8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434

General

Target

8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434.exe
Size

85KB
MD5

6d10da60bad5b5970eadc45c129aac60
SHA1

2c050e96712dab6ddb2a260e6f9f3ce2d94a9001
SHA256

8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434
SHA512

7cd8128441b4dea90c4482ff4e18938978b1f5ec0fd5eb78a6e7f760f5dc5b0524076071dfac425aca1799c4183da9287cf413ae33a53b5e9569d9f1372d966d
SSDEEP

1536:XOImZsvlgpFZAvScr5RoAH25Y/CtwJGspcIoDOcVnQ3xvnouy8Y:+FZfi6CNH6zwgspgD0x/outY

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1732	IntelDriver.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1228-56-0x0000000000400000-0x00000000004FE000-memory.dmp	upx
behavioral1/files/0x000a000000012324-61.dat	upx
behavioral1/files/0x000a000000012324-65.dat	upx
behavioral1/files/0x000a000000012324-64.dat	upx
behavioral1/files/0x000a000000012324-63.dat	upx
behavioral1/files/0x000a000000012324-62.dat	upx
behavioral1/files/0x000a000000012324-69.dat	upx
behavioral1/memory/1228-70-0x0000000000400000-0x00000000004FE000-memory.dmp	upx
behavioral1/memory/1732-74-0x0000000000400000-0x00000000004FE000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
1228	8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434.exe
1228	8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434.exe
1228	8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434.exe
1228	8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434.exe
1228	8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Intel GMA X4100 = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\IntelDriver.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process
PID 1732 set thread context of 0	1732	IntelDriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1228	8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434.exe
1732	IntelDriver.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 904	1228	8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434.exe	27
PID 1228 wrote to memory of 904	1228	8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434.exe	27
PID 1228 wrote to memory of 904	1228	8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434.exe	27
PID 1228 wrote to memory of 904	1228	8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434.exe	27
PID 904 wrote to memory of 332	904	cmd.exe	29
PID 904 wrote to memory of 332	904	cmd.exe	29
PID 904 wrote to memory of 332	904	cmd.exe	29
PID 904 wrote to memory of 332	904	cmd.exe	29
PID 1228 wrote to memory of 1732	1228	8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434.exe	30
PID 1228 wrote to memory of 1732	1228	8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434.exe	30
PID 1228 wrote to memory of 1732	1228	8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434.exe	30
PID 1228 wrote to memory of 1732	1228	8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434.exe	30
PID 1732 wrote to memory of 0	1732	IntelDriver.exe
PID 1732 wrote to memory of 0	1732	IntelDriver.exe
PID 1732 wrote to memory of 0	1732	IntelDriver.exe
PID 1732 wrote to memory of 0	1732	IntelDriver.exe
PID 1732 wrote to memory of 0	1732	IntelDriver.exe

C:\Users\Admin\AppData\Local\Temp\8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434.exe
"C:\Users\Admin\AppData\Local\Temp\8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\UXMLN.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Intel GMA X4100" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system32\IntelDriver.exe" /f
    3⤵
    - Adds Run key to start application
    PID:332
- C:\Users\Admin\AppData\Roaming\system32\IntelDriver.exe
  "C:\Users\Admin\AppData\Roaming\system32\IntelDriver.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UXMLN.bat

Filesize
155B

MD5
dde51921a08675349429286e8f8574ee

SHA1
776e3f4e35c1b871d1474cc774ec9e3496b1b802

SHA256
15027bf4347d7a93bf0a29592a9d248586dc6f336c705e3fe3315b96528dace2

SHA512
5760496d074cffc356c4ce70be090b27623ba6d0ca8633c5d4c0fb0c4ce8f584d16dc64ee8726b0b35e47f5ceecb95ed7dc619c436c1f1db363218d08db2d89d

Download Submit
C:\Users\Admin\AppData\Roaming\system32\IntelDriver.exe

Filesize
85KB

MD5
6d10da60bad5b5970eadc45c129aac60

SHA1
2c050e96712dab6ddb2a260e6f9f3ce2d94a9001

SHA256
8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434

SHA512
7cd8128441b4dea90c4482ff4e18938978b1f5ec0fd5eb78a6e7f760f5dc5b0524076071dfac425aca1799c4183da9287cf413ae33a53b5e9569d9f1372d966d

Download Submit
\Users\Admin\AppData\Roaming\system32\IntelDriver.exe

Filesize
85KB

MD5
6d10da60bad5b5970eadc45c129aac60

SHA1
2c050e96712dab6ddb2a260e6f9f3ce2d94a9001

SHA256
8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434

SHA512
7cd8128441b4dea90c4482ff4e18938978b1f5ec0fd5eb78a6e7f760f5dc5b0524076071dfac425aca1799c4183da9287cf413ae33a53b5e9569d9f1372d966d

Download Submit
\Users\Admin\AppData\Roaming\system32\IntelDriver.exe

Filesize
85KB

MD5
6d10da60bad5b5970eadc45c129aac60

SHA1
2c050e96712dab6ddb2a260e6f9f3ce2d94a9001

SHA256
8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434

SHA512
7cd8128441b4dea90c4482ff4e18938978b1f5ec0fd5eb78a6e7f760f5dc5b0524076071dfac425aca1799c4183da9287cf413ae33a53b5e9569d9f1372d966d

Download Submit
\Users\Admin\AppData\Roaming\system32\IntelDriver.exe

Filesize
85KB

MD5
6d10da60bad5b5970eadc45c129aac60

SHA1
2c050e96712dab6ddb2a260e6f9f3ce2d94a9001

SHA256
8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434

SHA512
7cd8128441b4dea90c4482ff4e18938978b1f5ec0fd5eb78a6e7f760f5dc5b0524076071dfac425aca1799c4183da9287cf413ae33a53b5e9569d9f1372d966d

Download Submit
\Users\Admin\AppData\Roaming\system32\IntelDriver.exe

Filesize
85KB

MD5
6d10da60bad5b5970eadc45c129aac60

SHA1
2c050e96712dab6ddb2a260e6f9f3ce2d94a9001

SHA256
8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434

SHA512
7cd8128441b4dea90c4482ff4e18938978b1f5ec0fd5eb78a6e7f760f5dc5b0524076071dfac425aca1799c4183da9287cf413ae33a53b5e9569d9f1372d966d

Download Submit
\Users\Admin\AppData\Roaming\system32\IntelDriver.exe

Filesize
85KB

MD5
6d10da60bad5b5970eadc45c129aac60

SHA1
2c050e96712dab6ddb2a260e6f9f3ce2d94a9001

SHA256
8ea4bd84d73349eb2f750768d9b5e8cf8271f0aafad92a9be4319648fffae434

SHA512
7cd8128441b4dea90c4482ff4e18938978b1f5ec0fd5eb78a6e7f760f5dc5b0524076071dfac425aca1799c4183da9287cf413ae33a53b5e9569d9f1372d966d

Download Submit
memory/0-73-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1228-56-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/1228-67-0x0000000003140000-0x000000000323E000-memory.dmp

Filesize
1016KB

Download
memory/1228-68-0x0000000003140000-0x000000000323E000-memory.dmp

Filesize
1016KB

Download
memory/1228-70-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/1228-57-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1732-74-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download

Analysis

Sharing