6c5ebd2b8cac3b53298122da85e163df0007eca7d8fcb5357b250ad0b36ef916

General

Target

406e390c04f7e44489d9fccc11d052be.exe
Size

4.8MB
MD5

406e390c04f7e44489d9fccc11d052be
SHA1

6ed88d399fc6db8493cdbdabbfca3c575d075972
SHA256

6c5ebd2b8cac3b53298122da85e163df0007eca7d8fcb5357b250ad0b36ef916
SHA512

685a80a6862ef650c0695644c92662e5f27d23e20476cace1ffe15e394c86424ab13ef08c5b0b20ac3f262b254a11cd13cbe4f2492cecde79bb06fcb813fc0fd
SSDEEP

98304:PX40aAlHVvAK3fIbDZi9/nbSpDqs6D7+yazx14:vjlHOK3fcZuSkX+ya0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1824	406e390c04f7e44489d9fccc11d052be.tmp
2940	Exercitationem.exe

Loads dropped DLL 10 IoCs

pid	Process
2392	406e390c04f7e44489d9fccc11d052be.exe
1824	406e390c04f7e44489d9fccc11d052be.tmp
1824	406e390c04f7e44489d9fccc11d052be.tmp
2568	WerFault.exe
2568	WerFault.exe
2568	WerFault.exe
2568	WerFault.exe
2568	WerFault.exe
2568	WerFault.exe
2568	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Porro\ut\is-HJH0M.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File opened for modification	C:\Program Files (x86)\Porro\unins000.dat	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\is-IECC1.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\ut\is-QEUDE.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\vero\is-Q4KG5.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File opened for modification	C:\Program Files (x86)\Porro\ut\sqlite3.dll	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\is-1BM6Q.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\ut\is-GA8O8.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File opened for modification	C:\Program Files (x86)\Porro\ut\Exercitationem.exe	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\is-OA910.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\is-PORDA.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\ut\is-45PAE.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\ut\is-FF5A4.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\ut\is-LTE8R.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\vero\is-QBKA6.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\vero\is-JGTB6.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\unins000.dat	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\is-M815L.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\ut\is-3L5D6.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\ut\is-DJ5VC.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\ut\is-04LNN.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\is-7Q2NQ.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\is-1IVB2.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\ut\is-DS8OG.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\ut\is-6E7SH.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\is-DFMC6.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\possimus\is-08686.tmp	406e390c04f7e44489d9fccc11d052be.tmp

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2568	2940	WerFault.exe	24

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1824	406e390c04f7e44489d9fccc11d052be.tmp
1824	406e390c04f7e44489d9fccc11d052be.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1824	406e390c04f7e44489d9fccc11d052be.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 1824	2392	406e390c04f7e44489d9fccc11d052be.exe	16
PID 2392 wrote to memory of 1824	2392	406e390c04f7e44489d9fccc11d052be.exe	16
PID 2392 wrote to memory of 1824	2392	406e390c04f7e44489d9fccc11d052be.exe	16
PID 2392 wrote to memory of 1824	2392	406e390c04f7e44489d9fccc11d052be.exe	16
PID 2392 wrote to memory of 1824	2392	406e390c04f7e44489d9fccc11d052be.exe	16
PID 2392 wrote to memory of 1824	2392	406e390c04f7e44489d9fccc11d052be.exe	16
PID 2392 wrote to memory of 1824	2392	406e390c04f7e44489d9fccc11d052be.exe	16
PID 1824 wrote to memory of 2940	1824	406e390c04f7e44489d9fccc11d052be.tmp	24
PID 1824 wrote to memory of 2940	1824	406e390c04f7e44489d9fccc11d052be.tmp	24
PID 1824 wrote to memory of 2940	1824	406e390c04f7e44489d9fccc11d052be.tmp	24
PID 1824 wrote to memory of 2940	1824	406e390c04f7e44489d9fccc11d052be.tmp	24
PID 2940 wrote to memory of 2568	2940	Exercitationem.exe	30
PID 2940 wrote to memory of 2568	2940	Exercitationem.exe	30
PID 2940 wrote to memory of 2568	2940	Exercitationem.exe	30
PID 2940 wrote to memory of 2568	2940	Exercitationem.exe	30

C:\Users\Admin\AppData\Local\Temp\406e390c04f7e44489d9fccc11d052be.exe
"C:\Users\Admin\AppData\Local\Temp\406e390c04f7e44489d9fccc11d052be.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\is-PIL0K.tmp\406e390c04f7e44489d9fccc11d052be.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-PIL0K.tmp\406e390c04f7e44489d9fccc11d052be.tmp" /SL5="$4001C,4331755,721408,C:\Users\Admin\AppData\Local\Temp\406e390c04f7e44489d9fccc11d052be.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Program Files (x86)\Porro\ut\Exercitationem.exe
    "C:\Program Files (x86)\Porro/\ut\Exercitationem.exe" 2c01271b758834e432ce522b824c5313
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 496
      4⤵
      Loads dropped DLL
      Program crash
      PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-PIL0K.tmp\406e390c04f7e44489d9fccc11d052be.tmp

Filesize
381KB

MD5
5fe40677b50096692706255b5c62727e

SHA1
e4b97631628b7551ba4f495de3e004c675779479

SHA256
cc14ece6975fdb016b2cc5766ab8365a6e81564e4021c17f564ca797926fd407

SHA512
8b31fd227170d7f907122dc43750ac003bd0eba46dadd24935a3b9940661857a4a4d26af0d1cfe1e026aaa965e204202e363309def3e66509dae29596f6f9e30

Download Submit
\Users\Admin\AppData\Local\Temp\is-M4PP8.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-PIL0K.tmp\406e390c04f7e44489d9fccc11d052be.tmp

Filesize
382KB

MD5
87a3b02d203d1c69ef3b4f9a50f848ce

SHA1
a621ca18c711e03f4c8f1deb06d7aa07c1b3d1c0

SHA256
1aad33314da6b332f3c71df86d61216bf5cb4331c53b4894ef6d48059bf4effe

SHA512
6c777ad8be8fb29d7a0813442b0b7b6d99fc9f1c14a592535f4208d0b0d49866d54801bdc47a81190875c142b4e35252453a141c30ccd0bf8bd72b764350f5ab

Download Submit
memory/1824-76-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/1824-8-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1824-81-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2392-75-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2392-1-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2940-66-0x0000000000400000-0x00000000016FE000-memory.dmp

Filesize
19.0MB

Download
memory/2940-67-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2940-77-0x0000000000400000-0x00000000016FE000-memory.dmp

Filesize
19.0MB

Download
memory/2940-65-0x0000000000400000-0x00000000016FE000-memory.dmp

Filesize
19.0MB

Download

Analysis

Sharing