33358691144fd04943b0de774643ba673448b6d7e616d482beb5200d09f9beeb

General

Target

injector.exe
Size

464KB
MD5

17cdde0e896e4a1bf5d8b376346c4d40
SHA1

6a1a5d06a351a23571d436c5f480fc6c0bf2267b
SHA256

33358691144fd04943b0de774643ba673448b6d7e616d482beb5200d09f9beeb
SHA512

43aa0de352de5930434951e6f79aa6f0175bc779858818aac0fc407e8dfcf4712df5d0bbea43953291b373ae2fec7ff5b4379f2bf16cf03fc2e3b2daec96c16c

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

extd.exe

pid process

860 extd.exe

pid	process
860	extd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3949.tmp\394A.tmp\extd.exe	upx
\Users\Admin\AppData\Local\Temp\3949.tmp\394A.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\3949.tmp\394A.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\3949.tmp\394A.tmp\extd.exe	upx

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1668 cmd.exe
1668 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1668	cmd.exe
1668	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

injector.execmd.exe

description	pid	process	target process
PID 468 wrote to memory of 1668	468	injector.exe	cmd.exe
PID 468 wrote to memory of 1668	468	injector.exe	cmd.exe
PID 468 wrote to memory of 1668	468	injector.exe	cmd.exe
PID 1668 wrote to memory of 860	1668	cmd.exe	extd.exe
PID 1668 wrote to memory of 860	1668	cmd.exe	extd.exe
PID 1668 wrote to memory of 860	1668	cmd.exe	extd.exe

C:\Users\Admin\AppData\Local\Temp\injector.exe
"C:\Users\Admin\AppData\Local\Temp\injector.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3949.tmp\394A.tmp\394B.bat C:\Users\Admin\AppData\Local\Temp\injector.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\3949.tmp\394A.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\3949.tmp\394A.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:860

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3949.tmp\394A.tmp\394B.bat
MD5
708a02f63ca660f2df9687b45a5dba05

SHA1
636ea4f3b0bd3ecb54169a9812ce6e0a8d2b3ade

SHA256
d44577685db37ea19fdeeed0e59495b3ebeab3358d3952a2e97e27c4a6e0e4c4

SHA512
3e6d7b3a1b457ce93025eb630b00d308751fc6b57be0deed3b55a8f1a6c4a2d837653a2675260ce22340358f4f50ab51f41d86a0152ce56c9af0934fcdf02fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3949.tmp\394A.tmp\extd.exe
MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\3949.tmp\394A.tmp\extd.exe
MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
\Users\Admin\AppData\Local\Temp\3949.tmp\394A.tmp\extd.exe
MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
\Users\Admin\AppData\Local\Temp\3949.tmp\394A.tmp\extd.exe
MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
memory/468-59-0x000007FEFB531000-0x000007FEFB533000-memory.dmp

Filesize
8KB

Download
memory/860-65-0x0000000000000000-mapping.dmp

Download
memory/1668-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing