504c149e8c6eec8df5921e3985f4c39905c672e99934ed647297a36a46738689

General

Target

743c4293924966145a15247019678041.exe
Size

4.8MB
MD5

743c4293924966145a15247019678041
SHA1

ab5cd9f4c3818b44ec13c3003ab024365b439d7d
SHA256

504c149e8c6eec8df5921e3985f4c39905c672e99934ed647297a36a46738689
SHA512

97159de873a712b016cbb40b97c27168edc40c9ae899afdf207ebd595fa219703818837e2e0d8627dc1164b37312d87b396f15774860e87d6542369c6dde4f37
SSDEEP

98304:PX4uRbJiH9PqGVGOobrS+S8Qu+4warOauQ4KS/f41WvdYvzyUyazx14:vXRWPqGVYi8QuRORKS/hvdYyUya0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2880	743c4293924966145a15247019678041.tmp
2700	Minima.exe

Loads dropped DLL 3 IoCs

pid	Process
2816	743c4293924966145a15247019678041.exe
2880	743c4293924966145a15247019678041.tmp
2880	743c4293924966145a15247019678041.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Corrupti\rerum\is-MGMB3.tmp	743c4293924966145a15247019678041.tmp
File created	C:\Program Files (x86)\Corrupti\rerum\is-QAQQ7.tmp	743c4293924966145a15247019678041.tmp
File created	C:\Program Files (x86)\Corrupti\aut\is-VUK37.tmp	743c4293924966145a15247019678041.tmp
File created	C:\Program Files (x86)\Corrupti\rerum\is-G21LG.tmp	743c4293924966145a15247019678041.tmp
File created	C:\Program Files (x86)\Corrupti\rerum\is-3VUL1.tmp	743c4293924966145a15247019678041.tmp
File opened for modification	C:\Program Files (x86)\Corrupti\rerum\sqlite3.dll	743c4293924966145a15247019678041.tmp
File created	C:\Program Files (x86)\Corrupti\aut\is-LHQ6A.tmp	743c4293924966145a15247019678041.tmp
File created	C:\Program Files (x86)\Corrupti\is-M1G50.tmp	743c4293924966145a15247019678041.tmp
File created	C:\Program Files (x86)\Corrupti\aut\is-364CV.tmp	743c4293924966145a15247019678041.tmp
File created	C:\Program Files (x86)\Corrupti\aut\is-1BSCV.tmp	743c4293924966145a15247019678041.tmp
File created	C:\Program Files (x86)\Corrupti\rerum\is-04D6K.tmp	743c4293924966145a15247019678041.tmp
File created	C:\Program Files (x86)\Corrupti\rerum\is-12OBD.tmp	743c4293924966145a15247019678041.tmp
File opened for modification	C:\Program Files (x86)\Corrupti\unins000.dat	743c4293924966145a15247019678041.tmp
File opened for modification	C:\Program Files (x86)\Corrupti\rerum\Minima.exe	743c4293924966145a15247019678041.tmp
File created	C:\Program Files (x86)\Corrupti\unins000.dat	743c4293924966145a15247019678041.tmp
File created	C:\Program Files (x86)\Corrupti\is-H5GC2.tmp	743c4293924966145a15247019678041.tmp
File created	C:\Program Files (x86)\Corrupti\is-JIEPT.tmp	743c4293924966145a15247019678041.tmp
File created	C:\Program Files (x86)\Corrupti\is-DRBQN.tmp	743c4293924966145a15247019678041.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2880	743c4293924966145a15247019678041.tmp
2880	743c4293924966145a15247019678041.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2880	743c4293924966145a15247019678041.tmp

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2880	2816	743c4293924966145a15247019678041.exe	28
PID 2816 wrote to memory of 2880	2816	743c4293924966145a15247019678041.exe	28
PID 2816 wrote to memory of 2880	2816	743c4293924966145a15247019678041.exe	28
PID 2816 wrote to memory of 2880	2816	743c4293924966145a15247019678041.exe	28
PID 2816 wrote to memory of 2880	2816	743c4293924966145a15247019678041.exe	28
PID 2816 wrote to memory of 2880	2816	743c4293924966145a15247019678041.exe	28
PID 2816 wrote to memory of 2880	2816	743c4293924966145a15247019678041.exe	28
PID 2880 wrote to memory of 2700	2880	743c4293924966145a15247019678041.tmp	29
PID 2880 wrote to memory of 2700	2880	743c4293924966145a15247019678041.tmp	29
PID 2880 wrote to memory of 2700	2880	743c4293924966145a15247019678041.tmp	29
PID 2880 wrote to memory of 2700	2880	743c4293924966145a15247019678041.tmp	29

C:\Users\Admin\AppData\Local\Temp\743c4293924966145a15247019678041.exe
"C:\Users\Admin\AppData\Local\Temp\743c4293924966145a15247019678041.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\is-RIH5I.tmp\743c4293924966145a15247019678041.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RIH5I.tmp\743c4293924966145a15247019678041.tmp" /SL5="$5014C,4319728,721408,C:\Users\Admin\AppData\Local\Temp\743c4293924966145a15247019678041.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Program Files (x86)\Corrupti\rerum\Minima.exe
    "C:\Program Files (x86)\Corrupti/\rerum\Minima.exe" d33ea9aeaf55fd261c3afe4927f1bef5
    3⤵
    - Executes dropped EXE
    PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Corrupti\rerum\Minima.exe

Filesize
814KB

MD5
bb197619f4c7aebd7765ef5d57ad4ac3

SHA1
4773cd5f5ecda080d0721961ecf741dc31325eb2

SHA256
01ae883a7c1f8dd78160a462f0789753f21c7ae43576eecb20557cd84db3c3e5

SHA512
3f6a94459db9e983629ea12beaee35dbe699deb1157ba6ff76d96da2e31210ae36f51cffc9d5fe192106bd334612d46ff5bf177a9c40a71386c6f923a36e331f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RIH5I.tmp\743c4293924966145a15247019678041.tmp

Filesize
1.1MB

MD5
ced16afdf48987cf299cb41595d113ca

SHA1
2b2280b395a88e86a0cd30932bc5f1d1bcb3f634

SHA256
404d1fd670563565b7573eb098250725ee4a947b3f6379160c17be76e560cb2a

SHA512
ef4ffdf738ec481f3219503bb4dcdbf74cba0c75ea17c94a68824fadc337aae345ffa0457e3251202ad95066ef058a7107ee6c3828d2cfea01295e76f3ff85e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RIH5I.tmp\743c4293924966145a15247019678041.tmp

Filesize
657KB

MD5
e19a185d9c3dc7324f67850246d05698

SHA1
fda6405ea3e47b667d2d8445a33a90e6a98bc219

SHA256
5b20dafb22f47426171fcc9d3b27350e445a43210f57853c68b23f792c0f697e

SHA512
828fa26be852f4195347c212f57ebdfb0d9faee4a6e7ce4c1de008704a3f2ccf4a5e319b3ce46193c0cef6e61228311858e98575a88bf3c256a109f9a5176e94

Download Submit
\Program Files (x86)\Corrupti\rerum\Minima.exe

Filesize
641KB

MD5
f4d2240110f85849ba7859063ed92370

SHA1
42ba77cf3f3c0dd92e3f4acc9403a2461119d2f3

SHA256
aac602ae0c570c64eee99ce5ca68bed4ea228d42f6a7056d0a2fc84e9155bc64

SHA512
6ba63a11625e743d21df15702d5c081864d5e398e0396388e23006df61ac03a826a9f09bd247be6d92b76958d6dbd64f02034f479f116895b4de8a81252a9a06

Download Submit
\Users\Admin\AppData\Local\Temp\is-AK85P.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-RIH5I.tmp\743c4293924966145a15247019678041.tmp

Filesize
712KB

MD5
a959fa6637cdc35618d90108fa1f7e99

SHA1
752034726205c2f96f5ae0016e7df2076f01f12b

SHA256
c50f7c8f5c4cb2549622c9777038072b5b2ffe0d3b7ff460287de658ec746944

SHA512
a410e063f5420454f6d053a6d154a139d7591985417e3298ef1dbbff66910089d2eea38162b8994db9ff13be5049e2b8ced5f2a9d12a4a986228124d01435f05

Download Submit
memory/2700-47-0x0000000000400000-0x00000000016AC000-memory.dmp

Filesize
18.7MB

Download
memory/2700-49-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2700-48-0x0000000000400000-0x00000000016AC000-memory.dmp

Filesize
18.7MB

Download
memory/2700-52-0x0000000000400000-0x00000000016AC000-memory.dmp

Filesize
18.7MB

Download
memory/2700-62-0x0000000000400000-0x00000000016AC000-memory.dmp

Filesize
18.7MB

Download
memory/2816-1-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2816-50-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2880-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2880-51-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/2880-56-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing