6c5ebd2b8cac3b53298122da85e163df0007eca7d8fcb5357b250ad0b36ef916

General

Target

406e390c04f7e44489d9fccc11d052be.exe
Size

4.8MB
MD5

406e390c04f7e44489d9fccc11d052be
SHA1

6ed88d399fc6db8493cdbdabbfca3c575d075972
SHA256

6c5ebd2b8cac3b53298122da85e163df0007eca7d8fcb5357b250ad0b36ef916
SHA512

685a80a6862ef650c0695644c92662e5f27d23e20476cace1ffe15e394c86424ab13ef08c5b0b20ac3f262b254a11cd13cbe4f2492cecde79bb06fcb813fc0fd
SSDEEP

98304:PX40aAlHVvAK3fIbDZi9/nbSpDqs6D7+yazx14:vjlHOK3fcZuSkX+ya0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5104	406e390c04f7e44489d9fccc11d052be.tmp
1476	Exercitationem.exe

Loads dropped DLL 1 IoCs

pid	Process
5104	406e390c04f7e44489d9fccc11d052be.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Porro\ut\sqlite3.dll	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\ut\is-CIGNP.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\ut\is-PH8AJ.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\vero\is-44M6I.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\unins000.dat	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\is-8VJ61.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\is-7INE3.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\ut\is-FJPS9.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\ut\is-B3G0C.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\vero\is-LOMTV.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File opened for modification	C:\Program Files (x86)\Porro\unins000.dat	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\ut\is-1J4BK.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\vero\is-ADSSQ.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\is-DDREJ.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\possimus\is-S6KQB.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\ut\is-FMGPI.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\ut\is-8IF5G.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\ut\is-IQ933.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\is-EQAKA.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\ut\is-09M3C.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File opened for modification	C:\Program Files (x86)\Porro\ut\Exercitationem.exe	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\is-8FFUU.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\is-QG4TH.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\is-PAP2R.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\is-HLNEF.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\ut\is-GE321.tmp	406e390c04f7e44489d9fccc11d052be.tmp
File created	C:\Program Files (x86)\Porro\ut\is-6SQVL.tmp	406e390c04f7e44489d9fccc11d052be.tmp

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2776	1476	WerFault.exe	96

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5104	406e390c04f7e44489d9fccc11d052be.tmp
5104	406e390c04f7e44489d9fccc11d052be.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5104	406e390c04f7e44489d9fccc11d052be.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 5104	1616	406e390c04f7e44489d9fccc11d052be.exe	91
PID 1616 wrote to memory of 5104	1616	406e390c04f7e44489d9fccc11d052be.exe	91
PID 1616 wrote to memory of 5104	1616	406e390c04f7e44489d9fccc11d052be.exe	91
PID 5104 wrote to memory of 1476	5104	406e390c04f7e44489d9fccc11d052be.tmp	96
PID 5104 wrote to memory of 1476	5104	406e390c04f7e44489d9fccc11d052be.tmp	96
PID 5104 wrote to memory of 1476	5104	406e390c04f7e44489d9fccc11d052be.tmp	96

C:\Users\Admin\AppData\Local\Temp\406e390c04f7e44489d9fccc11d052be.exe
"C:\Users\Admin\AppData\Local\Temp\406e390c04f7e44489d9fccc11d052be.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Users\Admin\AppData\Local\Temp\is-0CA66.tmp\406e390c04f7e44489d9fccc11d052be.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0CA66.tmp\406e390c04f7e44489d9fccc11d052be.tmp" /SL5="$B005C,4331755,721408,C:\Users\Admin\AppData\Local\Temp\406e390c04f7e44489d9fccc11d052be.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Program Files (x86)\Porro\ut\Exercitationem.exe
    "C:\Program Files (x86)\Porro/\ut\Exercitationem.exe" 2c01271b758834e432ce522b824c5313
    3⤵
    - Executes dropped EXE
    PID:1476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 852
      4⤵
      Program crash
      PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1476 -ip 1476
1⤵
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Porro\ut\Exercitationem.exe

Filesize
4.9MB

MD5
0b8e19c68989028b845f26d445654dde

SHA1
58fea89b18ebbfcd6aec54f7785eb005dc5ec04f

SHA256
051fefe663ff43a9d4a0f3ebf059beea7df501f3d8e339a1620d7a460ffd27d8

SHA512
9a3c7df7edf241b0b3f53ca52476da68de42ab821ef67c924a93255b7e052f146ef48b4f8f078fa9fab0a1e6472239d8ffef98e65529b0b3997858675ac619cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0CA66.tmp\406e390c04f7e44489d9fccc11d052be.tmp

Filesize
2.4MB

MD5
3fddfbaa9d029821152e746edbabf7ce

SHA1
703690b3a2377047f6755e9b5274d608791b8062

SHA256
787cef456bd60075199c04ac38dd5e65291bd3a930b132538889e4dafb76fa1a

SHA512
fd50e763c6523022f1be02a6a690d2a2dec4e9a73c941314b4a810bbd7605d4058c5c49c53dcbdd8fde5e6c4d2c78fcec52b5bca087cbf552bc1ce90819c4903

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G0PV3.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/1476-77-0x0000000004670000-0x0000000004671000-memory.dmp

Filesize
4KB

Download
memory/1476-70-0x0000000000400000-0x00000000016FE000-memory.dmp

Filesize
19.0MB

Download
memory/1476-88-0x0000000000400000-0x00000000016FE000-memory.dmp

Filesize
19.0MB

Download
memory/1476-68-0x0000000004670000-0x0000000004671000-memory.dmp

Filesize
4KB

Download
memory/1476-67-0x0000000000400000-0x00000000016FE000-memory.dmp

Filesize
19.0MB

Download
memory/1476-65-0x0000000000400000-0x00000000016FE000-memory.dmp

Filesize
19.0MB

Download
memory/1616-90-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1616-12-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1616-6-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1616-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/5104-42-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/5104-69-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/5104-5-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/5104-66-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/5104-89-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/5104-11-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing