5bf737b523846a073eca67002f280cdff3fd42b0c916811a2b3a60219de51764

General

Target

50ef93e4ccf69fcf279de3fcb8075f80.exe
Size

3.7MB
MD5

50ef93e4ccf69fcf279de3fcb8075f80
SHA1

5ab016854f0dc0f9b046dcd6d6e7f773f484be21
SHA256

5bf737b523846a073eca67002f280cdff3fd42b0c916811a2b3a60219de51764
SHA512

1b85312aa82d612c3e9e20cf802dd12fd45fefae2e64f3a947d1e52f48f7e6e331f72ea2cd5f2d2b91867904be7916de3f001023b855184e97ac508d31b6995a
SSDEEP

98304:PX4T0P3Jv4bCFA7frAJUyATxRlwz22UFpyazx14:vK0P32Myj2cxj+22Ipya0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3360	50ef93e4ccf69fcf279de3fcb8075f80.tmp
4412	Iure.exe

Loads dropped DLL 2 IoCs

pid	Process
3360	50ef93e4ccf69fcf279de3fcb8075f80.tmp
4412	Iure.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Voluptas\optio\is-MCIRV.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\optio\is-01LC9.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File opened for modification	C:\Program Files (x86)\Voluptas\officia\Iure.exe	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\is-DBHNV.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\doloribus\is-SUH9O.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\doloribus\is-BE6PL.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\doloribus\is-V7PP9.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\officia\is-SFOVH.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\officia\is-B35SV.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\officia\is-4V6F1.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\officia\is-TF4AQ.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File opened for modification	C:\Program Files (x86)\Voluptas\unins000.dat	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File opened for modification	C:\Program Files (x86)\Voluptas\officia\sqlite3.dll	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\is-4QDTG.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\is-6J9MG.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\doloribus\is-8RNLF.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\doloribus\is-QFETN.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\doloribus\is-388U9.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\unins000.dat	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\is-GN1IC.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\is-M61E1.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp
File created	C:\Program Files (x86)\Voluptas\is-CMJ9K.tmp	50ef93e4ccf69fcf279de3fcb8075f80.tmp

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1880	4412	WerFault.exe	45

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3360	50ef93e4ccf69fcf279de3fcb8075f80.tmp
3360	50ef93e4ccf69fcf279de3fcb8075f80.tmp
4412	Iure.exe
4412	Iure.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3360	50ef93e4ccf69fcf279de3fcb8075f80.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 3360	1460	50ef93e4ccf69fcf279de3fcb8075f80.exe	23
PID 1460 wrote to memory of 3360	1460	50ef93e4ccf69fcf279de3fcb8075f80.exe	23
PID 1460 wrote to memory of 3360	1460	50ef93e4ccf69fcf279de3fcb8075f80.exe	23
PID 3360 wrote to memory of 4412	3360	50ef93e4ccf69fcf279de3fcb8075f80.tmp	45
PID 3360 wrote to memory of 4412	3360	50ef93e4ccf69fcf279de3fcb8075f80.tmp	45
PID 3360 wrote to memory of 4412	3360	50ef93e4ccf69fcf279de3fcb8075f80.tmp	45

C:\Users\Admin\AppData\Local\Temp\50ef93e4ccf69fcf279de3fcb8075f80.exe
"C:\Users\Admin\AppData\Local\Temp\50ef93e4ccf69fcf279de3fcb8075f80.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\is-ACVIK.tmp\50ef93e4ccf69fcf279de3fcb8075f80.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ACVIK.tmp\50ef93e4ccf69fcf279de3fcb8075f80.tmp" /SL5="$A0056,3183062,721408,C:\Users\Admin\AppData\Local\Temp\50ef93e4ccf69fcf279de3fcb8075f80.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Program Files (x86)\Voluptas\officia\Iure.exe
    "C:\Program Files (x86)\Voluptas/\officia\Iure.exe" 5fa3e4141295a83810d25683391a76aa
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 860
      4⤵
      Program crash
      PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4412 -ip 4412
1⤵
PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Voluptas\officia\Iure.exe

Filesize
224KB

MD5
aaddfcc515b41d0f8337b712a873dcbc

SHA1
98072cb413d3568fa5b31dc8f11432e07ce475f5

SHA256
6b138b513eebebf54eefa4126f3b655345a0d73d9d8c528b58a7115a03ffa5ac

SHA512
244206825a29c70f3c772d70093c9b9db6501be2a8208ef88fa217e3684893b1b4d2283196086ec3c2ff517e6fb953134620d267b24ee89927a49b94f43085de

Download Submit
C:\Program Files (x86)\Voluptas\officia\sqlite3.dll

Filesize
390KB

MD5
a2e44583ea3b9de2b94dd3ec59f1d597

SHA1
d7672b6a0986cba2a26a9a2b3b0b7236fb44fca7

SHA256
4cd578ed6bff0d21257c5af52527c50cd67e71171dbe83ce760e09c81b68924b

SHA512
2368ca7d40466819fafdbbf0c6ebf69a945ac3dffc0575ecd1af43ee75fd80c2c1308920aac306059b157d2e3a31c6f91a8464098cf968fb8437cc2577239ba7

Download Submit
C:\Program Files (x86)\Voluptas\officia\sqlite3.dll

Filesize
343KB

MD5
c4fc14059867ff1db19ec1a55b691dc0

SHA1
bf29f851942ba3c03fdf9a3e3fd9d1a94ed66281

SHA256
c1de9c0eb1a834e6d607afd8534056c6fbc20c4fa0a53e62d5478385a0412e6f

SHA512
0306eea0e6dcda06d9a4ca3f774c2ce734196c5632d79891a022365584ec9bf62120123a8e024e7abb921c7a57ddaa8fbde1af0714da40b542617aa8fbe1bc76

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ACVIK.tmp\50ef93e4ccf69fcf279de3fcb8075f80.tmp

Filesize
2KB

MD5
711836f9151fe51ed49324df3c1ca111

SHA1
c0a11291251aec53cb4477b644737ce411bf9b9e

SHA256
fc21a23d2c636ff7634d6e7d45f8cbfbf09b11af9224c03e208f0912b008ef3c

SHA512
b55bd7aec8fddb07c879b3affd19979fcc2840b2589d1ee4cd0a17f1f057aec15a291a7bedc90840642610f6cd89f35646c3dbd5bb4cd46495e38441a03ace9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ACVIK.tmp\50ef93e4ccf69fcf279de3fcb8075f80.tmp

Filesize
29KB

MD5
6b12164cf3bf52ec5eebd05f8b6736a2

SHA1
1e5560ea857877a9e3a774b36713f25fe2e240f2

SHA256
5e0aece0e65a07b97bcc1796dc00c68171f5707813c164c8d68288eff1a54098

SHA512
f88d3644b66081390b6af44b0643b199dafc25e2e677fd531cd6462f996f31f41f5cdbf71974e6295b4766dec2580f16c12be039409d9f396885a277be5fe6d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UBLVL.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/1460-56-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1460-1-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3360-57-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/3360-6-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/3360-64-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/4412-54-0x0000000000400000-0x00000000014AF000-memory.dmp

Filesize
16.7MB

Download
memory/4412-55-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/4412-53-0x0000000000400000-0x00000000014AF000-memory.dmp

Filesize
16.7MB

Download
memory/4412-59-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/4412-58-0x0000000000400000-0x00000000014AF000-memory.dmp

Filesize
16.7MB

Download

Analysis

Sharing