982de5fb844c74f708b0bcfff37b573614176cd311feebaa429ca0e5bb3550c5

General

Target

2c7c53cc215cbc87b9d0fdd03a4a13ce.exe
Size

4.8MB
MD5

2c7c53cc215cbc87b9d0fdd03a4a13ce
SHA1

ed49a3baf836e3c0c27cb1d575b48a2676e42b4f
SHA256

982de5fb844c74f708b0bcfff37b573614176cd311feebaa429ca0e5bb3550c5
SHA512

1ed85a115a200e31c3f286e4089a785c33d6265798eaf615188e8b89c8b45454c8579cc71a447552780b3bb2f3f3b4bb36a1567f9b0414520d73b4319e44516f
SSDEEP

98304:PX4kkWgiZ+zf/jghmMGqfvmP1/rO8ix0OhgJIXi49koyazx14:vZkWBZ+/gcqHW1/LPO6JIXi49koya0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2040	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
2720	Magni.exe

Loads dropped DLL 3 IoCs

pid	Process
2216	2c7c53cc215cbc87b9d0fdd03a4a13ce.exe
2040	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
2040	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Quas\aut\is-2GCON.tmp	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
File created	C:\Program Files (x86)\Quas\qui\is-HJ1P7.tmp	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
File created	C:\Program Files (x86)\Quas\qui\is-MOI0L.tmp	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
File created	C:\Program Files (x86)\Quas\qui\is-L815P.tmp	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
File created	C:\Program Files (x86)\Quas\unins000.dat	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
File created	C:\Program Files (x86)\Quas\is-T9OSV.tmp	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
File created	C:\Program Files (x86)\Quas\is-2NH4V.tmp	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
File created	C:\Program Files (x86)\Quas\aut\is-M6200.tmp	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
File created	C:\Program Files (x86)\Quas\qui\is-QBTG2.tmp	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
File created	C:\Program Files (x86)\Quas\is-K9LOP.tmp	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
File created	C:\Program Files (x86)\Quas\aut\is-1R7R5.tmp	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
File created	C:\Program Files (x86)\Quas\aut\is-B3AMF.tmp	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
File created	C:\Program Files (x86)\Quas\qui\is-J04T2.tmp	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
File created	C:\Program Files (x86)\Quas\aut\is-URTBG.tmp	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
File created	C:\Program Files (x86)\Quas\aut\is-IBVOQ.tmp	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
File created	C:\Program Files (x86)\Quas\qui\is-DNQAV.tmp	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
File created	C:\Program Files (x86)\Quas\is-KN57I.tmp	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
File created	C:\Program Files (x86)\Quas\qui\is-72RE8.tmp	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
File opened for modification	C:\Program Files (x86)\Quas\unins000.dat	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
File opened for modification	C:\Program Files (x86)\Quas\Magni.exe	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
File opened for modification	C:\Program Files (x86)\Quas\sqlite3.dll	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
File created	C:\Program Files (x86)\Quas\is-KSEO3.tmp	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
File created	C:\Program Files (x86)\Quas\is-E0EVH.tmp	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2040	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
2040	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2040	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2040	2216	2c7c53cc215cbc87b9d0fdd03a4a13ce.exe	18
PID 2216 wrote to memory of 2040	2216	2c7c53cc215cbc87b9d0fdd03a4a13ce.exe	18
PID 2216 wrote to memory of 2040	2216	2c7c53cc215cbc87b9d0fdd03a4a13ce.exe	18
PID 2216 wrote to memory of 2040	2216	2c7c53cc215cbc87b9d0fdd03a4a13ce.exe	18
PID 2216 wrote to memory of 2040	2216	2c7c53cc215cbc87b9d0fdd03a4a13ce.exe	18
PID 2216 wrote to memory of 2040	2216	2c7c53cc215cbc87b9d0fdd03a4a13ce.exe	18
PID 2216 wrote to memory of 2040	2216	2c7c53cc215cbc87b9d0fdd03a4a13ce.exe	18
PID 2040 wrote to memory of 2720	2040	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp	24
PID 2040 wrote to memory of 2720	2040	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp	24
PID 2040 wrote to memory of 2720	2040	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp	24
PID 2040 wrote to memory of 2720	2040	2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp	24

C:\Users\Admin\AppData\Local\Temp\2c7c53cc215cbc87b9d0fdd03a4a13ce.exe
"C:\Users\Admin\AppData\Local\Temp\2c7c53cc215cbc87b9d0fdd03a4a13ce.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\AppData\Local\Temp\is-8Q6PC.tmp\2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-8Q6PC.tmp\2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp" /SL5="$5014C,4341601,721408,C:\Users\Admin\AppData\Local\Temp\2c7c53cc215cbc87b9d0fdd03a4a13ce.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Program Files (x86)\Quas\Magni.exe
    "C:\Program Files (x86)\Quas/\Magni.exe" 4dfbcb6392e4e82dec956a1f358df8ce
    3⤵
    - Executes dropped EXE
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-8Q6PC.tmp\2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp

Filesize
381KB

MD5
5fe40677b50096692706255b5c62727e

SHA1
e4b97631628b7551ba4f495de3e004c675779479

SHA256
cc14ece6975fdb016b2cc5766ab8365a6e81564e4021c17f564ca797926fd407

SHA512
8b31fd227170d7f907122dc43750ac003bd0eba46dadd24935a3b9940661857a4a4d26af0d1cfe1e026aaa965e204202e363309def3e66509dae29596f6f9e30

Download Submit
\Users\Admin\AppData\Local\Temp\is-8Q6PC.tmp\2c7c53cc215cbc87b9d0fdd03a4a13ce.tmp

Filesize
382KB

MD5
87a3b02d203d1c69ef3b4f9a50f848ce

SHA1
a621ca18c711e03f4c8f1deb06d7aa07c1b3d1c0

SHA256
1aad33314da6b332f3c71df86d61216bf5cb4331c53b4894ef6d48059bf4effe

SHA512
6c777ad8be8fb29d7a0813442b0b7b6d99fc9f1c14a592535f4208d0b0d49866d54801bdc47a81190875c142b4e35252453a141c30ccd0bf8bd72b764350f5ab

Download Submit
\Users\Admin\AppData\Local\Temp\is-I288D.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/2040-66-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2040-61-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/2040-8-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2216-1-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2216-60-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2720-62-0x0000000000400000-0x00000000016AC000-memory.dmp

Filesize
18.7MB

Download
memory/2720-58-0x0000000000400000-0x00000000016AC000-memory.dmp

Filesize
18.7MB

Download
memory/2720-59-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Filesize
4KB

Download
memory/2720-57-0x0000000000400000-0x00000000016AC000-memory.dmp

Filesize
18.7MB

Download
memory/2720-65-0x0000000000400000-0x00000000016AC000-memory.dmp

Filesize
18.7MB

Download
memory/2720-67-0x0000000000400000-0x00000000016AC000-memory.dmp

Filesize
18.7MB

Download
memory/2720-94-0x0000000000400000-0x00000000016AC000-memory.dmp

Filesize
18.7MB

Download
memory/2720-97-0x0000000000400000-0x00000000016AC000-memory.dmp

Filesize
18.7MB

Download
memory/2720-103-0x0000000000400000-0x00000000016AC000-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing