f799be183c8bdc70a4b7559dbba3067d6eec4155913477902a0a7d5de3eb814f

General

Target

f767a3497d399db7888c6cca825caf23.exe
Size

2.8MB
MD5

f767a3497d399db7888c6cca825caf23
SHA1

d5f883b41d83138eb8dd86a96bf1a024955679a9
SHA256

f799be183c8bdc70a4b7559dbba3067d6eec4155913477902a0a7d5de3eb814f
SHA512

17764831a8d2fa24015884b978adda05b0a577cff75225db59fa1cd8c83745878485ef6377da31f07d58e8d9e778159a192d7ec78451688b73e4cef24126ce28
SSDEEP

49152:COyLMf6GLw2kwKSAklUYfHStpoDtbZ3gcUlWnb4x53PL7YXb/6sRNXHctMfm9Y:RyGdXKSGNtpg3gcUlw4/3PL7YXz1TQBY

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2312	f767a3497d399db7888c6cca825caf23.tmp
2612	Optio.exe

Loads dropped DLL 6 IoCs

pid	Process
2856	f767a3497d399db7888c6cca825caf23.exe
2312	f767a3497d399db7888c6cca825caf23.tmp
2312	f767a3497d399db7888c6cca825caf23.tmp
2312	f767a3497d399db7888c6cca825caf23.tmp
2312	f767a3497d399db7888c6cca825caf23.tmp
2612	Optio.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Quia\ut\is-5J443.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\ut\is-DLT70.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\ut\is-3985L.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\is-S310O.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\is-BTH05.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\ut\is-4MJC7.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\is-UUN8A.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\is-A84NH.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\ut\is-MJMS3.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\fugit\is-9MKMP.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\ut\is-IF4FN.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\fugit\is-9CSI4.tmp	f767a3497d399db7888c6cca825caf23.tmp
File opened for modification	C:\Program Files (x86)\Quia\unins000.dat	f767a3497d399db7888c6cca825caf23.tmp
File opened for modification	C:\Program Files (x86)\Quia\ut\Optio.exe	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\fugit\is-USRSU.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\is-I7LSJ.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\is-5VFQM.tmp	f767a3497d399db7888c6cca825caf23.tmp
File opened for modification	C:\Program Files (x86)\Quia\ut\sqlite3.dll	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\unins000.dat	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\ut\is-GJJI8.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\is-FU2FL.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\fugit\is-4R6OD.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\fugit\is-LRA4U.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\fugit\is-L8J36.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\fugit\is-65LCI.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\fugit\is-BIHLE.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\fugit\is-5QPHI.tmp	f767a3497d399db7888c6cca825caf23.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2312	f767a3497d399db7888c6cca825caf23.tmp
2312	f767a3497d399db7888c6cca825caf23.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2312	f767a3497d399db7888c6cca825caf23.tmp

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2312	2856	f767a3497d399db7888c6cca825caf23.exe	28
PID 2856 wrote to memory of 2312	2856	f767a3497d399db7888c6cca825caf23.exe	28
PID 2856 wrote to memory of 2312	2856	f767a3497d399db7888c6cca825caf23.exe	28
PID 2856 wrote to memory of 2312	2856	f767a3497d399db7888c6cca825caf23.exe	28
PID 2856 wrote to memory of 2312	2856	f767a3497d399db7888c6cca825caf23.exe	28
PID 2856 wrote to memory of 2312	2856	f767a3497d399db7888c6cca825caf23.exe	28
PID 2856 wrote to memory of 2312	2856	f767a3497d399db7888c6cca825caf23.exe	28
PID 2312 wrote to memory of 2612	2312	f767a3497d399db7888c6cca825caf23.tmp	29
PID 2312 wrote to memory of 2612	2312	f767a3497d399db7888c6cca825caf23.tmp	29
PID 2312 wrote to memory of 2612	2312	f767a3497d399db7888c6cca825caf23.tmp	29
PID 2312 wrote to memory of 2612	2312	f767a3497d399db7888c6cca825caf23.tmp	29

C:\Users\Admin\AppData\Local\Temp\f767a3497d399db7888c6cca825caf23.exe
"C:\Users\Admin\AppData\Local\Temp\f767a3497d399db7888c6cca825caf23.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\is-J7UH5.tmp\f767a3497d399db7888c6cca825caf23.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-J7UH5.tmp\f767a3497d399db7888c6cca825caf23.tmp" /SL5="$7011E,2569358,118784,C:\Users\Admin\AppData\Local\Temp\f767a3497d399db7888c6cca825caf23.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Program Files (x86)\Quia\ut\Optio.exe
    "C:\Program Files (x86)\Quia/\ut\Optio.exe" b3571eccb954ee7b5be0e85bd60ce7c1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Quia\ut\sqlite3.dll

Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\Program Files (x86)\Quia\ut\Optio.exe

Filesize
2.4MB

MD5
065551e097c8f56369cb8a9c9d1ffd31

SHA1
c0a4e795baaafa0db636a0ed07b0f8db85d4e4d9

SHA256
867f5cb55416cdc0caed5495b5149041f9bbeaffedbbd89472b68863e0cb5bcd

SHA512
5e15ef9a44736af862d949355cc46820ae84f02e12b98370b590144231f48afe72d12d8132e4284ab815d61177009260a2318c2ce6091342b0c72ebcbac03529

Download Submit
\Users\Admin\AppData\Local\Temp\is-J7UH5.tmp\f767a3497d399db7888c6cca825caf23.tmp

Filesize
1.1MB

MD5
b69b348d3ef2973bf1dde47370b7a393

SHA1
fea161fd274600613c5e409aa2df15fa62110532

SHA256
5caf88d958ea88ffad7493b344f5addcb3b378d735ba81bafe29903f0fa6eec4

SHA512
0a347c800e0973ed9a9693c4e58f53828c2301817b9ec1446781fa02839ad680e4122b20384ca80629c24827ccfe2028b80fb12bfeca07e1af7563e2fb89785f

Download Submit
\Users\Admin\AppData\Local\Temp\is-QBUM7.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-QBUM7.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2312-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2312-72-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2612-71-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/2856-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2856-73-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing