cadb50a04d252b13b2bfd535030fe479bcd15d831304641fe03cb0b960d335cb

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27/01/2024, 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b78ca5ff4569c26b77ef487e533b921.exe
Size

4.8MB
MD5

7b78ca5ff4569c26b77ef487e533b921
SHA1

f54a783d42e6dae12976b2533b12680214932dce
SHA256

cadb50a04d252b13b2bfd535030fe479bcd15d831304641fe03cb0b960d335cb
SHA512

748d30f97a8eb016d7f4ec715d945b778c843cee49721b2fe511e4a9994afe6c5427ddd6d38de94393a30f2fa98312d81fc423c86775a6bf57be8baf78408fa1
SSDEEP

98304:PX4/v4RlDNhrRrrGopaLpZlbaCEJw159niUn/lPiexaWgaMbbyazx14:v/lDNVBrGoMJVsw15ZiUnYeQWIbya0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2324	7b78ca5ff4569c26b77ef487e533b921.tmp
2868	Amet.exe

Loads dropped DLL 10 IoCs

pid	Process
2000	7b78ca5ff4569c26b77ef487e533b921.exe
2324	7b78ca5ff4569c26b77ef487e533b921.tmp
2324	7b78ca5ff4569c26b77ef487e533b921.tmp
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reiciendis\is-6UCFB.tmp	7b78ca5ff4569c26b77ef487e533b921.tmp
File created	C:\Program Files (x86)\Reiciendis\is-JH8CJ.tmp	7b78ca5ff4569c26b77ef487e533b921.tmp
File created	C:\Program Files (x86)\Reiciendis\is-0L073.tmp	7b78ca5ff4569c26b77ef487e533b921.tmp
File created	C:\Program Files (x86)\Reiciendis\ullam\is-ADKE9.tmp	7b78ca5ff4569c26b77ef487e533b921.tmp
File created	C:\Program Files (x86)\Reiciendis\ullam\is-F1PS5.tmp	7b78ca5ff4569c26b77ef487e533b921.tmp
File created	C:\Program Files (x86)\Reiciendis\ullam\is-VC8K4.tmp	7b78ca5ff4569c26b77ef487e533b921.tmp
File opened for modification	C:\Program Files (x86)\Reiciendis\ullam\Amet.exe	7b78ca5ff4569c26b77ef487e533b921.tmp
File created	C:\Program Files (x86)\Reiciendis\unins000.dat	7b78ca5ff4569c26b77ef487e533b921.tmp
File created	C:\Program Files (x86)\Reiciendis\voluptatum\is-PGJ3J.tmp	7b78ca5ff4569c26b77ef487e533b921.tmp
File created	C:\Program Files (x86)\Reiciendis\is-KVQ8H.tmp	7b78ca5ff4569c26b77ef487e533b921.tmp
File created	C:\Program Files (x86)\Reiciendis\ullam\is-1ISKR.tmp	7b78ca5ff4569c26b77ef487e533b921.tmp
File created	C:\Program Files (x86)\Reiciendis\ullam\is-RP4AP.tmp	7b78ca5ff4569c26b77ef487e533b921.tmp
File opened for modification	C:\Program Files (x86)\Reiciendis\unins000.dat	7b78ca5ff4569c26b77ef487e533b921.tmp
File opened for modification	C:\Program Files (x86)\Reiciendis\ullam\sqlite3.dll	7b78ca5ff4569c26b77ef487e533b921.tmp
File created	C:\Program Files (x86)\Reiciendis\is-C6FU1.tmp	7b78ca5ff4569c26b77ef487e533b921.tmp
File created	C:\Program Files (x86)\Reiciendis\ullam\is-RML6S.tmp	7b78ca5ff4569c26b77ef487e533b921.tmp
File created	C:\Program Files (x86)\Reiciendis\ullam\is-9O4T3.tmp	7b78ca5ff4569c26b77ef487e533b921.tmp
File created	C:\Program Files (x86)\Reiciendis\ullam\is-GRPQ0.tmp	7b78ca5ff4569c26b77ef487e533b921.tmp
File created	C:\Program Files (x86)\Reiciendis\ullam\is-7S5IH.tmp	7b78ca5ff4569c26b77ef487e533b921.tmp
File created	C:\Program Files (x86)\Reiciendis\ullam\is-PCM42.tmp	7b78ca5ff4569c26b77ef487e533b921.tmp
File created	C:\Program Files (x86)\Reiciendis\is-RF9KV.tmp	7b78ca5ff4569c26b77ef487e533b921.tmp
File created	C:\Program Files (x86)\Reiciendis\ullam\is-5HD7S.tmp	7b78ca5ff4569c26b77ef487e533b921.tmp

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2536	2868	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2324	7b78ca5ff4569c26b77ef487e533b921.tmp
2324	7b78ca5ff4569c26b77ef487e533b921.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2324	7b78ca5ff4569c26b77ef487e533b921.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2324	2000	7b78ca5ff4569c26b77ef487e533b921.exe	28
PID 2000 wrote to memory of 2324	2000	7b78ca5ff4569c26b77ef487e533b921.exe	28
PID 2000 wrote to memory of 2324	2000	7b78ca5ff4569c26b77ef487e533b921.exe	28
PID 2000 wrote to memory of 2324	2000	7b78ca5ff4569c26b77ef487e533b921.exe	28
PID 2000 wrote to memory of 2324	2000	7b78ca5ff4569c26b77ef487e533b921.exe	28
PID 2000 wrote to memory of 2324	2000	7b78ca5ff4569c26b77ef487e533b921.exe	28
PID 2000 wrote to memory of 2324	2000	7b78ca5ff4569c26b77ef487e533b921.exe	28
PID 2324 wrote to memory of 2868	2324	7b78ca5ff4569c26b77ef487e533b921.tmp	29
PID 2324 wrote to memory of 2868	2324	7b78ca5ff4569c26b77ef487e533b921.tmp	29
PID 2324 wrote to memory of 2868	2324	7b78ca5ff4569c26b77ef487e533b921.tmp	29
PID 2324 wrote to memory of 2868	2324	7b78ca5ff4569c26b77ef487e533b921.tmp	29
PID 2868 wrote to memory of 2536	2868	Amet.exe	30
PID 2868 wrote to memory of 2536	2868	Amet.exe	30
PID 2868 wrote to memory of 2536	2868	Amet.exe	30
PID 2868 wrote to memory of 2536	2868	Amet.exe	30

C:\Users\Admin\AppData\Local\Temp\7b78ca5ff4569c26b77ef487e533b921.exe
"C:\Users\Admin\AppData\Local\Temp\7b78ca5ff4569c26b77ef487e533b921.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\is-0BEL5.tmp\7b78ca5ff4569c26b77ef487e533b921.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0BEL5.tmp\7b78ca5ff4569c26b77ef487e533b921.tmp" /SL5="$60026,4323671,721408,C:\Users\Admin\AppData\Local\Temp\7b78ca5ff4569c26b77ef487e533b921.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Program Files (x86)\Reiciendis\ullam\Amet.exe
    "C:\Program Files (x86)\Reiciendis/\ullam\Amet.exe" 44d495b75069228c7b7a6370fb372ae5
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 244
      4⤵
      Loads dropped DLL
      Program crash
      PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reiciendis\ullam\Amet.exe

Filesize
4.0MB

MD5
c7a01f2f3a7ff21532ce1997ae50832f

SHA1
d6e1d1d080f5b1633df25bedaf5d055f13a26615

SHA256
6890adc13461285118ba9247d84216b4ab5d3cbc3947e54edc7e6a72fb9e50c7

SHA512
23a592ed09b82cc919364c6bd81f1efb2a34de43cce352d3948cdcfe58c5f2d309f77229283c1c70073bd62af9380f07bd6aae0007995d6e413a568edf4a75e8

Download Submit
\Program Files (x86)\Reiciendis\ullam\Amet.exe

Filesize
3.9MB

MD5
f5788a11a683018804eacf0a045e0a27

SHA1
2a8f3ab74825f47e30bbe2b3be26e082f975add0

SHA256
285d25cdffe0928ccbddc678c431fea5f34d52dcdadff15e6f6b39456f134c0e

SHA512
380dc582f6c258e4315c103a22df502a4bc1a3ab62787327a31cb9dcfacdb8aec98e3c53ebe9c7587fe8a342cd32b607152e1f4a950a49e1b69ce3675dea347f

Download Submit
\Program Files (x86)\Reiciendis\ullam\Amet.exe

Filesize
3.6MB

MD5
88751675ffcef0c847ace5a55635811d

SHA1
2b39ee599b8a507950c60d9cbdde8af045993a8f

SHA256
64aa5213654f39d97e5a6b6ab34788de70d0bec40248ba64d454396d827d6b58

SHA512
8e92ebcc32399549b86b4ee7575c0e54c96a10d0c5f8f267d8a37f8d4437f06106bca3e887000cde32dc424feb802e5473d376d4d6383a47e06888a329ff9555

Download Submit
\Program Files (x86)\Reiciendis\ullam\Amet.exe

Filesize
3.0MB

MD5
06e2821a4e5759ce925b2206295533cc

SHA1
2e5478cb841ea5efe10f276857dce063201d33e4

SHA256
0d08677931a7d3005abb0909c1f13ffe87009c10e4bcce98a426ae7ae634b678

SHA512
5ee771ea96938f8c612d11ebb34a58c84de3066a52e80b5f2db40ab71844ae395d31108ca1a5b84cfdceb1a6dfe03ace21dcafeb330ccf26f68654ad9525b71a

Download Submit
\Program Files (x86)\Reiciendis\ullam\Amet.exe

Filesize
2.8MB

MD5
7277f7b3fd623a6a41fa35ca6fc5c483

SHA1
f704d27e79b73594fe75b8e016f5215b2c08b249

SHA256
3e04440e9b1a57c22abe94cfbce3b68c6e360c7ef69561c73906cd3ddb2ee186

SHA512
d4539e17b5d546479ed4478e87cd24314adbaa707a1c5e8c0f6cd01947582f70ec7e912ae088cf4d1651330fad57617e81f861463d3ab6c9d091a315807a7058

Download Submit
\Program Files (x86)\Reiciendis\ullam\Amet.exe

Filesize
2.7MB

MD5
86760b25475c8acf355e486fc89931a3

SHA1
fac3f4a048507a2f3d4acb554c525baa4254eff0

SHA256
dae67ba0b5c923d3fac0475cc6b7254dd2e65becdc642370675aad54ee4f2b49

SHA512
a2be020432d3d0dc7e7851e9e482e9bb81560828c936709f038d8c22c44651149dc7d3fe5ffd2f86dbd2d40f68acba46d5bc22b2617652c3587266bd4f91b0ce

Download Submit
\Program Files (x86)\Reiciendis\ullam\Amet.exe

Filesize
2.2MB

MD5
34ed300e08a91f57ff000229e8601ada

SHA1
aa757e7b9ac4485d09c800553d0e551795296b1d

SHA256
df3734bda07f765d02c236e2d04b072b70a2e04096328e0bbe787eae6246e78e

SHA512
d3a54611835665b9b426481cc7bec0a8b8da079ac5e49b4631bc14c6dc2ed5ce85a8f431b4b208ac3a2bdff644978e1c8b6ac3857964522776dd91f13f9cdedc

Download Submit
\Program Files (x86)\Reiciendis\ullam\Amet.exe

Filesize
1.9MB

MD5
75fd0a38bc9c88b35e5325eed6cf4787

SHA1
dc125853dcdddd857f82594294e2d3945268811b

SHA256
80fe7011d47952544758107d316d5b29db9fe76f66a0a9a8d7c11ae25d4d403e

SHA512
ef24a3d2812b4c2aa64b42d8e8089b9bbaa7ec00f2d0f2f0ccb4f92d4ce35ca1835338337dc077dd8a472f9c32e7cb5fd92f71124a90f80b416e79dc7a92df7b

Download Submit
\Program Files (x86)\Reiciendis\ullam\Amet.exe

Filesize
2.2MB

MD5
a1863d3084cb8a7d52705b776e0d7e88

SHA1
110c5fd0334dc4a3f86f70fc146c3423dfc76d7b

SHA256
4d0a08efb4bd6989dd060560d83108d5533b3f589de600da584c290d248a16e6

SHA512
08cf4af27749f7971ced86537bf633a6a90472878660b66b671172c98d04aa047499b11a6bf1f7548618c3340abd3936bf859d054426d1375812d15ce4b1f036

Download Submit
\Users\Admin\AppData\Local\Temp\is-0BEL5.tmp\7b78ca5ff4569c26b77ef487e533b921.tmp

Filesize
2.4MB

MD5
3fddfbaa9d029821152e746edbabf7ce

SHA1
703690b3a2377047f6755e9b5274d608791b8062

SHA256
787cef456bd60075199c04ac38dd5e65291bd3a930b132538889e4dafb76fa1a

SHA512
fd50e763c6523022f1be02a6a690d2a2dec4e9a73c941314b4a810bbd7605d4058c5c49c53dcbdd8fde5e6c4d2c78fcec52b5bca087cbf552bc1ce90819c4903

Download Submit
\Users\Admin\AppData\Local\Temp\is-74U8Q.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/2000-1-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2000-64-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2324-61-0x0000000003EA0000-0x00000000051CB000-memory.dmp

Filesize
19.2MB

Download
memory/2324-8-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2324-65-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/2324-70-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2324-71-0x0000000003EA0000-0x00000000051CB000-memory.dmp

Filesize
19.2MB

Download
memory/2868-62-0x0000000000400000-0x000000000172B000-memory.dmp

Filesize
19.2MB

Download