41d8c76941e8dbb664883361551799b4e20c7915b4f3c8e0af8c216801174b86

General

Target

41d8c76941e8dbb664883361551799b4e20c7915b4f3c8e0af8c216801174b86.exe
Size

22.2MB
MD5

c8935975bd4eecf8c5aa7f74745ab3a7
SHA1

af02f7558657e189e03b7c3b85ebda7c7da03b31
SHA256

41d8c76941e8dbb664883361551799b4e20c7915b4f3c8e0af8c216801174b86
SHA512

3aced0e89052c2ae1e9e6562a0b7ae598ff9f097672d815f2e2953e3efec76f6206062f10c52cd58f4ff8becbbeb42bc67114c91115960dba5bb34a435a4f1a2
SSDEEP

393216:+b+6b4ERAqPID+X6DwW4imFJFpjSA3nnMUfA/KAizTupX9n01XKpAnKKos:+a/ERfA6KMW2FF3nMUoSAiIX90Bms

Score

8^/10

evasion trojan upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

FFRenamePro_x64.exe

pid process

616 FFRenamePro_x64.exe

pid	process
616	FFRenamePro_x64.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1928-55-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/576-58-0x0000000000400000-0x0000000000422000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FFRenamePro_x64.exe	upx
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FFRenamePro_x64.exe	upx
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FFRenamePro_x64.exe	upx
behavioral1/memory/616-65-0x0000000000400000-0x00000000028B3000-memory.dmp	upx
behavioral1/memory/1928-67-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/576-69-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/616-71-0x0000000000400000-0x00000000028B3000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

41d8c76941e8dbb664883361551799b4e20c7915b4f3c8e0af8c216801174b86.exe

pid process

576 41d8c76941e8dbb664883361551799b4e20c7915b4f3c8e0af8c216801174b86.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

FFRenamePro_x64.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA FFRenamePro_x64.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

FFRenamePro_x64.exe

pid process

616 FFRenamePro_x64.exe

pid	process
576	41d8c76941e8dbb664883361551799b4e20c7915b4f3c8e0af8c216801174b86.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FFRenamePro_x64.exe

pid	process
616	FFRenamePro_x64.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

41d8c76941e8dbb664883361551799b4e20c7915b4f3c8e0af8c216801174b86.exe41d8c76941e8dbb664883361551799b4e20c7915b4f3c8e0af8c216801174b86.exe

description	pid	process	target process
PID 1928 wrote to memory of 576	1928	41d8c76941e8dbb664883361551799b4e20c7915b4f3c8e0af8c216801174b86.exe	41d8c76941e8dbb664883361551799b4e20c7915b4f3c8e0af8c216801174b86.exe
PID 1928 wrote to memory of 576	1928	41d8c76941e8dbb664883361551799b4e20c7915b4f3c8e0af8c216801174b86.exe	41d8c76941e8dbb664883361551799b4e20c7915b4f3c8e0af8c216801174b86.exe
PID 1928 wrote to memory of 576	1928	41d8c76941e8dbb664883361551799b4e20c7915b4f3c8e0af8c216801174b86.exe	41d8c76941e8dbb664883361551799b4e20c7915b4f3c8e0af8c216801174b86.exe
PID 1928 wrote to memory of 576	1928	41d8c76941e8dbb664883361551799b4e20c7915b4f3c8e0af8c216801174b86.exe	41d8c76941e8dbb664883361551799b4e20c7915b4f3c8e0af8c216801174b86.exe
PID 576 wrote to memory of 616	576	41d8c76941e8dbb664883361551799b4e20c7915b4f3c8e0af8c216801174b86.exe	FFRenamePro_x64.exe
PID 576 wrote to memory of 616	576	41d8c76941e8dbb664883361551799b4e20c7915b4f3c8e0af8c216801174b86.exe	FFRenamePro_x64.exe
PID 576 wrote to memory of 616	576	41d8c76941e8dbb664883361551799b4e20c7915b4f3c8e0af8c216801174b86.exe	FFRenamePro_x64.exe
PID 576 wrote to memory of 616	576	41d8c76941e8dbb664883361551799b4e20c7915b4f3c8e0af8c216801174b86.exe	FFRenamePro_x64.exe

C:\Users\Admin\AppData\Local\Temp\41d8c76941e8dbb664883361551799b4e20c7915b4f3c8e0af8c216801174b86.exe
"C:\Users\Admin\AppData\Local\Temp\41d8c76941e8dbb664883361551799b4e20c7915b4f3c8e0af8c216801174b86.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Local\Temp\41d8c76941e8dbb664883361551799b4e20c7915b4f3c8e0af8c216801174b86.exe
"C:\Users\Admin\AppData\Local\Temp\41d8c76941e8dbb664883361551799b4e20c7915b4f3c8e0af8c216801174b86.exe" -sfxwaitall:0 "FFRenamePro_x64.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:576

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FFRenamePro_x64.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FFRenamePro_x64.exe"
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
PID:616

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FFRenamePro_x64.exe
Filesize
11.8MB

MD5
a71d42cb5a601e62d063262b4d493b87

SHA1
5e4a990e5ca362ed2c51e73de9e3616b58f40f27

SHA256
feaa0ea6caad90e1dda09cd708fb992497feb2ebb8231960d5ca2f674d5aadd6

SHA512
0f8f915d16ec23103e374c51c7de5af61164e2ad9c87fb700051cc00a0c60a30fa0a86fa77fd17c6725d642b7d0565d62062e269de8637361076a4992512389a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FFRenamePro_x64.exe
Filesize
11.8MB

MD5
a71d42cb5a601e62d063262b4d493b87

SHA1
5e4a990e5ca362ed2c51e73de9e3616b58f40f27

SHA256
feaa0ea6caad90e1dda09cd708fb992497feb2ebb8231960d5ca2f674d5aadd6

SHA512
0f8f915d16ec23103e374c51c7de5af61164e2ad9c87fb700051cc00a0c60a30fa0a86fa77fd17c6725d642b7d0565d62062e269de8637361076a4992512389a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FFRenamePro_x64.ini
Filesize
15KB

MD5
68cd88ff70213c510e2e95b8c2857263

SHA1
013df47ebbcda04c45214ae0a4e4408178ae9070

SHA256
b947931a0348c427569d70cba0ba52b81edb66621638263740cb412fc1050acc

SHA512
0b341e60b9ad1af96fde62f970ad723d12661779ec03ab326d87be16361b674ee909f865c4dd10a618d5b38c5557c8287275dc3f798844513569a0f710a22106

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FFRenamePro_x64.exe
Filesize
11.8MB

MD5
a71d42cb5a601e62d063262b4d493b87

SHA1
5e4a990e5ca362ed2c51e73de9e3616b58f40f27

SHA256
feaa0ea6caad90e1dda09cd708fb992497feb2ebb8231960d5ca2f674d5aadd6

SHA512
0f8f915d16ec23103e374c51c7de5af61164e2ad9c87fb700051cc00a0c60a30fa0a86fa77fd17c6725d642b7d0565d62062e269de8637361076a4992512389a

Download Submit
memory/576-64-0x0000000002670000-0x0000000004B23000-memory.dmp

Filesize
36.7MB

Download
memory/576-70-0x0000000002670000-0x0000000004B23000-memory.dmp

Filesize
36.7MB

Download
memory/576-56-0x0000000000000000-mapping.dmp

Download
memory/576-58-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/576-69-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/616-63-0x000007FEFC161000-0x000007FEFC163000-memory.dmp

Filesize
8KB

Download
memory/616-65-0x0000000000400000-0x00000000028B3000-memory.dmp

Filesize
36.7MB

Download
memory/616-61-0x0000000000000000-mapping.dmp

Download
memory/616-71-0x0000000000400000-0x00000000028B3000-memory.dmp

Filesize
36.7MB

Download
memory/1928-54-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/1928-67-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1928-68-0x0000000000270000-0x0000000000292000-memory.dmp

Filesize
136KB

Download
memory/1928-55-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing