ab18797d77f02f87e7017796af32cd2c832cd1db27da5896b06de18126119bf8

General

Target

8c74c5f053b92bc70f3da000f5e6ba95.exe
Size

4.5MB
MD5

8c74c5f053b92bc70f3da000f5e6ba95
SHA1

a49bc079df1594248da21b30d0a7e5a5f2700601
SHA256

ab18797d77f02f87e7017796af32cd2c832cd1db27da5896b06de18126119bf8
SHA512

e0a55d3a30af24acf17a4c5fc04ec5c1c0e1f04e39ca53310209a1cca9c1dfdd12ec79d53a3d306b2732f69d711f00c05a7ef05bd2418e99cafc3598eb62c0c2
SSDEEP

98304:PX4E93HiQ9DMhaTs2bQBhB1ES2NJwb7aIkfRT81Qbcyazx14:vn3HH9D42wB+zIk58ibcya0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4252	8c74c5f053b92bc70f3da000f5e6ba95.tmp
632	Eum.exe

Loads dropped DLL 1 IoCs

pid	Process
4252	8c74c5f053b92bc70f3da000f5e6ba95.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Expedita\unins000.dat	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File created	C:\Program Files (x86)\Expedita\is-7P82P.tmp	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File created	C:\Program Files (x86)\Expedita\is-P53SK.tmp	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File created	C:\Program Files (x86)\Expedita\omnis\is-1FUP6.tmp	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File created	C:\Program Files (x86)\Expedita\omnis\is-GSUV3.tmp	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File created	C:\Program Files (x86)\Expedita\omnis\is-3JV46.tmp	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File created	C:\Program Files (x86)\Expedita\omnis\is-B0424.tmp	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File opened for modification	C:\Program Files (x86)\Expedita\sqlite3.dll	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File created	C:\Program Files (x86)\Expedita\is-90DG4.tmp	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File created	C:\Program Files (x86)\Expedita\is-OJIBK.tmp	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File created	C:\Program Files (x86)\Expedita\is-FKA99.tmp	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File created	C:\Program Files (x86)\Expedita\is-G2P12.tmp	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File created	C:\Program Files (x86)\Expedita\omnis\is-4DT7I.tmp	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File created	C:\Program Files (x86)\Expedita\omnis\is-S6TEF.tmp	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File created	C:\Program Files (x86)\Expedita\omnis\is-9N658.tmp	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File created	C:\Program Files (x86)\Expedita\omnis\is-27S61.tmp	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File created	C:\Program Files (x86)\Expedita\omnis\is-0SMIT.tmp	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File opened for modification	C:\Program Files (x86)\Expedita\unins000.dat	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File opened for modification	C:\Program Files (x86)\Expedita\Eum.exe	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File created	C:\Program Files (x86)\Expedita\omnis\is-P1F0N.tmp	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File created	C:\Program Files (x86)\Expedita\omnis\is-50DMO.tmp	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File created	C:\Program Files (x86)\Expedita\omnis\is-P7D7K.tmp	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File created	C:\Program Files (x86)\Expedita\omnis\is-17M0H.tmp	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File created	C:\Program Files (x86)\Expedita\omnis\is-K98BT.tmp	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File created	C:\Program Files (x86)\Expedita\omnis\is-B0843.tmp	8c74c5f053b92bc70f3da000f5e6ba95.tmp
File created	C:\Program Files (x86)\Expedita\is-7NK86.tmp	8c74c5f053b92bc70f3da000f5e6ba95.tmp

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4252	8c74c5f053b92bc70f3da000f5e6ba95.tmp
4252	8c74c5f053b92bc70f3da000f5e6ba95.tmp
632	Eum.exe
632	Eum.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4252	8c74c5f053b92bc70f3da000f5e6ba95.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 4252	2632	8c74c5f053b92bc70f3da000f5e6ba95.exe	84
PID 2632 wrote to memory of 4252	2632	8c74c5f053b92bc70f3da000f5e6ba95.exe	84
PID 2632 wrote to memory of 4252	2632	8c74c5f053b92bc70f3da000f5e6ba95.exe	84
PID 4252 wrote to memory of 632	4252	8c74c5f053b92bc70f3da000f5e6ba95.tmp	85
PID 4252 wrote to memory of 632	4252	8c74c5f053b92bc70f3da000f5e6ba95.tmp	85
PID 4252 wrote to memory of 632	4252	8c74c5f053b92bc70f3da000f5e6ba95.tmp	85

C:\Users\Admin\AppData\Local\Temp\8c74c5f053b92bc70f3da000f5e6ba95.exe
"C:\Users\Admin\AppData\Local\Temp\8c74c5f053b92bc70f3da000f5e6ba95.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Local\Temp\is-NPKSI.tmp\8c74c5f053b92bc70f3da000f5e6ba95.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NPKSI.tmp\8c74c5f053b92bc70f3da000f5e6ba95.tmp" /SL5="$A01FC,4027613,721408,C:\Users\Admin\AppData\Local\Temp\8c74c5f053b92bc70f3da000f5e6ba95.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Program Files (x86)\Expedita\Eum.exe
    "C:\Program Files (x86)\Expedita/\Eum.exe" 796ca44b01b45c63c645b99bb2237d4d
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Expedita\Eum.exe

Filesize
4.4MB

MD5
a8fabf6941ba9ceeb23729b44a274a7b

SHA1
19d2a3df32070da69e41f6b6361701d6b82d31b3

SHA256
9f4c618a00ea85c4e8c71454dcff69702129b496ad7ad28c0ce8deb8da1c1457

SHA512
92826473bfc3fe83daf72657f21874d9f5828c1f65b0a28d32d339fa2f0d0d0306a2fd58787cc0c086b032022e11d3eb6918bfc9679ad0b4bea39ca46445557a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-85JS3.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NPKSI.tmp\8c74c5f053b92bc70f3da000f5e6ba95.tmp

Filesize
2.4MB

MD5
3fddfbaa9d029821152e746edbabf7ce

SHA1
703690b3a2377047f6755e9b5274d608791b8062

SHA256
787cef456bd60075199c04ac38dd5e65291bd3a930b132538889e4dafb76fa1a

SHA512
fd50e763c6523022f1be02a6a690d2a2dec4e9a73c941314b4a810bbd7605d4058c5c49c53dcbdd8fde5e6c4d2c78fcec52b5bca087cbf552bc1ce90819c4903

Download Submit
memory/632-59-0x0000000000400000-0x0000000001672000-memory.dmp

Filesize
18.4MB

Download
memory/632-58-0x0000000000400000-0x0000000001672000-memory.dmp

Filesize
18.4MB

Download
memory/632-60-0x0000000004240000-0x0000000004241000-memory.dmp

Filesize
4KB

Download
memory/632-63-0x0000000000400000-0x0000000001672000-memory.dmp

Filesize
18.4MB

Download
memory/632-68-0x0000000000400000-0x0000000001672000-memory.dmp

Filesize
18.4MB

Download
memory/2632-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2632-61-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4252-5-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/4252-62-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/4252-66-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing