f799be183c8bdc70a4b7559dbba3067d6eec4155913477902a0a7d5de3eb814f

General

Target

f767a3497d399db7888c6cca825caf23.exe
Size

2.8MB
MD5

f767a3497d399db7888c6cca825caf23
SHA1

d5f883b41d83138eb8dd86a96bf1a024955679a9
SHA256

f799be183c8bdc70a4b7559dbba3067d6eec4155913477902a0a7d5de3eb814f
SHA512

17764831a8d2fa24015884b978adda05b0a577cff75225db59fa1cd8c83745878485ef6377da31f07d58e8d9e778159a192d7ec78451688b73e4cef24126ce28
SSDEEP

49152:COyLMf6GLw2kwKSAklUYfHStpoDtbZ3gcUlWnb4x53PL7YXb/6sRNXHctMfm9Y:RyGdXKSGNtpg3gcUlw4/3PL7YXz1TQBY

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
924	f767a3497d399db7888c6cca825caf23.tmp
4924	Optio.exe

Loads dropped DLL 2 IoCs

pid	Process
924	f767a3497d399db7888c6cca825caf23.tmp
4924	Optio.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Quia\is-ARD7H.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\fugit\is-ET7GD.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\fugit\is-HL048.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\unins000.dat	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\ut\is-TSFDP.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\is-J2M9H.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\is-B3C7G.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\fugit\is-HPNQN.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\fugit\is-4A25P.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\fugit\is-7QF0C.tmp	f767a3497d399db7888c6cca825caf23.tmp
File opened for modification	C:\Program Files (x86)\Quia\ut\sqlite3.dll	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\fugit\is-30JRG.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\ut\is-RH7H7.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\ut\is-4GGB1.tmp	f767a3497d399db7888c6cca825caf23.tmp
File opened for modification	C:\Program Files (x86)\Quia\ut\Optio.exe	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\fugit\is-5QTH8.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\ut\is-M6MF1.tmp	f767a3497d399db7888c6cca825caf23.tmp
File opened for modification	C:\Program Files (x86)\Quia\unins000.dat	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\ut\is-VEM8F.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\ut\is-DO94I.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\is-T5QHS.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\is-LTEFP.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\is-2IIGO.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\fugit\is-859N4.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\fugit\is-Q2BID.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\is-8HOBS.tmp	f767a3497d399db7888c6cca825caf23.tmp
File created	C:\Program Files (x86)\Quia\ut\is-2TLV9.tmp	f767a3497d399db7888c6cca825caf23.tmp

Program crash 5 IoCs

pid	pid_target	Process	procid_target
4872	4924	WerFault.exe	92
4108	4924	WerFault.exe	92
5108	4924	WerFault.exe	92
4880	4924	WerFault.exe	92
1296	4924	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
924	f767a3497d399db7888c6cca825caf23.tmp
924	f767a3497d399db7888c6cca825caf23.tmp
4924	Optio.exe
4924	Optio.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
924	f767a3497d399db7888c6cca825caf23.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 924	732	f767a3497d399db7888c6cca825caf23.exe	88
PID 732 wrote to memory of 924	732	f767a3497d399db7888c6cca825caf23.exe	88
PID 732 wrote to memory of 924	732	f767a3497d399db7888c6cca825caf23.exe	88
PID 924 wrote to memory of 4924	924	f767a3497d399db7888c6cca825caf23.tmp	92
PID 924 wrote to memory of 4924	924	f767a3497d399db7888c6cca825caf23.tmp	92
PID 924 wrote to memory of 4924	924	f767a3497d399db7888c6cca825caf23.tmp	92

C:\Users\Admin\AppData\Local\Temp\f767a3497d399db7888c6cca825caf23.exe
"C:\Users\Admin\AppData\Local\Temp\f767a3497d399db7888c6cca825caf23.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:732
- C:\Users\Admin\AppData\Local\Temp\is-1KSG8.tmp\f767a3497d399db7888c6cca825caf23.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1KSG8.tmp\f767a3497d399db7888c6cca825caf23.tmp" /SL5="$50066,2569358,118784,C:\Users\Admin\AppData\Local\Temp\f767a3497d399db7888c6cca825caf23.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Program Files (x86)\Quia\ut\Optio.exe
    "C:\Program Files (x86)\Quia/\ut\Optio.exe" b3571eccb954ee7b5be0e85bd60ce7c1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 960
      4⤵
      Program crash
      PID:4872
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 1028
      4⤵
      Program crash
      PID:4108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 1120
      4⤵
      Program crash
      PID:5108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 968
      4⤵
      Program crash
      PID:4880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 1152
      4⤵
      Program crash
      PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4924 -ip 4924
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4924 -ip 4924
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4924 -ip 4924
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4924 -ip 4924
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4924 -ip 4924
1⤵
PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Quia\ut\Optio.exe

Filesize
92KB

MD5
e035acd212fdeae7c967be25ef2b6725

SHA1
f636aebd88b47d3e1e39c40c5e0a1da35dfbf9a6

SHA256
319312bd44f96f53f224dc74e214ee3511433825d96c2b90a517e6d3e4693fff

SHA512
bc077481c82e507f2fc40250335a7449f72b932fd83d9a30a66fb2c8933e75a2d77ad2a36abe267f8096f794ab60432f0336a82c4e095b8cc948bd88a76370c3

Download Submit
C:\Program Files (x86)\Quia\ut\sqlite3.dll

Filesize
92KB

MD5
9265633f26a4bff077e8dcc05be2de04

SHA1
8fe2380f98dd4dea477e8ade695334b7b2106b52

SHA256
132b382458eb3729661de636e56a468d18729f6673daae3f071e0e56e3d495d3

SHA512
f8f3681dc9436a281592418e14b8f82768a941c396ae7a074a3db18bbee4f55db847269a2c98d95e7db5082af2513f74ad2a91132216198c8fff7448b6b3d41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1KSG8.tmp\f767a3497d399db7888c6cca825caf23.tmp

Filesize
1024KB

MD5
28c7aaf1ff7c4d6884a3a4dfbd2b369b

SHA1
a562bddaad1880be83195263bc60fca696d84848

SHA256
3d3a1d607c185ba798b41438c31a6c145f6642eac43faf3e95e141c2f85dd829

SHA512
316c9ed33cbcd236587c8480db00a724d4d9ef3fb3785936e9d833d708e20379561a153a044291fb2c3ba0829b81361c09c9e46dfb7ff784acd6e86bd61c329d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1KSG8.tmp\f767a3497d399db7888c6cca825caf23.tmp

Filesize
392KB

MD5
09f2e354416da10a9f238068d2fb9c6d

SHA1
bc0d205253613422a364937fec7e98c9fbf30a15

SHA256
1b73aaaa3ad4b9c6bd6644ab53041b7f370a898949560b217f545786024f0d86

SHA512
8bb2ae305d472d32a4c8c50799d070b4e3b156241978275d98021c2c13af0c68d6066348e215b99ba9bccf5275a76bb2ff6b6f311c2a34a8ce7a2265d5b909f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K5M1O.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/732-70-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/732-2-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/732-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/924-7-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/924-71-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/924-76-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4924-69-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/4924-68-0x0000000000400000-0x000000000146A000-memory.dmp

Filesize
16.4MB

Download
memory/4924-67-0x0000000000400000-0x000000000146A000-memory.dmp

Filesize
16.4MB

Download
memory/4924-73-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/4924-72-0x0000000000400000-0x000000000146A000-memory.dmp

Filesize
16.4MB

Download
memory/4924-81-0x0000000000400000-0x000000000146A000-memory.dmp

Filesize
16.4MB

Download
memory/4924-125-0x0000000000400000-0x000000000146A000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing