772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca

General

Target

772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe
Size

312KB
MD5

3bf32adc801cc53d9514cd981acea15f
SHA1

bf4466f30b4d4a4ea0b484704a6deb37a2113482
SHA256

772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca
SHA512

35de859ffbc7eeda9b28358eb9f4ef7d39fe1d824c996663e97ec12eacff405af1f75728d1c61d6e1a99f2fb9ab4617151cb002849dbec6179bce9e26561396f
SSDEEP

6144:zcIhoXH+MWDoLybih7heY0Av9SO/qAvQ0S:oIhyWDoLth7MYPv9r/VvnS

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4624	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdcamgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000022e05-133.dat	upx
behavioral2/files/0x0007000000022e05-134.dat	upx
behavioral2/memory/4624-136-0x0000000000400000-0x0000000000464000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2100	4624	WerFault.exe	83

Modifies registry class 20 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1756	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1756	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 4624	1756	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe	83
PID 1756 wrote to memory of 4624	1756	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe	83
PID 1756 wrote to memory of 4624	1756	772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe	83

C:\Users\Admin\AppData\Local\Temp\772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe
"C:\Users\Admin\AppData\Local\Temp\772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdca.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Local\Temp\772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdcamgr.exe
  C:\Users\Admin\AppData\Local\Temp\772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdcamgr.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 264
    3⤵
    - Program crash
    PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4624 -ip 4624
1⤵
PID:3288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdcamgr.exe

Filesize
160KB

MD5
def246ecc4f00381b6b1acf8463831fb

SHA1
864cb109f819a7929fb000490f7628a91d751b28

SHA256
b87b2ab451238dbe16ece999631a662c3efefd20ef9a5339d3f7955d768acb5c

SHA512
8770c4275911ba2537a635cccfbe66e8ea08051250c9837d2ea5bd49c22519a4fe72bc48261e687e60a34a08e8a08fe38f8ed7632bed9098a851fcd8f27b56bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\772645517a7cf06224b855da2a5e27273ef93c1e7b77073476c8637c11b8cdcamgr.exe

Filesize
160KB

MD5
def246ecc4f00381b6b1acf8463831fb

SHA1
864cb109f819a7929fb000490f7628a91d751b28

SHA256
b87b2ab451238dbe16ece999631a662c3efefd20ef9a5339d3f7955d768acb5c

SHA512
8770c4275911ba2537a635cccfbe66e8ea08051250c9837d2ea5bd49c22519a4fe72bc48261e687e60a34a08e8a08fe38f8ed7632bed9098a851fcd8f27b56bd

Download Submit
memory/1756-135-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1756-137-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4624-136-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing