132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73

General

Target

132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73.exe
Size

6.2MB
MD5

1b1d89a29dfa9c8a388a8d0d9e6e172f
SHA1

c6864b625d3f7a61b3e669e822f5e6e5ffb4e0af
SHA256

132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73
SHA512

ed97e27ebb0e62739cdece2a62f895cd937568145ce0b4ac6e13768ca7b2c4988015cbb2f2c0fa56ca20bff959b50fc3b13a49fea5bbb767303d1868fa7abe98
SSDEEP

196608:xeQzyEmN28Q3q+bo48G4mNUaIJRHk3yvY3V:xFyjebo48G4mNUaI8GYl

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2776	132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73.tmp
4960	mulloyall.exe

Loads dropped DLL 3 IoCs

pid	Process
2776	132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73.tmp
2776	132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73.tmp
2776	132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 12 IoCs

pid	pid_target	Process	procid_target
3236	4960	WerFault.exe	88
988	4960	WerFault.exe	88
3352	4960	WerFault.exe	88
2340	4960	WerFault.exe	88
2324	4960	WerFault.exe	88
4120	4960	WerFault.exe	88
1520	4960	WerFault.exe	88
1968	4960	WerFault.exe	88
2460	4960	WerFault.exe	88
5060	4960	WerFault.exe	88
628	4960	WerFault.exe	88
544	4960	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2776	132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73.tmp
2776	132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73.tmp
4960	mulloyall.exe
4960	mulloyall.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2776	132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 2776	4912	132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73.exe	82
PID 4912 wrote to memory of 2776	4912	132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73.exe	82
PID 4912 wrote to memory of 2776	4912	132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73.exe	82
PID 2776 wrote to memory of 1760	2776	132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73.tmp	86
PID 2776 wrote to memory of 1760	2776	132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73.tmp	86
PID 2776 wrote to memory of 1760	2776	132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73.tmp	86
PID 2776 wrote to memory of 4960	2776	132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73.tmp	88
PID 2776 wrote to memory of 4960	2776	132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73.tmp	88
PID 2776 wrote to memory of 4960	2776	132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73.tmp	88

C:\Users\Admin\AppData\Local\Temp\132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73.exe
"C:\Users\Admin\AppData\Local\Temp\132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Users\Admin\AppData\Local\Temp\is-UJ990.tmp\132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-UJ990.tmp\132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73.tmp" /SL5="$600EA,6234242,56832,C:\Users\Admin\AppData\Local\Temp\132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "Mulloy_5113"
    3⤵
    PID:1760
- - C:\Users\Admin\AppData\Local\Mulloy\mulloyall.exe
    "C:\Users\Admin\AppData\Local\Mulloy\mulloyall.exe" 0b03b5d4cfd20fcc43fb198f0519e603
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1288
      4⤵
      Program crash
      PID:3236
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1296
      4⤵
      Program crash
      PID:988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1348
      4⤵
      Program crash
      PID:3352
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1312
      4⤵
      Program crash
      PID:2340
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1428
      4⤵
      Program crash
      PID:2324
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1320
      4⤵
      Program crash
      PID:4120
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1304
      4⤵
      Program crash
      PID:1520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1596
      4⤵
      Program crash
      PID:1968
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 992
      4⤵
      Program crash
      PID:2460
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 692
      4⤵
      Program crash
      PID:5060
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 972
      4⤵
      Program crash
      PID:628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 904
      4⤵
      Program crash
      PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4960 -ip 4960
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4960 -ip 4960
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4960 -ip 4960
1⤵
PID:980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4960 -ip 4960
1⤵
PID:1036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4960 -ip 4960
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4960 -ip 4960
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4960 -ip 4960
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4960 -ip 4960
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 4960 -ip 4960
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4960 -ip 4960
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4960 -ip 4960
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4960 -ip 4960
1⤵
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mulloy\mulloyall.exe

Filesize
4.9MB

MD5
811e06c97d4125798af40c095a215898

SHA1
745b4d759bdc6c0fff23dbe9dba7abbea338ec65

SHA256
6e11e4b83d391df3ed338e0ff2b552852e8bf0eaf568a845035e426e460edae7

SHA512
3f96b970b94528aea77a64023cc79231960ca1176fcf862f357af0e30c76cb765d995049019b9a8f65c7db7dff3f431e61a751a4fdbda39dc06450b21e3e8f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BA5K7.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BA5K7.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UJ990.tmp\132cff8910cdf5dfad82e2efcdf554d5c7d3d33468db34dfe482275e57f5ba73.tmp

Filesize
692KB

MD5
f9fdb0ae28ac99715101ddd3bbf7d7c0

SHA1
1655f0199520314f79cb7b85cdaca73929eb48de

SHA256
d3ca078aaf42859ad45c1a1802407c42af64fe1918bf7b07d82fca50ece45ec4

SHA512
bdb1f6fbc1535cc83c3fb137cf17e09a5040fd8eeb9b404e87f6f9c5fca9b66e86271bcd7e73e2ef4dc1698fc2b473fc4575a5903c679fed8eb67cb219b2dbda

Download Submit
memory/2776-7-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2776-77-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4912-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4912-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4912-76-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4960-74-0x0000000000400000-0x0000000000CDE000-memory.dmp

Filesize
8.9MB

Download
memory/4960-75-0x0000000000400000-0x0000000000CDE000-memory.dmp

Filesize
8.9MB

Download
memory/4960-78-0x0000000000400000-0x0000000000CDE000-memory.dmp

Filesize
8.9MB

Download
memory/4960-81-0x0000000000400000-0x0000000000CDE000-memory.dmp

Filesize
8.9MB

Download

Analysis

Sharing