee5a62efd821579f791d5b4343e22a56a8f872acf68d2fe9601

Download Submit
\Program Files (x86)\Optio\In.exe

Filesize
527KB

MD5
63ce0c0a5444a7676f712cff90d866cf

SHA1
305baa29220aad4b874be05d6b87fa0615365b8f

SHA256
fb9c2348f0650f154c68b652e5bc62804e61d89e201d4eb21bac4c8a3dc3b42a

SHA512
d902a666e85abc3a253cd076d00235a9b9334eb4ad831be2ddf26e3dab04b364f0eddd01e150cfb58f0992189fbd83d010e3c6390ef9860bb4e01751b84400e8

Download Submit
\Program Files (x86)\Optio\In.exe

Filesize
602KB

MD5
4bd0639c33a9c6dac99c4d2ca2d22312

SHA1
2bc5f8a34176b4004c51eb9e26d3ceb12599e76a

SHA256
812f6ec411821e29b363f54bd04e0b02ca8089bb9754e82bf3ac1cec511f7f83

SHA512
42b0e8fc0fe40797ce14ab396c0dd7a7d3e68acccbf0e24d2315572694c73f622cc9e4a11da910a754a6eed0508bbb064e5519b869e9384029272cba51273813

Download Submit
\Program Files (x86)\Optio\In.exe

Filesize
813KB

MD5
e2215d40ce0f8cc15b0afd3e3879633d

SHA1
bffefaf3b2dc17eb4cac1bc6962d5bb93a0be099

SHA256
ebbd7147ac329c8df2c7cdf47843fa0cc4312be43264d4c6682f95e15006f964

SHA512
c04f48a8b8ea3e9071a42b6d81f19a47f5529da2321ac518fdc4e26905e5a958ea12bc3d5ed04d898016d866204e07f5298e8bb9d0982d4fdb7d56bd3b3e0f3b

Download Submit
\Users\Admin\AppData\Local\Temp\is-GORG4.tmp\3b1c467e20a0d23115b37da34c1155c6.tmp

Filesize
2.4MB

MD5
3fddfbaa9d029821152e746edbabf7ce

SHA1
703690b3a2377047f6755e9b5274d608791b8062

SHA256
787cef456bd60075199c04ac38dd5e65291bd3a930b132538889e4dafb76fa1a

SHA512
fd50e763c6523022f1be02a6a690d2a2dec4e9a73c941314b4a810bbd7605d4058c5c49c53dcbdd8fde5e6c4d2c78fcec52b5bca087cbf552bc1ce90819c4903

Download Submit
\Users\Admin\AppData\Local\Temp\is-RNERG.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/1072-72-0x0000000003DB0000-0x00000000050D7000-memory.dmp

Filesize
19.2MB

Download
memory/1072-63-0x0000000003DB0000-0x00000000050D7000-memory.dmp

Filesize
19.2MB

Download
memory/1072-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1072-71-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1072-67-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/1696-66-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1696-1-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2392-68-0x0000000000400000-0x0000000001727000-memory.dmp

Filesize
19.2MB

Download
memory/2392-64-0x0000000000400000-0x0000000001727000-memory.dmp

Filesize
19.2MB

Download
memory/2392-70-0x00000000017A0000-0x00000000017A1000-memory.dmp

Filesize
4KB

Download
memory/2392-69-0x0000000000400000-0x0000000001727000-memory.dmp

Filesize
19.2MB

Download
memory/2392-74-0x0000000000400000-0x0000000001727000-memory.dmp

Filesize
19.2MB

Download
memory/2392-65-0x0000000000400000-0x0000000001727000-memory.dmp

Filesize
19.2MB

Download
memory/2392-83-0x0000000000400000-0x0000000001727000-memory.dmp

Filesize
19.2MB

Download