3c4cac09378e535330fd9009b77d89ca37492afe130ce03cbaa104450e43402b

General

Target

b90d71911dbeac45c9f94f9f5c2feaad.exe
Size

4.4MB
MD5

b90d71911dbeac45c9f94f9f5c2feaad
SHA1

55f247d96990432cc6108adb7cb15d1e1cb5d2f1
SHA256

3c4cac09378e535330fd9009b77d89ca37492afe130ce03cbaa104450e43402b
SHA512

29a8069f1bec4a4300db4a8348ab6f5b6337f6bd20ce29f25e191ebb8a9343420c8027ee54984baccabf429eca6f4838b027b21fcf7d9f743722eed573ba8ae4
SSDEEP

98304:PX4Ad3TGIbVNnNIyumvwLCc4A8kOJQL5ulMX5yazx14:vT6IbVNnUmoCA8sL56+5ya0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2504	b90d71911dbeac45c9f94f9f5c2feaad.tmp
2436	Quia.exe

Loads dropped DLL 3 IoCs

pid	Process
3036	b90d71911dbeac45c9f94f9f5c2feaad.exe
2504	b90d71911dbeac45c9f94f9f5c2feaad.tmp
2504	b90d71911dbeac45c9f94f9f5c2feaad.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Nulla\unins000.dat	b90d71911dbeac45c9f94f9f5c2feaad.tmp
File created	C:\Program Files (x86)\Nulla\unins000.dat	b90d71911dbeac45c9f94f9f5c2feaad.tmp
File created	C:\Program Files (x86)\Nulla\is-VJU6M.tmp	b90d71911dbeac45c9f94f9f5c2feaad.tmp
File created	C:\Program Files (x86)\Nulla\is-PNMNH.tmp	b90d71911dbeac45c9f94f9f5c2feaad.tmp
File created	C:\Program Files (x86)\Nulla\ipsum\is-KE9O1.tmp	b90d71911dbeac45c9f94f9f5c2feaad.tmp
File created	C:\Program Files (x86)\Nulla\ipsum\is-H0N29.tmp	b90d71911dbeac45c9f94f9f5c2feaad.tmp
File created	C:\Program Files (x86)\Nulla\ipsum\is-H8B0Q.tmp	b90d71911dbeac45c9f94f9f5c2feaad.tmp
File created	C:\Program Files (x86)\Nulla\is-D6TR6.tmp	b90d71911dbeac45c9f94f9f5c2feaad.tmp
File created	C:\Program Files (x86)\Nulla\ipsum\is-P1JEI.tmp	b90d71911dbeac45c9f94f9f5c2feaad.tmp
File created	C:\Program Files (x86)\Nulla\ipsum\is-5HLJ5.tmp	b90d71911dbeac45c9f94f9f5c2feaad.tmp
File opened for modification	C:\Program Files (x86)\Nulla\ipsum\Quia.exe	b90d71911dbeac45c9f94f9f5c2feaad.tmp
File created	C:\Program Files (x86)\Nulla\is-OCEPV.tmp	b90d71911dbeac45c9f94f9f5c2feaad.tmp
File created	C:\Program Files (x86)\Nulla\is-H0ODI.tmp	b90d71911dbeac45c9f94f9f5c2feaad.tmp
File created	C:\Program Files (x86)\Nulla\ipsum\is-0JV6Q.tmp	b90d71911dbeac45c9f94f9f5c2feaad.tmp
File created	C:\Program Files (x86)\Nulla\ipsum\is-T1BJQ.tmp	b90d71911dbeac45c9f94f9f5c2feaad.tmp
File created	C:\Program Files (x86)\Nulla\ipsum\is-QQ35E.tmp	b90d71911dbeac45c9f94f9f5c2feaad.tmp
File opened for modification	C:\Program Files (x86)\Nulla\ipsum\sqlite3.dll	b90d71911dbeac45c9f94f9f5c2feaad.tmp
File created	C:\Program Files (x86)\Nulla\is-UPAS3.tmp	b90d71911dbeac45c9f94f9f5c2feaad.tmp
File created	C:\Program Files (x86)\Nulla\is-ANFOK.tmp	b90d71911dbeac45c9f94f9f5c2feaad.tmp
File created	C:\Program Files (x86)\Nulla\is-2EDCD.tmp	b90d71911dbeac45c9f94f9f5c2feaad.tmp
File created	C:\Program Files (x86)\Nulla\ipsum\is-H443U.tmp	b90d71911dbeac45c9f94f9f5c2feaad.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2504	b90d71911dbeac45c9f94f9f5c2feaad.tmp
2504	b90d71911dbeac45c9f94f9f5c2feaad.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2504	b90d71911dbeac45c9f94f9f5c2feaad.tmp

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2504	3036	b90d71911dbeac45c9f94f9f5c2feaad.exe	28
PID 3036 wrote to memory of 2504	3036	b90d71911dbeac45c9f94f9f5c2feaad.exe	28
PID 3036 wrote to memory of 2504	3036	b90d71911dbeac45c9f94f9f5c2feaad.exe	28
PID 3036 wrote to memory of 2504	3036	b90d71911dbeac45c9f94f9f5c2feaad.exe	28
PID 3036 wrote to memory of 2504	3036	b90d71911dbeac45c9f94f9f5c2feaad.exe	28
PID 3036 wrote to memory of 2504	3036	b90d71911dbeac45c9f94f9f5c2feaad.exe	28
PID 3036 wrote to memory of 2504	3036	b90d71911dbeac45c9f94f9f5c2feaad.exe	28
PID 2504 wrote to memory of 2436	2504	b90d71911dbeac45c9f94f9f5c2feaad.tmp	29
PID 2504 wrote to memory of 2436	2504	b90d71911dbeac45c9f94f9f5c2feaad.tmp	29
PID 2504 wrote to memory of 2436	2504	b90d71911dbeac45c9f94f9f5c2feaad.tmp	29
PID 2504 wrote to memory of 2436	2504	b90d71911dbeac45c9f94f9f5c2feaad.tmp	29

C:\Users\Admin\AppData\Local\Temp\b90d71911dbeac45c9f94f9f5c2feaad.exe
"C:\Users\Admin\AppData\Local\Temp\b90d71911dbeac45c9f94f9f5c2feaad.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\is-9FEIO.tmp\b90d71911dbeac45c9f94f9f5c2feaad.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9FEIO.tmp\b90d71911dbeac45c9f94f9f5c2feaad.tmp" /SL5="$70122,3957391,721408,C:\Users\Admin\AppData\Local\Temp\b90d71911dbeac45c9f94f9f5c2feaad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Program Files (x86)\Nulla\ipsum\Quia.exe
    "C:\Program Files (x86)\Nulla/\ipsum\Quia.exe" 10506b98fc880542ea15f5a05edd8e4a
    3⤵
    - Executes dropped EXE
    PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Nulla\ipsum\Quia.exe

Filesize
3.6MB

MD5
f475d7a9dc9101c7908ddd6e2d72695b

SHA1
7a04db4cd5f7a7a2b45c2e099ca38d6799d5d1c2

SHA256
5c9b19c102385affd8223ad6cc011b8acde8bd2c278192ab662357d574d15636

SHA512
a4513cb8f2cf1c0de68cde9ae2e917fd6ac1945f59cd6f24f5562e8916a3a4e840c768b68a42e6d5dbc87f05b7f06b8e9cdcde03c112dd54002af187a5e3360b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9FEIO.tmp\b90d71911dbeac45c9f94f9f5c2feaad.tmp

Filesize
2.0MB

MD5
06b8aef95363c3629fbc987df42134be

SHA1
e91b286101d056efb1c7206f18da64729610d6f1

SHA256
9de185811638f1d920fe980d3285d8e2dea06a71c54200123c6b268929973b7e

SHA512
e68e3859fb7233a26ad3fb34bd8e7537c23f03b5e263f10140184f213ad4d97af97e4be9fa6b79dc4aa1c9b58aad5131b074902fb20562018491e9b3696af0d3

Download Submit
\Program Files (x86)\Nulla\ipsum\Quia.exe

Filesize
3.5MB

MD5
8fce455bf2ce38a45b8df689e8b48e53

SHA1
ecf95b18d8834fcb34fec71ce2e8a6fabe8b6386

SHA256
546b5f27897cee4f924cbe5a99e88062b4bed6756f2a59e9343629f2fbfcd1e4

SHA512
964fe4be2a63bb5d3fc169eb0a597796b42086fefd980621c45952fbfb96156d4e903cf3b16b6fc537880adc9d338a585bd9e824f65d75f16055b54c8f93b37b

Download Submit
\Users\Admin\AppData\Local\Temp\is-5JGPE.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-9FEIO.tmp\b90d71911dbeac45c9f94f9f5c2feaad.tmp

Filesize
2.4MB

MD5
3fddfbaa9d029821152e746edbabf7ce

SHA1
703690b3a2377047f6755e9b5274d608791b8062

SHA256
787cef456bd60075199c04ac38dd5e65291bd3a930b132538889e4dafb76fa1a

SHA512
fd50e763c6523022f1be02a6a690d2a2dec4e9a73c941314b4a810bbd7605d4058c5c49c53dcbdd8fde5e6c4d2c78fcec52b5bca087cbf552bc1ce90819c4903

Download Submit
memory/2436-52-0x0000000000400000-0x00000000015DC000-memory.dmp

Filesize
17.9MB

Download
memory/2436-53-0x0000000000400000-0x00000000015DC000-memory.dmp

Filesize
17.9MB

Download
memory/2436-54-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2436-57-0x0000000000400000-0x00000000015DC000-memory.dmp

Filesize
17.9MB

Download
memory/2436-70-0x0000000000400000-0x00000000015DC000-memory.dmp

Filesize
17.9MB

Download
memory/2504-7-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2504-56-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/2504-60-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3036-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3036-55-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download

Analysis

Sharing