9896658ff247be3b1d23a0b1f6fad3b0a50a22a929ac82f78e0eccf246188b80

General

Target

8e7de45b002831cda6b754c34dabfb13.exe
Size

3.7MB
MD5

8e7de45b002831cda6b754c34dabfb13
SHA1

a02d47ce255579b62a795d6683ab739e2af43491
SHA256

9896658ff247be3b1d23a0b1f6fad3b0a50a22a929ac82f78e0eccf246188b80
SHA512

b6f58eb6457e3067cdb64578f362fc22b2183aca4accda34a6c85347204c33c134c09404d741cab04d87b2410808cbcb139e3921f36c9db099e63d811b6b8fdc
SSDEEP

98304:GX47XHcqMSX2bYxxbaLhgQKW8wWAgBCxaBhqyyazx1b:sCHLMScYvaFg5Cg8O5ya/

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4004	8e7de45b002831cda6b754c34dabfb13.tmp
4980	Ut.exe

Loads dropped DLL 1 IoCs

pid	Process
4004	8e7de45b002831cda6b754c34dabfb13.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Non\ut\sqlite3.dll	8e7de45b002831cda6b754c34dabfb13.tmp
File created	C:\Program Files (x86)\Non\ut\is-JC7PV.tmp	8e7de45b002831cda6b754c34dabfb13.tmp
File opened for modification	C:\Program Files (x86)\Non\unins000.dat	8e7de45b002831cda6b754c34dabfb13.tmp
File created	C:\Program Files (x86)\Non\is-INL6J.tmp	8e7de45b002831cda6b754c34dabfb13.tmp
File created	C:\Program Files (x86)\Non\is-DORBL.tmp	8e7de45b002831cda6b754c34dabfb13.tmp
File created	C:\Program Files (x86)\Non\ut\is-52AII.tmp	8e7de45b002831cda6b754c34dabfb13.tmp
File created	C:\Program Files (x86)\Non\velit\is-SK5ID.tmp	8e7de45b002831cda6b754c34dabfb13.tmp
File created	C:\Program Files (x86)\Non\ut\is-SHKQO.tmp	8e7de45b002831cda6b754c34dabfb13.tmp
File created	C:\Program Files (x86)\Non\is-THCFC.tmp	8e7de45b002831cda6b754c34dabfb13.tmp
File created	C:\Program Files (x86)\Non\is-150JP.tmp	8e7de45b002831cda6b754c34dabfb13.tmp
File created	C:\Program Files (x86)\Non\is-36IE1.tmp	8e7de45b002831cda6b754c34dabfb13.tmp
File created	C:\Program Files (x86)\Non\fugiat\is-B7VLI.tmp	8e7de45b002831cda6b754c34dabfb13.tmp
File created	C:\Program Files (x86)\Non\fugiat\is-8G3SC.tmp	8e7de45b002831cda6b754c34dabfb13.tmp
File created	C:\Program Files (x86)\Non\ut\is-6ENG7.tmp	8e7de45b002831cda6b754c34dabfb13.tmp
File created	C:\Program Files (x86)\Non\velit\is-KVF1L.tmp	8e7de45b002831cda6b754c34dabfb13.tmp
File created	C:\Program Files (x86)\Non\fugiat\is-97DNK.tmp	8e7de45b002831cda6b754c34dabfb13.tmp
File created	C:\Program Files (x86)\Non\fugiat\is-T5PHG.tmp	8e7de45b002831cda6b754c34dabfb13.tmp
File created	C:\Program Files (x86)\Non\ut\is-FE2OQ.tmp	8e7de45b002831cda6b754c34dabfb13.tmp
File created	C:\Program Files (x86)\Non\ut\is-1FHUJ.tmp	8e7de45b002831cda6b754c34dabfb13.tmp
File created	C:\Program Files (x86)\Non\ut\is-8NKQA.tmp	8e7de45b002831cda6b754c34dabfb13.tmp
File created	C:\Program Files (x86)\Non\ut\is-S0K25.tmp	8e7de45b002831cda6b754c34dabfb13.tmp
File created	C:\Program Files (x86)\Non\unins000.dat	8e7de45b002831cda6b754c34dabfb13.tmp
File created	C:\Program Files (x86)\Non\is-UBRO9.tmp	8e7de45b002831cda6b754c34dabfb13.tmp
File created	C:\Program Files (x86)\Non\ut\is-LLCF3.tmp	8e7de45b002831cda6b754c34dabfb13.tmp
File created	C:\Program Files (x86)\Non\ut\is-G8S4M.tmp	8e7de45b002831cda6b754c34dabfb13.tmp
File created	C:\Program Files (x86)\Non\velit\is-VPK1H.tmp	8e7de45b002831cda6b754c34dabfb13.tmp
File opened for modification	C:\Program Files (x86)\Non\ut\Ut.exe	8e7de45b002831cda6b754c34dabfb13.tmp

Program crash 1 IoCs

pid	pid_target	Process	procid_target
208	4980	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4004	8e7de45b002831cda6b754c34dabfb13.tmp
4004	8e7de45b002831cda6b754c34dabfb13.tmp
4980	Ut.exe
4980	Ut.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4004	8e7de45b002831cda6b754c34dabfb13.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 4004	1732	8e7de45b002831cda6b754c34dabfb13.exe	86
PID 1732 wrote to memory of 4004	1732	8e7de45b002831cda6b754c34dabfb13.exe	86
PID 1732 wrote to memory of 4004	1732	8e7de45b002831cda6b754c34dabfb13.exe	86
PID 4004 wrote to memory of 4980	4004	8e7de45b002831cda6b754c34dabfb13.tmp	87
PID 4004 wrote to memory of 4980	4004	8e7de45b002831cda6b754c34dabfb13.tmp	87
PID 4004 wrote to memory of 4980	4004	8e7de45b002831cda6b754c34dabfb13.tmp	87

C:\Users\Admin\AppData\Local\Temp\8e7de45b002831cda6b754c34dabfb13.exe
"C:\Users\Admin\AppData\Local\Temp\8e7de45b002831cda6b754c34dabfb13.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\is-4K9QG.tmp\8e7de45b002831cda6b754c34dabfb13.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-4K9QG.tmp\8e7de45b002831cda6b754c34dabfb13.tmp" /SL5="$D002A,3196655,721408,C:\Users\Admin\AppData\Local\Temp\8e7de45b002831cda6b754c34dabfb13.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Program Files (x86)\Non\ut\Ut.exe
    "C:\Program Files (x86)\Non/\ut\Ut.exe" 8409edbaf42c30564bf561fddda1ef89
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 868
      4⤵
      Program crash
      PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4980 -ip 4980
1⤵
PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Non\ut\Ut.exe

Filesize
785KB

MD5
82124a19407ab81d5b12cc5be4371c60

SHA1
b2d445fa5c6f2d23c862b8d671f253070731056b

SHA256
8b7bb20006651675c98025eae13195937f4a4221758999e34da4978119d77b2b

SHA512
1d88120fd59db2e47ca1e9a1940323dd00e29e13118332066db18dd818d773b5cfc3644f9ab3ac343e78668eaeaffd14ee683922d2799956452bbabda4b21c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4K9QG.tmp\8e7de45b002831cda6b754c34dabfb13.tmp

Filesize
1.9MB

MD5
847e8ca6f25c7dfbfd97818d547fe6ed

SHA1
0b936121e139f1acbb4c18199f315c2f2b235a8e

SHA256
2201a394270fd9d114074dc88885f9e36ff8567ae8d8f338640cf0165e8f82c3

SHA512
1666abfdc2e04f453a07361b94f91e1d6aa65c6aa4cebf6e6a82ec8a0541656ae294f978d9f14cfab5d3ffd45a55dcb73e8a0a771f889ad6cdf9af8da9eac33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4K9QG.tmp\8e7de45b002831cda6b754c34dabfb13.tmp

Filesize
2.4MB

MD5
3fddfbaa9d029821152e746edbabf7ce

SHA1
703690b3a2377047f6755e9b5274d608791b8062

SHA256
787cef456bd60075199c04ac38dd5e65291bd3a930b132538889e4dafb76fa1a

SHA512
fd50e763c6523022f1be02a6a690d2a2dec4e9a73c941314b4a810bbd7605d4058c5c49c53dcbdd8fde5e6c4d2c78fcec52b5bca087cbf552bc1ce90819c4903

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q8VMB.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/1732-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1732-63-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4004-64-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/4004-5-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/4004-69-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/4980-61-0x0000000000400000-0x00000000014BC000-memory.dmp

Filesize
16.7MB

Download
memory/4980-62-0x0000000003FD0000-0x0000000003FD1000-memory.dmp

Filesize
4KB

Download
memory/4980-60-0x0000000000400000-0x00000000014BC000-memory.dmp

Filesize
16.7MB

Download
memory/4980-65-0x0000000000400000-0x00000000014BC000-memory.dmp

Filesize
16.7MB

Download
memory/4980-72-0x0000000000400000-0x00000000014BC000-memory.dmp

Filesize
16.7MB

Download

Analysis

Sharing