382a040cad6beda3e363a0bc564f341bd92d3d3592175d449599ca877dab6ee9

General

Target

3abaf7302682abb2c7d851a7f9f600b3.exe
Size

4.8MB
MD5

3abaf7302682abb2c7d851a7f9f600b3
SHA1

c6d1571fd40320dbd5322827fe9f1c4b25a73520
SHA256

382a040cad6beda3e363a0bc564f341bd92d3d3592175d449599ca877dab6ee9
SHA512

db11ca34134ff57237453a8f8f9dfdacd2a9a808bba45bfd083252099e63b8377181eb64b0035fb8be6e098c7bb6f7114d2bb7c1fee5163f32902daafb20bb3f
SSDEEP

98304:PX4Nwhsxua0GgTReHnDjBDYwSGWeIAAWC8yazx14:v8WsGRiF0wSigWya0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3012	3abaf7302682abb2c7d851a7f9f600b3.tmp
2728	Qui.exe

Loads dropped DLL 3 IoCs

pid	Process
2672	3abaf7302682abb2c7d851a7f9f600b3.exe
3012	3abaf7302682abb2c7d851a7f9f600b3.tmp
3012	3abaf7302682abb2c7d851a7f9f600b3.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Ut\adipisci\is-OMLS3.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\is-JMAOL.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\is-C49A7.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\is-24D7N.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\is-FCQPI.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File opened for modification	C:\Program Files (x86)\Ut\Qui.exe	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\is-0BK68.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\rerum\is-IOQ6S.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\is-KBJK8.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\adipisci\is-8IU2S.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\rerum\is-SCU70.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\rerum\is-9F2EB.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File opened for modification	C:\Program Files (x86)\Ut\unins000.dat	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\unins000.dat	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\is-61VPB.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\is-4GF4J.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\is-CP0T7.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\rerum\is-KIERF.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File opened for modification	C:\Program Files (x86)\Ut\sqlite3.dll	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\adipisci\is-H69DH.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\adipisci\is-P3SGJ.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\rerum\is-TOMUJ.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3012	3abaf7302682abb2c7d851a7f9f600b3.tmp
3012	3abaf7302682abb2c7d851a7f9f600b3.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3012	3abaf7302682abb2c7d851a7f9f600b3.tmp

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 3012	2672	3abaf7302682abb2c7d851a7f9f600b3.exe	28
PID 2672 wrote to memory of 3012	2672	3abaf7302682abb2c7d851a7f9f600b3.exe	28
PID 2672 wrote to memory of 3012	2672	3abaf7302682abb2c7d851a7f9f600b3.exe	28
PID 2672 wrote to memory of 3012	2672	3abaf7302682abb2c7d851a7f9f600b3.exe	28
PID 2672 wrote to memory of 3012	2672	3abaf7302682abb2c7d851a7f9f600b3.exe	28
PID 2672 wrote to memory of 3012	2672	3abaf7302682abb2c7d851a7f9f600b3.exe	28
PID 2672 wrote to memory of 3012	2672	3abaf7302682abb2c7d851a7f9f600b3.exe	28
PID 3012 wrote to memory of 2728	3012	3abaf7302682abb2c7d851a7f9f600b3.tmp	29
PID 3012 wrote to memory of 2728	3012	3abaf7302682abb2c7d851a7f9f600b3.tmp	29
PID 3012 wrote to memory of 2728	3012	3abaf7302682abb2c7d851a7f9f600b3.tmp	29
PID 3012 wrote to memory of 2728	3012	3abaf7302682abb2c7d851a7f9f600b3.tmp	29

C:\Users\Admin\AppData\Local\Temp\3abaf7302682abb2c7d851a7f9f600b3.exe
"C:\Users\Admin\AppData\Local\Temp\3abaf7302682abb2c7d851a7f9f600b3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\is-16K9C.tmp\3abaf7302682abb2c7d851a7f9f600b3.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-16K9C.tmp\3abaf7302682abb2c7d851a7f9f600b3.tmp" /SL5="$A0154,4315556,721408,C:\Users\Admin\AppData\Local\Temp\3abaf7302682abb2c7d851a7f9f600b3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Program Files (x86)\Ut\Qui.exe
    "C:\Program Files (x86)\Ut/\Qui.exe" af5733f5dbedd236941f32dcfc6054b3
    3⤵
    - Executes dropped EXE
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Ut\Qui.exe

Filesize
261KB

MD5
6a4ccea746c1c6b07bb8f6d4e10c0d6b

SHA1
0668851940eb0244a1add330c40e503728af153c

SHA256
c54f318950c9607a00ee92623da0b57eb5f1c223a35f613b490c005246728ac1

SHA512
efb89f3c4e428b367e64db1b77d1b4ed80f8793ec4517afe59e9ae4d031fa6c23d9d77efe053c6854f26c27ef1c3b38046f6ef5cd260ae2e4f15423ed281a878

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-16K9C.tmp\3abaf7302682abb2c7d851a7f9f600b3.tmp

Filesize
543KB

MD5
8753e6fd8301a7ca7cad20251f002df6

SHA1
1d1bb2bc6cdaae770e2e7f1c99e69ef3de04ea22

SHA256
2b233f8a2608357a7f8a804cda4dcfbf75082b5f8d9df82f762857aa6f9ca083

SHA512
8efb4d2d380a76e3ff16b06b9292789436c6534f338d9b84c69a544cb31b40c9021c8737d6a4e59c36adedfc1111dca437e474f6eb41dc812216aa817fa090ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-16K9C.tmp\3abaf7302682abb2c7d851a7f9f600b3.tmp

Filesize
33KB

MD5
55c6a396adb1f3d1bdbd4ef106779b73

SHA1
15403614654f6a25df6159ae699405722b6f7da0

SHA256
294fdffb1b00836139a4765a909a7e8d7127a47abd155ea1cf86f8f7841d3d95

SHA512
8a1387fad65c432f272fba5dae18258dc0a3d92bce4c1bdc055c760ec62a62433f95c6c2c01185ebb6a18eec868baaf3ed6dc7bac647abd9d5bb92c3edb7f721

Download Submit
\Program Files (x86)\Ut\Qui.exe

Filesize
249KB

MD5
44b6bb998c24e1a8ed59da3261b68bf1

SHA1
2bf4c3b57b4c847f9acde720cb8ff8d0025dd653

SHA256
c08ab5974f72d32f3ead865a701e313330e699b9fcfb2d8fa226444c689c9bdd

SHA512
b2aac200e6039c27e2f371ae00d512d9e778a3743eaad36a809a319903e6a2587474c9d784aab3d8d15a539cc4ae6497372a92e06dde9e3bd3d735cddfc9559b

Download Submit
\Users\Admin\AppData\Local\Temp\is-16K9C.tmp\3abaf7302682abb2c7d851a7f9f600b3.tmp

Filesize
21KB

MD5
f0d2b23caef509bb1ff64c76c5551cd5

SHA1
3398e9a6f25d800fe2f082da697f3fe1adc7506a

SHA256
850f40c799baa411c6648aa669d2ca60d6ae569a765b1511e3c05af2cc4cae91

SHA512
9a3ad97ab4caa15bf39efe2b87d717aba0518ae4b79005cb783f2e21f4e75de80f68593ea3b4e421bd1277a3a4480e3d2688aab59b785b591299b5e35648aad4

Download Submit
\Users\Admin\AppData\Local\Temp\is-VQLMJ.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/2672-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2672-2-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2672-58-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2728-57-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/2728-55-0x0000000000400000-0x00000000016FE000-memory.dmp

Filesize
19.0MB

Download
memory/2728-56-0x0000000000400000-0x00000000016FE000-memory.dmp

Filesize
19.0MB

Download
memory/2728-60-0x0000000000400000-0x00000000016FE000-memory.dmp

Filesize
19.0MB

Download
memory/2728-63-0x0000000000400000-0x00000000016FE000-memory.dmp

Filesize
19.0MB

Download
memory/2728-67-0x0000000000400000-0x00000000016FE000-memory.dmp

Filesize
19.0MB

Download
memory/2728-73-0x0000000000400000-0x00000000016FE000-memory.dmp

Filesize
19.0MB

Download
memory/2728-79-0x0000000000400000-0x00000000016FE000-memory.dmp

Filesize
19.0MB

Download
memory/3012-59-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/3012-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3012-64-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing