382a040cad6beda3e363a0bc564f341bd92d3d3592175d449599ca877dab6ee9

General

Target

3abaf7302682abb2c7d851a7f9f600b3.exe
Size

4.8MB
MD5

3abaf7302682abb2c7d851a7f9f600b3
SHA1

c6d1571fd40320dbd5322827fe9f1c4b25a73520
SHA256

382a040cad6beda3e363a0bc564f341bd92d3d3592175d449599ca877dab6ee9
SHA512

db11ca34134ff57237453a8f8f9dfdacd2a9a808bba45bfd083252099e63b8377181eb64b0035fb8be6e098c7bb6f7114d2bb7c1fee5163f32902daafb20bb3f
SSDEEP

98304:PX4Nwhsxua0GgTReHnDjBDYwSGWeIAAWC8yazx14:v8WsGRiF0wSigWya0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4768	3abaf7302682abb2c7d851a7f9f600b3.tmp
3292	Qui.exe

Loads dropped DLL 1 IoCs

pid	Process
4768	3abaf7302682abb2c7d851a7f9f600b3.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Ut\is-KSDHQ.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\is-C4S1Q.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\rerum\is-DOUQD.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\rerum\is-R6MEH.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File opened for modification	C:\Program Files (x86)\Ut\Qui.exe	3abaf7302682abb2c7d851a7f9f600b3.tmp
File opened for modification	C:\Program Files (x86)\Ut\sqlite3.dll	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\is-I4AP8.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\adipisci\is-G3TFD.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\rerum\is-KUQGR.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\is-5G0Q7.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\is-CIFB0.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\rerum\is-KCKOC.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\unins000.dat	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\is-0D4DV.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\adipisci\is-RGF21.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\adipisci\is-TOQFF.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\adipisci\is-98S23.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\rerum\is-5BQS7.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\is-EF6FE.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File opened for modification	C:\Program Files (x86)\Ut\unins000.dat	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\is-MBUCI.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp
File created	C:\Program Files (x86)\Ut\is-07OHK.tmp	3abaf7302682abb2c7d851a7f9f600b3.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4768	3abaf7302682abb2c7d851a7f9f600b3.tmp
4768	3abaf7302682abb2c7d851a7f9f600b3.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4768	3abaf7302682abb2c7d851a7f9f600b3.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 4768	4820	3abaf7302682abb2c7d851a7f9f600b3.exe	20
PID 4820 wrote to memory of 4768	4820	3abaf7302682abb2c7d851a7f9f600b3.exe	20
PID 4820 wrote to memory of 4768	4820	3abaf7302682abb2c7d851a7f9f600b3.exe	20
PID 4768 wrote to memory of 3292	4768	3abaf7302682abb2c7d851a7f9f600b3.tmp	31
PID 4768 wrote to memory of 3292	4768	3abaf7302682abb2c7d851a7f9f600b3.tmp	31
PID 4768 wrote to memory of 3292	4768	3abaf7302682abb2c7d851a7f9f600b3.tmp	31

C:\Users\Admin\AppData\Local\Temp\3abaf7302682abb2c7d851a7f9f600b3.exe
"C:\Users\Admin\AppData\Local\Temp\3abaf7302682abb2c7d851a7f9f600b3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Users\Admin\AppData\Local\Temp\is-967J4.tmp\3abaf7302682abb2c7d851a7f9f600b3.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-967J4.tmp\3abaf7302682abb2c7d851a7f9f600b3.tmp" /SL5="$A0040,4315556,721408,C:\Users\Admin\AppData\Local\Temp\3abaf7302682abb2c7d851a7f9f600b3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Program Files (x86)\Ut\Qui.exe
    "C:\Program Files (x86)\Ut/\Qui.exe" af5733f5dbedd236941f32dcfc6054b3
    3⤵
    - Executes dropped EXE
    PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-967J4.tmp\3abaf7302682abb2c7d851a7f9f600b3.tmp

Filesize
93KB

MD5
636dac01e993b7933bd563bd8d2215e2

SHA1
2510b6336bd5bf2e1eef681133d82bf25733418a

SHA256
12a176f9601f23c1523f8193cd93e84033585d76708f2c3d9379ca7954a7685c

SHA512
2e943c783ca737cda38b608025be63d8ee21e7cef9ae37ffab8124a4669b572f5056bdc9e13a3d85fe45a1443283b52d3acf46f4682f8cd267b304244aa1a483

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BGRGA.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/3292-52-0x0000000000400000-0x00000000016FE000-memory.dmp

Filesize
19.0MB

Download
memory/3292-51-0x0000000000400000-0x00000000016FE000-memory.dmp

Filesize
19.0MB

Download
memory/3292-53-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/3292-56-0x0000000000400000-0x00000000016FE000-memory.dmp

Filesize
19.0MB

Download
memory/3292-59-0x0000000000400000-0x00000000016FE000-memory.dmp

Filesize
19.0MB

Download
memory/3292-72-0x0000000000400000-0x00000000016FE000-memory.dmp

Filesize
19.0MB

Download
memory/3292-84-0x0000000000400000-0x00000000016FE000-memory.dmp

Filesize
19.0MB

Download
memory/4768-6-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/4768-55-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/4768-60-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/4820-2-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4820-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4820-54-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download

Analysis

Sharing