5bf737b523846a073eca67002f280cdff3fd42b0c916811a2b3a60219de51764

General

Target

50ef93e4ccf69fcf279de3fcb8075f80.exe
Size

3.7MB
MD5

50ef93e4ccf69fcf279de3fcb8075f80
SHA1

5ab016854f0dc0f9b046dcd6d6e7f773f484be21
SHA256

5bf737b523846a073eca67002f280cdff3fd42b0c916811a2b3a60219de51764
SHA512

1b85312aa82d612c3e9e20cf802dd12fd45fefae2e64f3a947d1e52f48f7e6e331f72ea2cd5f2d2b91867904be7916de3f001023b855184e97ac508d31b6995a
SSDEEP

98304:PX4T0P3Jv4bCFA7frAJUyATxRlwz22UFpyazx14:vK0P32Myj2cxj+22Ipya0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1316	50ef93e4ccf69fcf279de3fcb8075f80.tmp
2620	Iure.exe

Loads dropped DLL 4 IoCs

pid	Process
2252	50ef93e4ccf69fcf279de3fcb8075f80.exe
1316	50ef93e4ccf69fcf279de3fcb8075f80.tmp
1316	50ef93e4ccf69fcf279de3fcb8075f80.tmp
2620	Iure.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Voluptas\officia\Iure.exe	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\officia\is-56T0P.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\officia\is-802CQ.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\optio\is-LVISK.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\optio\is-Q4AJQ.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\is-JI25P.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\doloribus\is-ONI3S.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\doloribus\is-A88I1.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\doloribus\is-LSCS1.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File opened for modification	C:\Program Files (x86)\Voluptas\unins000.dat	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\is-9G2UA.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\is-59RRE.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\is-2QVGD.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\doloribus\is-HTU7Q.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\doloribus\is-PIS69.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\doloribus\is-VFEUA.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\officia\is-TEVR1.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\officia\is-OT6L8.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File opened for modification	C:\Program Files (x86)\Voluptas\officia\sqlite3.dll	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\unins000.dat	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\is-FNBDU.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\is-PKH5D.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1316	50ef93e4ccf69fcf279de3fcb8075f80.tmp
1316	50ef93e4ccf69fcf279de3fcb8075f80.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1316	50ef93e4ccf69fcf279de3fcb8075f80.tmp

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1316	2252	50ef93e4ccf69fcf279de3fcb8075f80.exe	28
PID 2252 wrote to memory of 1316	2252	50ef93e4ccf69fcf279de3fcb8075f80.exe	28
PID 2252 wrote to memory of 1316	2252	50ef93e4ccf69fcf279de3fcb8075f80.exe	28
PID 2252 wrote to memory of 1316	2252	50ef93e4ccf69fcf279de3fcb8075f80.exe	28
PID 2252 wrote to memory of 1316	2252	50ef93e4ccf69fcf279de3fcb8075f80.exe	28
PID 2252 wrote to memory of 1316	2252	50ef93e4ccf69fcf279de3fcb8075f80.exe	28
PID 2252 wrote to memory of 1316	2252	50ef93e4ccf69fcf279de3fcb8075f80.exe	28
PID 1316 wrote to memory of 2620	1316	50ef93e4ccf69fcf279de3fcb8075f80.tmp	29
PID 1316 wrote to memory of 2620	1316	50ef93e4ccf69fcf279de3fcb8075f80.tmp	29
PID 1316 wrote to memory of 2620	1316	50ef93e4ccf69fcf279de3fcb8075f80.tmp	29
PID 1316 wrote to memory of 2620	1316	50ef93e4ccf69fcf279de3fcb8075f80.tmp	29

C:\Users\Admin\AppData\Local\Temp\50ef93e4ccf69fcf279de3fcb8075f80.exe
"C:\Users\Admin\AppData\Local\Temp\50ef93e4ccf69fcf279de3fcb8075f80.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\is-UOFQB.tmp\50ef93e4ccf69fcf279de3fcb8075f80.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-UOFQB.tmp\50ef93e4ccf69fcf279de3fcb8075f80.tmp" /SL5="$400F4,3183062,721408,C:\Users\Admin\AppData\Local\Temp\50ef93e4ccf69fcf279de3fcb8075f80.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Program Files (x86)\Voluptas\officia\Iure.exe
    "C:\Program Files (x86)\Voluptas/\officia\Iure.exe" 5fa3e4141295a83810d25683391a76aa
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Voluptas\officia\Iure.exe

Filesize
761KB

MD5
89e52b24c6f53965fa3daa8c8172ad29

SHA1
8c6cf56b5e707b4b45d6dd8e2076fb2806608fcf

SHA256
49e0935e9f8e2fd0b2aaa7fa8744de3f767319597997f085a4ef82f74aef3cd0

SHA512
2b71e84bf5ef39755f494223b782873433550e2d1b39fa4b6271df9ca77f3b46648a22521b1e697db9f87d312c1eb8edf08098690fdb77bb5789a5055fa09b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UOFQB.tmp\50ef93e4ccf69fcf279de3fcb8075f80.tmp

Filesize
848KB

MD5
b788b0cad184acab743e2063e2ccb862

SHA1
a41b979a46877d233adf20438b7705b5378ae388

SHA256
586d361efffb4e4bd71135eece3e440ad7daaad02f1dad8b28934a419119ab33

SHA512
595900edeac18a1c5dd60c0c26c26552a8639ef3cc56eedc493b21a83c22bd89045447b809f9eea72add0a3430cd292f20150d1f8e4313c459cf2544e2a8d3df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UOFQB.tmp\50ef93e4ccf69fcf279de3fcb8075f80.tmp

Filesize
1.7MB

MD5
a3fa3e19187f5f7e58b31dd0b364f67d

SHA1
e05f97add73834a054629f06cc2961b3b1838704

SHA256
67a50ec1a2994e71406a1bc45d8c6c5ef407dc07a8ecd051804818bad6cb7cb5

SHA512
7fdd243cf4b1ef191aaea194e14719382f444d12e5a1e59fbe01f33d6a31e699c587e442a4073af769bd5fbec74c9e14addc716c1b771a983cfc4d0ecef420fc

Download Submit
\Program Files (x86)\Voluptas\officia\Iure.exe

Filesize
761KB

MD5
3b3acb5472be36653c287c0bdbb3126c

SHA1
7b55394126de1fb38de4bcb651d8ec0a91027fab

SHA256
7492f6fa6b128c7deebaebcc3654b474869b81af84055f96deb64ef8a2fe1e86

SHA512
b81fdf1794c4b3b702e1da3572efa16c081baed421cf30e62bbb72e5ac59bc140a3ba4c8e50578b12d984dab777fbecc442fd325befc75b4a716ea1347491761

Download Submit
\Program Files (x86)\Voluptas\officia\sqlite3.dll

Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\Users\Admin\AppData\Local\Temp\is-KCPNT.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-UOFQB.tmp\50ef93e4ccf69fcf279de3fcb8075f80.tmp

Filesize
1.6MB

MD5
f16dd48d9a86760516bb2cfaddf67888

SHA1
2003f21637d491bc5583ccf88067aa4eb2e57d2a

SHA256
3fbbdfc66a392d4bb283d332d90948c7f4c61205596402c53184451312ba8e82

SHA512
d794826a703e12b664eb6b10689cd5839cceb0b93586daea0eccab9e0d1d53ca0208d6131e082ffffab4df828620de395fbd30d57c7aecb3db1c49217df3e415

Download Submit
memory/1316-8-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1316-58-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/2252-1-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2252-59-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2620-57-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing