61a01560ab72e858b18b1f875728063836c29a21df52dbb8f9f270a3e8caa236

General

Target

61a01560ab72e858b18b1f875728063836c29a21df52dbb8f9f270a3e8caa236.exe
Size

1.2MB
MD5

617b022e71a5d40ebdbe5ed9507f028d
SHA1

6bbacfabd060d5b75fcc5169ccde812bd50cf762
SHA256

61a01560ab72e858b18b1f875728063836c29a21df52dbb8f9f270a3e8caa236
SHA512

778f4a0793ff13acec4f9f415df4f0a1c17268af002f923c41c679ab250ef18f2626921f67c5d473e2c3e57f26428be5d6c6fae43be20b712ee26b6e75f1b5c2
SSDEEP

24576:ynL83cUxIysopjz8WaSzjq6e9gZoXcYpYc8EigfhmYo1ISI4IBjhD:I4cUcU8k+6nZmYcFjfhmYmnIBjt

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1196	Best Treiner.exe
968	UFR.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000012324-60.dat	upx
behavioral1/memory/968-70-0x0000000000400000-0x0000000000670000-memory.dmp	upx
behavioral1/memory/968-71-0x0000000000400000-0x0000000000670000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1196	Best Treiner.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1196	Best Treiner.exe
968	UFR.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1196	1760	61a01560ab72e858b18b1f875728063836c29a21df52dbb8f9f270a3e8caa236.exe	27
PID 1760 wrote to memory of 1196	1760	61a01560ab72e858b18b1f875728063836c29a21df52dbb8f9f270a3e8caa236.exe	27
PID 1760 wrote to memory of 1196	1760	61a01560ab72e858b18b1f875728063836c29a21df52dbb8f9f270a3e8caa236.exe	27
PID 1760 wrote to memory of 1196	1760	61a01560ab72e858b18b1f875728063836c29a21df52dbb8f9f270a3e8caa236.exe	27
PID 1760 wrote to memory of 968	1760	61a01560ab72e858b18b1f875728063836c29a21df52dbb8f9f270a3e8caa236.exe	28
PID 1760 wrote to memory of 968	1760	61a01560ab72e858b18b1f875728063836c29a21df52dbb8f9f270a3e8caa236.exe	28
PID 1760 wrote to memory of 968	1760	61a01560ab72e858b18b1f875728063836c29a21df52dbb8f9f270a3e8caa236.exe	28
PID 1760 wrote to memory of 968	1760	61a01560ab72e858b18b1f875728063836c29a21df52dbb8f9f270a3e8caa236.exe	28
PID 1196 wrote to memory of 1108	1196	Best Treiner.exe	29
PID 1196 wrote to memory of 1108	1196	Best Treiner.exe	29
PID 1196 wrote to memory of 1108	1196	Best Treiner.exe	29
PID 1196 wrote to memory of 1108	1196	Best Treiner.exe	29
PID 1196 wrote to memory of 1108	1196	Best Treiner.exe	29

C:\Users\Admin\AppData\Local\Temp\61a01560ab72e858b18b1f875728063836c29a21df52dbb8f9f270a3e8caa236.exe
"C:\Users\Admin\AppData\Local\Temp\61a01560ab72e858b18b1f875728063836c29a21df52dbb8f9f270a3e8caa236.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\Best Treiner.exe
  "C:\Users\Admin\AppData\Local\Temp\Best Treiner.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Users\Admin\AppData\Local\Temp\Best Treiner.exe
    "C:\Users\Admin\AppData\Local\Temp\Best Treiner.exe"
    3⤵
    PID:1108
- C:\Users\Admin\AppData\Local\Temp\UFR.exe
  "C:\Users\Admin\AppData\Local\Temp\UFR.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Best Treiner.exe

Filesize
47KB

MD5
52c502d749eb4fd9a057abaf0db2a2cd

SHA1
ded71c3be511c13ef7e8d10dc7303877a4a31ad9

SHA256
777ada5f3cfd81c25781bfb1d9912b94a52412fb81527d2c8d2d1c1f4a04f721

SHA512
e70e91ff618fea2fc7726770f7d597c98db65a83052a0564bc59dbf0e90f64d0687ddc95d73a61077562f5da35ecb874bea21110b3c501ecbb9a6ec44ce8ac44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Best Treiner.exe

Filesize
47KB

MD5
52c502d749eb4fd9a057abaf0db2a2cd

SHA1
ded71c3be511c13ef7e8d10dc7303877a4a31ad9

SHA256
777ada5f3cfd81c25781bfb1d9912b94a52412fb81527d2c8d2d1c1f4a04f721

SHA512
e70e91ff618fea2fc7726770f7d597c98db65a83052a0564bc59dbf0e90f64d0687ddc95d73a61077562f5da35ecb874bea21110b3c501ecbb9a6ec44ce8ac44

Download Submit
C:\Users\Admin\AppData\Local\Temp\UFR.exe

Filesize
1015KB

MD5
eb40b0fb8931a46620f4a42258969213

SHA1
bfd6e0931826144b4b24b83c4abe244eebd330c2

SHA256
b935a9835a07ad642fe157e5b57e75092124feb750da2e383ee16593760b747e

SHA512
61758a07f0e7b9ea24d385822785b9bc17e039f74105227c04c746c89e1662bece9ff66e28e5b27221e52be5d584c8202a28b400e428ae62ac5869873a14e047

Download Submit
\Users\Admin\AppData\Local\Temp\Best Treiner.exe

Filesize
47KB

MD5
52c502d749eb4fd9a057abaf0db2a2cd

SHA1
ded71c3be511c13ef7e8d10dc7303877a4a31ad9

SHA256
777ada5f3cfd81c25781bfb1d9912b94a52412fb81527d2c8d2d1c1f4a04f721

SHA512
e70e91ff618fea2fc7726770f7d597c98db65a83052a0564bc59dbf0e90f64d0687ddc95d73a61077562f5da35ecb874bea21110b3c501ecbb9a6ec44ce8ac44

Download Submit
memory/968-62-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/968-70-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/968-71-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/1108-67-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1108-68-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1760-56-0x000007FEFB621000-0x000007FEFB623000-memory.dmp

Filesize
8KB

Download
memory/1760-54-0x000007FEF35E0000-0x000007FEF4003000-memory.dmp

Filesize
10.1MB

Download
memory/1760-63-0x0000000000B16000-0x0000000000B35000-memory.dmp

Filesize
124KB

Download
memory/1760-55-0x000007FEF2540000-0x000007FEF35D6000-memory.dmp

Filesize
16.6MB

Download

Analysis

Sharing