09fb84692b1187cb56814a2ed4e3e74b1d52427f93819913fb82bb6542efb692

Analysis

max time kernel
145s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bd3791ecdf513698f2cafb1a70ef302.exe
Size

4.8MB
MD5

7bd3791ecdf513698f2cafb1a70ef302
SHA1

c345e8ee4a840af8e68946d6672e57b5122c222b
SHA256

09fb84692b1187cb56814a2ed4e3e74b1d52427f93819913fb82bb6542efb692
SHA512

e2c20a325ea68200dfd24980e1897fb040c5418b6f2007d8e5693af468b9158b4b60dd90564b5f202a2d58a268c48135e7860739c26c62d28a8d18faef2dab09
SSDEEP

98304:PX4NBSj2gsoIYWOpw96Pacl+7YFS8HTnPFATLi7s8BDXg1yazx14:vVsoIYW6lhUYjzn6LnK4ya0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2804	7bd3791ecdf513698f2cafb1a70ef302.tmp
2640	Consequatur.exe

Loads dropped DLL 10 IoCs

pid	Process
3048	7bd3791ecdf513698f2cafb1a70ef302.exe
2804	7bd3791ecdf513698f2cafb1a70ef302.tmp
2804	7bd3791ecdf513698f2cafb1a70ef302.tmp
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Dolore\dolores\is-OCO67.tmp	7bd3791ecdf513698f2cafb1a70ef302.tmp
File created	C:\Program Files (x86)\Dolore\is-M4GEC.tmp	7bd3791ecdf513698f2cafb1a70ef302.tmp
File created	C:\Program Files (x86)\Dolore\is-08MKL.tmp	7bd3791ecdf513698f2cafb1a70ef302.tmp
File created	C:\Program Files (x86)\Dolore\dolores\is-1N65H.tmp	7bd3791ecdf513698f2cafb1a70ef302.tmp
File created	C:\Program Files (x86)\Dolore\dolores\is-KJ1DJ.tmp	7bd3791ecdf513698f2cafb1a70ef302.tmp
File created	C:\Program Files (x86)\Dolore\ea\is-9DQIF.tmp	7bd3791ecdf513698f2cafb1a70ef302.tmp
File created	C:\Program Files (x86)\Dolore\ut\is-DI3OS.tmp	7bd3791ecdf513698f2cafb1a70ef302.tmp
File opened for modification	C:\Program Files (x86)\Dolore\Consequatur.exe	7bd3791ecdf513698f2cafb1a70ef302.tmp
File created	C:\Program Files (x86)\Dolore\unins000.dat	7bd3791ecdf513698f2cafb1a70ef302.tmp
File created	C:\Program Files (x86)\Dolore\cupiditate\is-JO0ME.tmp	7bd3791ecdf513698f2cafb1a70ef302.tmp
File created	C:\Program Files (x86)\Dolore\dolores\is-IDT4I.tmp	7bd3791ecdf513698f2cafb1a70ef302.tmp
File created	C:\Program Files (x86)\Dolore\ut\is-VUFN4.tmp	7bd3791ecdf513698f2cafb1a70ef302.tmp
File opened for modification	C:\Program Files (x86)\Dolore\sqlite3.dll	7bd3791ecdf513698f2cafb1a70ef302.tmp
File created	C:\Program Files (x86)\Dolore\is-265BH.tmp	7bd3791ecdf513698f2cafb1a70ef302.tmp
File created	C:\Program Files (x86)\Dolore\is-AF161.tmp	7bd3791ecdf513698f2cafb1a70ef302.tmp
File opened for modification	C:\Program Files (x86)\Dolore\unins000.dat	7bd3791ecdf513698f2cafb1a70ef302.tmp

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2536	2640	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2804	7bd3791ecdf513698f2cafb1a70ef302.tmp
2804	7bd3791ecdf513698f2cafb1a70ef302.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2804	7bd3791ecdf513698f2cafb1a70ef302.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2804	3048	7bd3791ecdf513698f2cafb1a70ef302.exe	28
PID 3048 wrote to memory of 2804	3048	7bd3791ecdf513698f2cafb1a70ef302.exe	28
PID 3048 wrote to memory of 2804	3048	7bd3791ecdf513698f2cafb1a70ef302.exe	28
PID 3048 wrote to memory of 2804	3048	7bd3791ecdf513698f2cafb1a70ef302.exe	28
PID 3048 wrote to memory of 2804	3048	7bd3791ecdf513698f2cafb1a70ef302.exe	28
PID 3048 wrote to memory of 2804	3048	7bd3791ecdf513698f2cafb1a70ef302.exe	28
PID 3048 wrote to memory of 2804	3048	7bd3791ecdf513698f2cafb1a70ef302.exe	28
PID 2804 wrote to memory of 2640	2804	7bd3791ecdf513698f2cafb1a70ef302.tmp	29
PID 2804 wrote to memory of 2640	2804	7bd3791ecdf513698f2cafb1a70ef302.tmp	29
PID 2804 wrote to memory of 2640	2804	7bd3791ecdf513698f2cafb1a70ef302.tmp	29
PID 2804 wrote to memory of 2640	2804	7bd3791ecdf513698f2cafb1a70ef302.tmp	29
PID 2640 wrote to memory of 2536	2640	Consequatur.exe	30
PID 2640 wrote to memory of 2536	2640	Consequatur.exe	30
PID 2640 wrote to memory of 2536	2640	Consequatur.exe	30
PID 2640 wrote to memory of 2536	2640	Consequatur.exe	30

C:\Users\Admin\AppData\Local\Temp\7bd3791ecdf513698f2cafb1a70ef302.exe
"C:\Users\Admin\AppData\Local\Temp\7bd3791ecdf513698f2cafb1a70ef302.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\is-V69E9.tmp\7bd3791ecdf513698f2cafb1a70ef302.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-V69E9.tmp\7bd3791ecdf513698f2cafb1a70ef302.tmp" /SL5="$70120,4309022,721408,C:\Users\Admin\AppData\Local\Temp\7bd3791ecdf513698f2cafb1a70ef302.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Program Files (x86)\Dolore\Consequatur.exe
    "C:\Program Files (x86)\Dolore/\Consequatur.exe" c9c4f0214e00a57c8a3f7a2df6ee8b7c
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 500
      4⤵
      Loads dropped DLL
      Program crash
      PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Dolore\Consequatur.exe

Filesize
4.9MB

MD5
4e33be4a279622f315182d4d12a61f9c

SHA1
e24061f059248cb2930c50be2b33f3ebcf9d4b86

SHA256
48ab80b78f4d919a6d2937a4cad0308752e19ff9fa497e13d6c51df9ff691dc0

SHA512
bf144e8b3a9ff371aa4b0ffda3acfe222ac7b1c3c4e4e2a1c087d5ac229c8956f1de498751309b5b87420fe60ed3b7734c9afab4f7a7b17dc0c6e8668c00c13f

Download Submit
\Program Files (x86)\Dolore\Consequatur.exe

Filesize
640KB

MD5
8d92a0ba1f7fc2947b56606464833698

SHA1
0f8758b3778fc7a6c23b5d675688a97dcc04d568

SHA256
71a7a760a7d21964aae07745e30ab9fbfc45f3ef998df2cb1f3c88ab9a325b39

SHA512
d51cdcab066256d3ce75b1e492eae7b8680293fb924b7dd0e546a11c9369772909e7e78678049d5a8727f9688646fa35ec06ff633570774d8e275bb10356ddbb

Download Submit
\Program Files (x86)\Dolore\Consequatur.exe

Filesize
704KB

MD5
fa677919dbe7e270023d20271242b6e2

SHA1
eda95fa0f2b982d0803babc86dcf9e4792576542

SHA256
752ddf74b997694d39a668d275bb356f027cb4e39981f7ce39846f6b4d19c992

SHA512
aa04081c5294e46d0534824399c9d41d3dc0f41a222e2c188fcdf6a0c36af164f3217748d42d988e32cf53bf2af44f7307d8898c4ef3ed66c81fb15c4513cae0

Download Submit
\Program Files (x86)\Dolore\Consequatur.exe

Filesize
1.6MB

MD5
54bd7666cbbcb466888a490e5de156d5

SHA1
28aebdce9fdcffdb04ee334892e4a8ea2317b376

SHA256
637ee39ddb4a74249eb3b412cd6655e301baa17425149d8b51c9c3321bbf13d7

SHA512
0527761059ddfbb8980a839716b6364e2a4529023ca1c5a8fd7af28a86a782922ba73b092fb648c7c4391811553fea7cbfa9adce335135c4ff173b8f83684c9c

Download Submit
\Program Files (x86)\Dolore\Consequatur.exe

Filesize
1.5MB

MD5
ea9b4df1aa58fa2c4d883645f00c9f0b

SHA1
b7de94e339c7cae64c4b933653e6f753a149f70d

SHA256
36501be5be800341b94d02316a40ab6209411a5d9530bc66c29270a061e7f4ff

SHA512
bd74bd390230c3e6541250786347c27b4ba77451c5e5d0a676196350d062fd3c7b6fcaa8f6dc76b0842ba23f51893f20fc2f4e5f7262428e4aacf5faf437b184

Download Submit
\Program Files (x86)\Dolore\Consequatur.exe

Filesize
1.3MB

MD5
69c78fb841d914cb8ea4f862214a340a

SHA1
a52d839eed50622c8a9bc4467744e408a09e60ca

SHA256
7fb5d3af518287d2bb0c6c74654ab5e92a4022c38e02fba0cdb079834190c7ee

SHA512
50177e193c290a8a65de19432ae07e11a1dbc72bcfc98df19d5822405094ac284ed9c4bbc58b226c9944b64be3a9beb3eb8111172c3fa741c89478e6d655d36d

Download Submit
\Program Files (x86)\Dolore\Consequatur.exe

Filesize
192KB

MD5
040f04fb77d2147e34d11784a23a363a

SHA1
ff75af2911d472922a9155613a2dae7023ea6e5f

SHA256
3d882f1654f654cc3e1c9d452fe18abeb9f57872952a89dac3f5c5011f26867e

SHA512
8d3279c16a4efc4f76f4a740dccc99fd035a72e3e22004c64e8df0d544046ea8148a61f04074dec61de4dfd2f044859251d57a55465b5ea2ceb0690640b6316f

Download Submit
\Users\Admin\AppData\Local\Temp\is-PJ21P.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-V69E9.tmp\7bd3791ecdf513698f2cafb1a70ef302.tmp

Filesize
2.4MB

MD5
3fddfbaa9d029821152e746edbabf7ce

SHA1
703690b3a2377047f6755e9b5274d608791b8062

SHA256
787cef456bd60075199c04ac38dd5e65291bd3a930b132538889e4dafb76fa1a

SHA512
fd50e763c6523022f1be02a6a690d2a2dec4e9a73c941314b4a810bbd7605d4058c5c49c53dcbdd8fde5e6c4d2c78fcec52b5bca087cbf552bc1ce90819c4903

Download Submit
memory/2640-43-0x0000000000400000-0x00000000016FE000-memory.dmp

Filesize
19.0MB

Download
memory/2640-54-0x0000000000400000-0x00000000016FE000-memory.dmp

Filesize
19.0MB

Download
memory/2640-47-0x00000000017D0000-0x00000000017D1000-memory.dmp

Filesize
4KB

Download
memory/2640-46-0x0000000000400000-0x00000000016FE000-memory.dmp

Filesize
19.0MB

Download
memory/2804-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2804-45-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/2804-58-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3048-1-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3048-44-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download