f0aad21358e5bd6dcb417eb5ba67cd12fc44d96a0e78e4539cf0c8fb092f76d1

General

Target

7b1eb3d9bd0f2bdf5a7ddde6187538f0.exe
Size

4.5MB
MD5

7b1eb3d9bd0f2bdf5a7ddde6187538f0
SHA1

94f1277f4ba0b763977fc81b0a697855dc04efbe
SHA256

f0aad21358e5bd6dcb417eb5ba67cd12fc44d96a0e78e4539cf0c8fb092f76d1
SHA512

e8e703bde4f2b9379300c267676c96faff43a7ef72476835b72e82cbd744384c1a57bb45bd370a7ee759abdf164ec54bc9f49904914deaed495b8cfd300e5691
SSDEEP

98304:PX4IgznrtSU2TbCrihayDNhMY3GIZDmQ8yazx14:vEznr4biiE89GOKQ8ya0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1160	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
1668	Omnis.exe

Loads dropped DLL 3 IoCs

pid	Process
2556	7b1eb3d9bd0f2bdf5a7ddde6187538f0.exe
1160	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
1160	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Enim\is-S8QJ2.tmp	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File created	C:\Program Files (x86)\Enim\iste\is-UE4K5.tmp	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File created	C:\Program Files (x86)\Enim\minus\is-DMNFE.tmp	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File created	C:\Program Files (x86)\Enim\minus\is-5UJE2.tmp	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File created	C:\Program Files (x86)\Enim\is-NLR0F.tmp	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File created	C:\Program Files (x86)\Enim\is-KHJT3.tmp	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File created	C:\Program Files (x86)\Enim\is-O1LT6.tmp	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File created	C:\Program Files (x86)\Enim\qui\is-CB9N2.tmp	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File created	C:\Program Files (x86)\Enim\tempora\is-FDAB9.tmp	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File created	C:\Program Files (x86)\Enim\tempora\is-PN14J.tmp	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File created	C:\Program Files (x86)\Enim\qui\is-O4QBM.tmp	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File created	C:\Program Files (x86)\Enim\is-RV2RA.tmp	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File created	C:\Program Files (x86)\Enim\is-FM7SN.tmp	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File created	C:\Program Files (x86)\Enim\iste\is-9QOOL.tmp	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File opened for modification	C:\Program Files (x86)\Enim\unins000.dat	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File created	C:\Program Files (x86)\Enim\tempora\is-EQKEN.tmp	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File created	C:\Program Files (x86)\Enim\is-9S5KQ.tmp	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File created	C:\Program Files (x86)\Enim\iste\is-S01ET.tmp	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File created	C:\Program Files (x86)\Enim\qui\is-KQRJE.tmp	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File opened for modification	C:\Program Files (x86)\Enim\iste\Omnis.exe	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File created	C:\Program Files (x86)\Enim\unins000.dat	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File created	C:\Program Files (x86)\Enim\iste\is-82RI1.tmp	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File opened for modification	C:\Program Files (x86)\Enim\iste\sqlite3.dll	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File created	C:\Program Files (x86)\Enim\iste\is-LIOV8.tmp	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File created	C:\Program Files (x86)\Enim\iste\is-OH75U.tmp	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
File created	C:\Program Files (x86)\Enim\tempora\is-O2OOK.tmp	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1160	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
1160	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
1668	Omnis.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1160	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 1160	2556	7b1eb3d9bd0f2bdf5a7ddde6187538f0.exe	28
PID 2556 wrote to memory of 1160	2556	7b1eb3d9bd0f2bdf5a7ddde6187538f0.exe	28
PID 2556 wrote to memory of 1160	2556	7b1eb3d9bd0f2bdf5a7ddde6187538f0.exe	28
PID 2556 wrote to memory of 1160	2556	7b1eb3d9bd0f2bdf5a7ddde6187538f0.exe	28
PID 2556 wrote to memory of 1160	2556	7b1eb3d9bd0f2bdf5a7ddde6187538f0.exe	28
PID 2556 wrote to memory of 1160	2556	7b1eb3d9bd0f2bdf5a7ddde6187538f0.exe	28
PID 2556 wrote to memory of 1160	2556	7b1eb3d9bd0f2bdf5a7ddde6187538f0.exe	28
PID 1160 wrote to memory of 1668	1160	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp	29
PID 1160 wrote to memory of 1668	1160	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp	29
PID 1160 wrote to memory of 1668	1160	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp	29
PID 1160 wrote to memory of 1668	1160	7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp	29

C:\Users\Admin\AppData\Local\Temp\7b1eb3d9bd0f2bdf5a7ddde6187538f0.exe
"C:\Users\Admin\AppData\Local\Temp\7b1eb3d9bd0f2bdf5a7ddde6187538f0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\is-USH64.tmp\7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-USH64.tmp\7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp" /SL5="$4010C,4052364,721408,C:\Users\Admin\AppData\Local\Temp\7b1eb3d9bd0f2bdf5a7ddde6187538f0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Program Files (x86)\Enim\iste\Omnis.exe
    "C:\Program Files (x86)\Enim/\iste\Omnis.exe" 93d81216118a8bbdd4876576de06b935
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-USH64.tmp\7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp

Filesize
1.1MB

MD5
3b81a4a6925f44d7a85a7eccabc9ab02

SHA1
f3c3629635e78ca0ef9a8ac8fe2997b461ca71cd

SHA256
9203913bdd64de90455663bee2987a2485616762937f3197e32bf3bfb3f2af06

SHA512
1840ce30c3f2dc9ccf383d78b47d2bb85ec44415f170ea5339faf44166641ede585ead28daf37664e80d4b94e7e730c337ae4e645b80ceed89dcadcbb52d150d

Download Submit
\Users\Admin\AppData\Local\Temp\is-GMD3J.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-USH64.tmp\7b1eb3d9bd0f2bdf5a7ddde6187538f0.tmp

Filesize
1.1MB

MD5
4293b04a4efb52e4feb3cd1e7519192c

SHA1
8bf7b8e21e4cb00d376452e1b466b09f69e20155

SHA256
42fa71c8001cb7b7f60393b2bd6cf4cf6982e7e39c86579d9b52646e0304a6ce

SHA512
70de945415a1df3e64c65260b565148002ad5171accabada27cdb95b390fa7c320ec7be0c1b255fe7adf47c3181deebb0825f0dc008feeff6e81eee8c9c1e28b

Download Submit
memory/1160-67-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/1160-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1160-69-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1668-64-0x0000000000400000-0x0000000001623000-memory.dmp

Filesize
18.1MB

Download
memory/1668-65-0x0000000001780000-0x0000000001781000-memory.dmp

Filesize
4KB

Download
memory/1668-63-0x0000000000400000-0x0000000001623000-memory.dmp

Filesize
18.1MB

Download
memory/1668-68-0x0000000000400000-0x0000000001623000-memory.dmp

Filesize
18.1MB

Download
memory/1668-62-0x0000000000400000-0x0000000001623000-memory.dmp

Filesize
18.1MB

Download
memory/1668-72-0x0000000000400000-0x0000000001623000-memory.dmp

Filesize
18.1MB

Download
memory/1668-75-0x0000000000400000-0x0000000001623000-memory.dmp

Filesize
18.1MB

Download
memory/1668-81-0x0000000000400000-0x0000000001623000-memory.dmp

Filesize
18.1MB

Download
memory/2556-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2556-66-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download

Analysis

Sharing