ba54531fde470207f2fe239c7c340d0529f46eff8c184b25736b3c4f13f72208

General

Target

ba54531fde470207f2fe239c7c340d0529f46eff8c184b25736b3c4f13f72208.exe
Size

713KB
MD5

65bf8f83dffef62d1579503822c3b790
SHA1

df810334f2dd62277e8c431c88fb31f8c57319c2
SHA256

ba54531fde470207f2fe239c7c340d0529f46eff8c184b25736b3c4f13f72208
SHA512

af7638c01a4f8acb79b5604d0062b8fd3239a77236fc7c5d824ddce0b1a644abb3c93276e6c0550f48083207648229c993aeb75e58fa8d7998679b4cb45b76a1
SSDEEP

12288:Vs+ApVpEYSOPuBOawRa9rBDUGNmX65+SxNPFQbGlHYy/mqEcFlp/j4QWSgBFl:itE30yrBIhKHPFQC+mEspLDW9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2024	ba54531fde470207f2fe239c7c340d0529f46eff8c184b25736b3c4f13f72208.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/976-61-0x0000000000400000-0x000000000059D000-memory.dmp	upx
behavioral1/memory/2024-63-0x0000000000400000-0x000000000059D000-memory.dmp	upx
behavioral1/memory/2024-65-0x0000000000400000-0x000000000059D000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
976	ba54531fde470207f2fe239c7c340d0529f46eff8c184b25736b3c4f13f72208.exe
976	ba54531fde470207f2fe239c7c340d0529f46eff8c184b25736b3c4f13f72208.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	ba54531fde470207f2fe239c7c340d0529f46eff8c184b25736b3c4f13f72208.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ba54531fde470207f2fe239c7c340d0529f46eff8c184b25736b3c4f13f72208 = "C:\\ProgramData\\System\\ba54531fde470207f2fe239c7c340d0529f46eff8c184b25736b3c4f13f72208.exe"	ba54531fde470207f2fe239c7c340d0529f46eff8c184b25736b3c4f13f72208.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 2024	976	ba54531fde470207f2fe239c7c340d0529f46eff8c184b25736b3c4f13f72208.exe	27
PID 976 wrote to memory of 2024	976	ba54531fde470207f2fe239c7c340d0529f46eff8c184b25736b3c4f13f72208.exe	27
PID 976 wrote to memory of 2024	976	ba54531fde470207f2fe239c7c340d0529f46eff8c184b25736b3c4f13f72208.exe	27
PID 976 wrote to memory of 2024	976	ba54531fde470207f2fe239c7c340d0529f46eff8c184b25736b3c4f13f72208.exe	27

C:\Users\Admin\AppData\Local\Temp\ba54531fde470207f2fe239c7c340d0529f46eff8c184b25736b3c4f13f72208.exe
"C:\Users\Admin\AppData\Local\Temp\ba54531fde470207f2fe239c7c340d0529f46eff8c184b25736b3c4f13f72208.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:976
- C:\ProgramData\System\ba54531fde470207f2fe239c7c340d0529f46eff8c184b25736b3c4f13f72208.exe
  "C:\ProgramData\System\ba54531fde470207f2fe239c7c340d0529f46eff8c184b25736b3c4f13f72208.exe"
  2⤵
  - Executes dropped EXE
  PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\System\ba54531fde470207f2fe239c7c340d0529f46eff8c184b25736b3c4f13f72208.exe

Filesize
713KB

MD5
65bf8f83dffef62d1579503822c3b790

SHA1
df810334f2dd62277e8c431c88fb31f8c57319c2

SHA256
ba54531fde470207f2fe239c7c340d0529f46eff8c184b25736b3c4f13f72208

SHA512
af7638c01a4f8acb79b5604d0062b8fd3239a77236fc7c5d824ddce0b1a644abb3c93276e6c0550f48083207648229c993aeb75e58fa8d7998679b4cb45b76a1

Download Submit
\ProgramData\System\ba54531fde470207f2fe239c7c340d0529f46eff8c184b25736b3c4f13f72208.exe

Filesize
713KB

MD5
65bf8f83dffef62d1579503822c3b790

SHA1
df810334f2dd62277e8c431c88fb31f8c57319c2

SHA256
ba54531fde470207f2fe239c7c340d0529f46eff8c184b25736b3c4f13f72208

SHA512
af7638c01a4f8acb79b5604d0062b8fd3239a77236fc7c5d824ddce0b1a644abb3c93276e6c0550f48083207648229c993aeb75e58fa8d7998679b4cb45b76a1

Download Submit
\ProgramData\System\ba54531fde470207f2fe239c7c340d0529f46eff8c184b25736b3c4f13f72208.exe

Filesize
713KB

MD5
65bf8f83dffef62d1579503822c3b790

SHA1
df810334f2dd62277e8c431c88fb31f8c57319c2

SHA256
ba54531fde470207f2fe239c7c340d0529f46eff8c184b25736b3c4f13f72208

SHA512
af7638c01a4f8acb79b5604d0062b8fd3239a77236fc7c5d824ddce0b1a644abb3c93276e6c0550f48083207648229c993aeb75e58fa8d7998679b4cb45b76a1

Download Submit
memory/976-54-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download
memory/976-55-0x0000000001E90000-0x000000000202D000-memory.dmp

Filesize
1.6MB

Download
memory/976-56-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/976-61-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download
memory/2024-63-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download
memory/2024-64-0x0000000001EF0000-0x000000000208D000-memory.dmp

Filesize
1.6MB

Download
memory/2024-65-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing