d2b7c2e88aff66c0d0722fdb3500c3904784f18bbb1ce695bf81026b8725b9c8

General

Target

a3c3e5fd502b69388e1df82e356bbe77.exe
Size

4.6MB
MD5

a3c3e5fd502b69388e1df82e356bbe77
SHA1

a609984ae142bff0ad0dac288b13056807ab25d5
SHA256

d2b7c2e88aff66c0d0722fdb3500c3904784f18bbb1ce695bf81026b8725b9c8
SHA512

6577a492fdc734784ac76f8e2bdd334841b68ff23fc45049fd3ea3695b3e7bc535bb96ffd1db6e2cb5e4aefaeaedd3ada9aee41b9da6ae3fedff80283e38aa1e
SSDEEP

98304:PX4KEa+NIeFBxuxf9CwuaXcy+09tTs8ZPE7uosyazx14:vB+FFBxuxFG6r+6O6osya0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2220	a3c3e5fd502b69388e1df82e356bbe77.tmp
2556	Eius.exe

Loads dropped DLL 3 IoCs

pid	Process
2160	a3c3e5fd502b69388e1df82e356bbe77.exe
2220	a3c3e5fd502b69388e1df82e356bbe77.tmp
2220	a3c3e5fd502b69388e1df82e356bbe77.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Est\is-A79QE.tmp	a3c3e5fd502b69388e1df82e356bbe77.tmp
File created	C:\Program Files (x86)\Est\is-HVMIP.tmp	a3c3e5fd502b69388e1df82e356bbe77.tmp
File created	C:\Program Files (x86)\Est\enim\is-B9BL8.tmp	a3c3e5fd502b69388e1df82e356bbe77.tmp
File created	C:\Program Files (x86)\Est\enim\is-KS97K.tmp	a3c3e5fd502b69388e1df82e356bbe77.tmp
File opened for modification	C:\Program Files (x86)\Est\Eius.exe	a3c3e5fd502b69388e1df82e356bbe77.tmp
File created	C:\Program Files (x86)\Est\is-Q3TJ4.tmp	a3c3e5fd502b69388e1df82e356bbe77.tmp
File created	C:\Program Files (x86)\Est\is-HMA6C.tmp	a3c3e5fd502b69388e1df82e356bbe77.tmp
File created	C:\Program Files (x86)\Est\is-PV5IK.tmp	a3c3e5fd502b69388e1df82e356bbe77.tmp
File created	C:\Program Files (x86)\Est\enim\is-B7HHN.tmp	a3c3e5fd502b69388e1df82e356bbe77.tmp
File opened for modification	C:\Program Files (x86)\Est\unins000.dat	a3c3e5fd502b69388e1df82e356bbe77.tmp
File created	C:\Program Files (x86)\Est\unins000.dat	a3c3e5fd502b69388e1df82e356bbe77.tmp
File created	C:\Program Files (x86)\Est\is-RKL30.tmp	a3c3e5fd502b69388e1df82e356bbe77.tmp
File created	C:\Program Files (x86)\Est\enim\is-DP06A.tmp	a3c3e5fd502b69388e1df82e356bbe77.tmp
File created	C:\Program Files (x86)\Est\enim\is-437CG.tmp	a3c3e5fd502b69388e1df82e356bbe77.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2220	a3c3e5fd502b69388e1df82e356bbe77.tmp
2220	a3c3e5fd502b69388e1df82e356bbe77.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2220	a3c3e5fd502b69388e1df82e356bbe77.tmp

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2220	2160	a3c3e5fd502b69388e1df82e356bbe77.exe	28
PID 2160 wrote to memory of 2220	2160	a3c3e5fd502b69388e1df82e356bbe77.exe	28
PID 2160 wrote to memory of 2220	2160	a3c3e5fd502b69388e1df82e356bbe77.exe	28
PID 2160 wrote to memory of 2220	2160	a3c3e5fd502b69388e1df82e356bbe77.exe	28
PID 2160 wrote to memory of 2220	2160	a3c3e5fd502b69388e1df82e356bbe77.exe	28
PID 2160 wrote to memory of 2220	2160	a3c3e5fd502b69388e1df82e356bbe77.exe	28
PID 2160 wrote to memory of 2220	2160	a3c3e5fd502b69388e1df82e356bbe77.exe	28
PID 2220 wrote to memory of 2556	2220	a3c3e5fd502b69388e1df82e356bbe77.tmp	29
PID 2220 wrote to memory of 2556	2220	a3c3e5fd502b69388e1df82e356bbe77.tmp	29
PID 2220 wrote to memory of 2556	2220	a3c3e5fd502b69388e1df82e356bbe77.tmp	29
PID 2220 wrote to memory of 2556	2220	a3c3e5fd502b69388e1df82e356bbe77.tmp	29

C:\Users\Admin\AppData\Local\Temp\a3c3e5fd502b69388e1df82e356bbe77.exe
"C:\Users\Admin\AppData\Local\Temp\a3c3e5fd502b69388e1df82e356bbe77.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\is-HUDUU.tmp\a3c3e5fd502b69388e1df82e356bbe77.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HUDUU.tmp\a3c3e5fd502b69388e1df82e356bbe77.tmp" /SL5="$400EE,4101322,721408,C:\Users\Admin\AppData\Local\Temp\a3c3e5fd502b69388e1df82e356bbe77.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Program Files (x86)\Est\Eius.exe
    "C:\Program Files (x86)\Est/\Eius.exe" f9f49517622b570c537e67fe0cc42ce5
    3⤵
    - Executes dropped EXE
    PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Est\Eius.exe

Filesize
5.0MB

MD5
114f65f55a5fb7c6b4b041c716c97266

SHA1
20328a7a391078a5134ad690af0ae41ec6f942b2

SHA256
1d49e2e1b5b37bb09f8b105fccdc7873b3e5127824313ef3fe363434c32b2be8

SHA512
2aa5cfa61b3abd18c9ed2769d007be6091c7e7f99e88f253c98d0b09cb66273e5f27b9da142ff7c34040d2ea18bc7ac83237805d0fd5d0243ee7e6770cfb1a93

Download Submit
\Users\Admin\AppData\Local\Temp\is-CAE3O.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-HUDUU.tmp\a3c3e5fd502b69388e1df82e356bbe77.tmp

Filesize
2.4MB

MD5
3fddfbaa9d029821152e746edbabf7ce

SHA1
703690b3a2377047f6755e9b5274d608791b8062

SHA256
787cef456bd60075199c04ac38dd5e65291bd3a930b132538889e4dafb76fa1a

SHA512
fd50e763c6523022f1be02a6a690d2a2dec4e9a73c941314b4a810bbd7605d4058c5c49c53dcbdd8fde5e6c4d2c78fcec52b5bca087cbf552bc1ce90819c4903

Download Submit
memory/2160-44-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2160-1-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2220-45-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/2220-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2220-50-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2556-42-0x0000000000400000-0x0000000001710000-memory.dmp

Filesize
19.1MB

Download
memory/2556-43-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2556-41-0x0000000000400000-0x0000000001710000-memory.dmp

Filesize
19.1MB

Download
memory/2556-46-0x0000000000400000-0x0000000001710000-memory.dmp

Filesize
19.1MB

Download
memory/2556-51-0x0000000000400000-0x0000000001710000-memory.dmp

Filesize
19.1MB

Download

Analysis

Sharing