5afa3995ab10db02e4ae53eace0287b98302111a76fd5dd2184f3e96ce047ef9

General

Target

74f3b871d85aaa247e93290b2bbbe7e0.exe
Size

4.7MB
MD5

74f3b871d85aaa247e93290b2bbbe7e0
SHA1

4532523ce208a7b61f2707ef9020f27aabdd1d10
SHA256

5afa3995ab10db02e4ae53eace0287b98302111a76fd5dd2184f3e96ce047ef9
SHA512

42033f59c9baa72994e2b8fbd082dd693a1d546d52e09ec3b65f017c88f840772b40ee8e70222efed4c5f85f95d8e3926a06dafe9612e4325ba86b7970f2c843
SSDEEP

98304:PX4UgeItnJ43UEQdF9YHWYt33w234Ey8tmxiRGuc+yazx14:vOeItnEbQdFsWYC234EDtmYRL/ya0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

74f3b871d85aaa247e93290b2bbbe7e0.tmpPariatur.exe

pid process

2052 74f3b871d85aaa247e93290b2bbbe7e0.tmp
2264 Pariatur.exe
Loads dropped DLL 3 IoCs

Processes:

74f3b871d85aaa247e93290b2bbbe7e0.exe74f3b871d85aaa247e93290b2bbbe7e0.tmp

pid process

1488 74f3b871d85aaa247e93290b2bbbe7e0.exe
2052 74f3b871d85aaa247e93290b2bbbe7e0.tmp
2052 74f3b871d85aaa247e93290b2bbbe7e0.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2052	74f3b871d85aaa247e93290b2bbbe7e0.tmp
2264	Pariatur.exe

pid	process
1488	74f3b871d85aaa247e93290b2bbbe7e0.exe
2052	74f3b871d85aaa247e93290b2bbbe7e0.tmp
2052	74f3b871d85aaa247e93290b2bbbe7e0.tmp

Drops file in Program Files directory 22 IoCs

Processes:

74f3b871d85aaa247e93290b2bbbe7e0.tmp

description	ioc	process
File created	C:\Program Files (x86)\Aut\is-UCQTL.tmp	74f3b871d85aaa247e93290b2bbbe7e0.tmp
File created	C:\Program Files (x86)\Aut\eum\is-7HAQU.tmp	74f3b871d85aaa247e93290b2bbbe7e0.tmp
File created	C:\Program Files (x86)\Aut\eum\is-HG4KE.tmp	74f3b871d85aaa247e93290b2bbbe7e0.tmp
File created	C:\Program Files (x86)\Aut\eum\is-T9BG2.tmp	74f3b871d85aaa247e93290b2bbbe7e0.tmp
File created	C:\Program Files (x86)\Aut\eum\is-ESJ89.tmp	74f3b871d85aaa247e93290b2bbbe7e0.tmp
File created	C:\Program Files (x86)\Aut\is-7MVPJ.tmp	74f3b871d85aaa247e93290b2bbbe7e0.tmp
File opened for modification	C:\Program Files (x86)\Aut\Pariatur.exe	74f3b871d85aaa247e93290b2bbbe7e0.tmp
File created	C:\Program Files (x86)\Aut\unins000.dat	74f3b871d85aaa247e93290b2bbbe7e0.tmp
File created	C:\Program Files (x86)\Aut\is-TSJ08.tmp	74f3b871d85aaa247e93290b2bbbe7e0.tmp
File created	C:\Program Files (x86)\Aut\eum\is-1C9OE.tmp	74f3b871d85aaa247e93290b2bbbe7e0.tmp
File created	C:\Program Files (x86)\Aut\eum\is-BC59K.tmp	74f3b871d85aaa247e93290b2bbbe7e0.tmp
File created	C:\Program Files (x86)\Aut\voluptate\is-NBALJ.tmp	74f3b871d85aaa247e93290b2bbbe7e0.tmp
File opened for modification	C:\Program Files (x86)\Aut\sqlite3.dll	74f3b871d85aaa247e93290b2bbbe7e0.tmp
File created	C:\Program Files (x86)\Aut\is-626B1.tmp	74f3b871d85aaa247e93290b2bbbe7e0.tmp
File created	C:\Program Files (x86)\Aut\is-F9EVT.tmp	74f3b871d85aaa247e93290b2bbbe7e0.tmp
File created	C:\Program Files (x86)\Aut\eum\is-JJER2.tmp	74f3b871d85aaa247e93290b2bbbe7e0.tmp
File created	C:\Program Files (x86)\Aut\eum\is-1G7GM.tmp	74f3b871d85aaa247e93290b2bbbe7e0.tmp
File created	C:\Program Files (x86)\Aut\voluptate\is-OFDNN.tmp	74f3b871d85aaa247e93290b2bbbe7e0.tmp
File created	C:\Program Files (x86)\Aut\voluptate\is-RENF7.tmp	74f3b871d85aaa247e93290b2bbbe7e0.tmp
File created	C:\Program Files (x86)\Aut\voluptate\is-53C4G.tmp	74f3b871d85aaa247e93290b2bbbe7e0.tmp
File opened for modification	C:\Program Files (x86)\Aut\unins000.dat	74f3b871d85aaa247e93290b2bbbe7e0.tmp
File created	C:\Program Files (x86)\Aut\is-83QH5.tmp	74f3b871d85aaa247e93290b2bbbe7e0.tmp

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

74f3b871d85aaa247e93290b2bbbe7e0.tmpPariatur.exe

pid process

2052 74f3b871d85aaa247e93290b2bbbe7e0.tmp
2052 74f3b871d85aaa247e93290b2bbbe7e0.tmp
2264 Pariatur.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

74f3b871d85aaa247e93290b2bbbe7e0.tmp

pid process

2052 74f3b871d85aaa247e93290b2bbbe7e0.tmp

pid	process
2052	74f3b871d85aaa247e93290b2bbbe7e0.tmp
2052	74f3b871d85aaa247e93290b2bbbe7e0.tmp
2264	Pariatur.exe

pid	process
2052	74f3b871d85aaa247e93290b2bbbe7e0.tmp

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

74f3b871d85aaa247e93290b2bbbe7e0.exe74f3b871d85aaa247e93290b2bbbe7e0.tmp

description	pid	process	target process
PID 1488 wrote to memory of 2052	1488	74f3b871d85aaa247e93290b2bbbe7e0.exe	74f3b871d85aaa247e93290b2bbbe7e0.tmp
PID 1488 wrote to memory of 2052	1488	74f3b871d85aaa247e93290b2bbbe7e0.exe	74f3b871d85aaa247e93290b2bbbe7e0.tmp
PID 1488 wrote to memory of 2052	1488	74f3b871d85aaa247e93290b2bbbe7e0.exe	74f3b871d85aaa247e93290b2bbbe7e0.tmp
PID 1488 wrote to memory of 2052	1488	74f3b871d85aaa247e93290b2bbbe7e0.exe	74f3b871d85aaa247e93290b2bbbe7e0.tmp
PID 1488 wrote to memory of 2052	1488	74f3b871d85aaa247e93290b2bbbe7e0.exe	74f3b871d85aaa247e93290b2bbbe7e0.tmp
PID 1488 wrote to memory of 2052	1488	74f3b871d85aaa247e93290b2bbbe7e0.exe	74f3b871d85aaa247e93290b2bbbe7e0.tmp
PID 1488 wrote to memory of 2052	1488	74f3b871d85aaa247e93290b2bbbe7e0.exe	74f3b871d85aaa247e93290b2bbbe7e0.tmp
PID 2052 wrote to memory of 2264	2052	74f3b871d85aaa247e93290b2bbbe7e0.tmp	Pariatur.exe
PID 2052 wrote to memory of 2264	2052	74f3b871d85aaa247e93290b2bbbe7e0.tmp	Pariatur.exe
PID 2052 wrote to memory of 2264	2052	74f3b871d85aaa247e93290b2bbbe7e0.tmp	Pariatur.exe
PID 2052 wrote to memory of 2264	2052	74f3b871d85aaa247e93290b2bbbe7e0.tmp	Pariatur.exe

C:\Users\Admin\AppData\Local\Temp\74f3b871d85aaa247e93290b2bbbe7e0.exe
"C:\Users\Admin\AppData\Local\Temp\74f3b871d85aaa247e93290b2bbbe7e0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\AppData\Local\Temp\is-38A5E.tmp\74f3b871d85aaa247e93290b2bbbe7e0.tmp
"C:\Users\Admin\AppData\Local\Temp\is-38A5E.tmp\74f3b871d85aaa247e93290b2bbbe7e0.tmp" /SL5="$70120,4273426,721408,C:\Users\Admin\AppData\Local\Temp\74f3b871d85aaa247e93290b2bbbe7e0.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2052

C:\Program Files (x86)\Aut\Pariatur.exe
"C:\Program Files (x86)\Aut/\Pariatur.exe" 3cdc3fe5f039df159d471f9bdb28e914
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Aut\Pariatur.exe
Filesize
547KB

MD5
737b68cb64cfc29de1098febabc3cff9

SHA1
1b19a526772f141c511a6e5578afede81ea17eaf

SHA256
b568a5b98a3ae153c6ffcfe20d227ac6fedbeb0ebec082469ed0d275551df849

SHA512
ca97eae0ae0587c61ed32c2825c809dd566acc165027ccd25ad5ffc7e3f294cb74548620af022d778ce0a77358bdf3c0c9a19c107c268754cd5ac36682e03be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-38A5E.tmp\74f3b871d85aaa247e93290b2bbbe7e0.tmp
Filesize
531KB

MD5
d9898e92de69ca33334174b4070974ce

SHA1
3374be9e332bce8aae4a16b8c1773bf9c259421a

SHA256
bde8d693b30588c413dce0ac628244a3a6423bacef6a530b98dcf34cdccf08b6

SHA512
5254c792730a35a6eed29bfee31a579ff3a47e706ad38100704882cb840ce4021b1c417ef799360c4197aa3a811be6ea62ca5047f35d09b114f957c3a47273c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-38A5E.tmp\74f3b871d85aaa247e93290b2bbbe7e0.tmp
Filesize
443KB

MD5
9dd57f5c41d8e1a88eebcb8401804db4

SHA1
601fb98b5c57bedc2ae690b148b470c5d0cd8a4e

SHA256
caf37942bff2c13013fbf93bf431426dc372cd0aa5330ae108aaf5720b619a94

SHA512
9911d049f261208b324a29795297b3655a642a571375550a814e0bb591d018652f9079623b6d1db49d2b622f13a5ee5db429df6b9fd158d8f19d0432b7837deb

Download Submit
\Program Files (x86)\Aut\Pariatur.exe
Filesize
384KB

MD5
4e3fcc9fbe4d0f0de5c7408ce0bb4f66

SHA1
8f1e25971a9ceac5a48c6f98d05e14efe62479a0

SHA256
2c86341eb0832eb6bfbbaa61660f7bf4fb226e25cc803b1a08b7435b52c4242d

SHA512
7179d7e95ea804355e112e202f6cfc81c64ea33a290d208127925b9f0ed155138ecbd01cdf40f0e5b5383613383201b4891d617e043eeca05015e16d6ba3e4d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-38A5E.tmp\74f3b871d85aaa247e93290b2bbbe7e0.tmp
Filesize
861KB

MD5
82d20977acf26ca0718d1c47685b3ee6

SHA1
acd0b294467094ba3eefaee82c4e6654edb34bb7

SHA256
e9e605c7ea919325cf986e58ea1df1c251cc8e9c7557b089a7a4e42adcfc8c4a

SHA512
8fd6919d3854afa919e16da51d531137b9ebca2f419a589daa7705435ecf873841cd235c4af2a5f4c5d5bd489ea8f93de594559a61576c7c0b71fec7852c223a

Download Submit
\Users\Admin\AppData\Local\Temp\is-K1U1Q.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/1488-58-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1488-1-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2052-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2052-59-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/2052-63-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2264-55-0x0000000000400000-0x0000000001617000-memory.dmp

Filesize
18.1MB

Download
memory/2264-56-0x0000000000400000-0x0000000001617000-memory.dmp

Filesize
18.1MB

Download
memory/2264-57-0x0000000003ED0000-0x0000000003ED1000-memory.dmp

Filesize
4KB

Download
memory/2264-60-0x0000000000400000-0x0000000001617000-memory.dmp

Filesize
18.1MB

Download
memory/2264-64-0x0000000000400000-0x0000000001617000-memory.dmp

Filesize
18.1MB

Download
memory/2264-100-0x0000000000400000-0x0000000001617000-memory.dmp

Filesize
18.1MB

Download

Analysis

Sharing