75e10cadf357f35c9cb9095ce78354b25237338cd21877d34770e2c9d3780a42

General

Target

75e10cadf357f35c9cb9095ce78354b25237338cd21877d34770e2c9d3780a42.exe
Size

2.3MB
MD5

313f09780a2ad45f5a7f7eb5cd3bc74a
SHA1

dc162675599bc6613b0cde34203f59ee9ebac1db
SHA256

75e10cadf357f35c9cb9095ce78354b25237338cd21877d34770e2c9d3780a42
SHA512

797ad380df4e9add6ef3043dca8d64cf09a4c7256139378dfb62dcffa6176ddbe4630c4c1ac8860fee9bff1d62c59dc20f53d0cbd96469ed4a4d478e18459004
SSDEEP

49152:ueDEAqF5rR6iU9yzhDs/ioe3ugjNAYo/xQvF1XWbtKGY6FammuGpNTgFKlcOShch:ueDEAqF5rR6iU9yzRs/ioe3ugjNAYGiV

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1888	Bat_To_Exe_Converter_(x32).exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b0000000122cd-55.dat	upx
behavioral1/files/0x000b0000000122cd-56.dat	upx
behavioral1/files/0x000b0000000122cd-59.dat	upx
behavioral1/files/0x000b0000000122cd-58.dat	upx
behavioral1/files/0x000b0000000122cd-57.dat	upx
behavioral1/files/0x000b0000000122cd-61.dat	upx
behavioral1/memory/1888-65-0x0000000000400000-0x0000000000742000-memory.dmp	upx
behavioral1/memory/1888-69-0x0000000000400000-0x0000000000742000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
1648	75e10cadf357f35c9cb9095ce78354b25237338cd21877d34770e2c9d3780a42.exe
1648	75e10cadf357f35c9cb9095ce78354b25237338cd21877d34770e2c9d3780a42.exe
1648	75e10cadf357f35c9cb9095ce78354b25237338cd21877d34770e2c9d3780a42.exe
1648	75e10cadf357f35c9cb9095ce78354b25237338cd21877d34770e2c9d3780a42.exe
1648	75e10cadf357f35c9cb9095ce78354b25237338cd21877d34770e2c9d3780a42.exe
1888	Bat_To_Exe_Converter_(x32).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 1888	1648	75e10cadf357f35c9cb9095ce78354b25237338cd21877d34770e2c9d3780a42.exe	28
PID 1648 wrote to memory of 1888	1648	75e10cadf357f35c9cb9095ce78354b25237338cd21877d34770e2c9d3780a42.exe	28
PID 1648 wrote to memory of 1888	1648	75e10cadf357f35c9cb9095ce78354b25237338cd21877d34770e2c9d3780a42.exe	28
PID 1648 wrote to memory of 1888	1648	75e10cadf357f35c9cb9095ce78354b25237338cd21877d34770e2c9d3780a42.exe	28

C:\Users\Admin\AppData\Local\Temp\75e10cadf357f35c9cb9095ce78354b25237338cd21877d34770e2c9d3780a42.exe
"C:\Users\Admin\AppData\Local\Temp\75e10cadf357f35c9cb9095ce78354b25237338cd21877d34770e2c9d3780a42.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Bat_To_Exe_Converter_(x32).exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Bat_To_Exe_Converter_(x32).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Bat_To_Exe_Converter_(x32).exe

Filesize
1.8MB

MD5
4229d83b56553a234b5141fa43464f61

SHA1
d4af1ffc18d9f64d24902a917f5b5a2513c3d85a

SHA256
6d0db8805dde63767573ec5453f344c10cfa62762908694410da2c781d059969

SHA512
9056017089a2c82118b184e7b235ab60bfac5b6a766a372ccfc9f042422ab23ee3b32b369434ed1631c2790a3d455ad72665af748ea41723c09a0bbad46625e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\settings

Filesize
478B

MD5
2ecfdc8c69ab074112c3447a08e7735c

SHA1
c662820fcef61542dda2b5f2e83260b29a88f338

SHA256
604c7adfa98f4f81e6700d0b3811bc84b191e3c584d31d8cdb4261b93a5121f1

SHA512
3fb7d7cc81b3d6290b3071e91db9dc783489b85a893ad689277783ded2bba8a2f4608c17310166348e97458277ee79efdec2509b7822d76df89c467d2aaccee2

Download Submit
\Users\Admin\AppData\Local\Temp\E937.tmp\Scilexer.dll

Filesize
399KB

MD5
9092cc0fa27603c620df12b58c4c89df

SHA1
7b2e36fcf71aa8e20c3006a1ec001d50503a66e7

SHA256
6468cdf465b47c64ec621f548fff5e32ca24e21f50a331a17014f68006b12f0e

SHA512
a5a0d023cd06cc3b398b6929dfefb345d1ead3de54728b916e2c1c6a492a34ef610a0eedb55864b6f3d6f98fde2273223b4496a5a27b1b3ba87ba0baa6138419

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Bat_To_Exe_Converter_(x32).exe

Filesize
1.8MB

MD5
4229d83b56553a234b5141fa43464f61

SHA1
d4af1ffc18d9f64d24902a917f5b5a2513c3d85a

SHA256
6d0db8805dde63767573ec5453f344c10cfa62762908694410da2c781d059969

SHA512
9056017089a2c82118b184e7b235ab60bfac5b6a766a372ccfc9f042422ab23ee3b32b369434ed1631c2790a3d455ad72665af748ea41723c09a0bbad46625e8

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Bat_To_Exe_Converter_(x32).exe

Filesize
1.8MB

MD5
4229d83b56553a234b5141fa43464f61

SHA1
d4af1ffc18d9f64d24902a917f5b5a2513c3d85a

SHA256
6d0db8805dde63767573ec5453f344c10cfa62762908694410da2c781d059969

SHA512
9056017089a2c82118b184e7b235ab60bfac5b6a766a372ccfc9f042422ab23ee3b32b369434ed1631c2790a3d455ad72665af748ea41723c09a0bbad46625e8

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Bat_To_Exe_Converter_(x32).exe

Filesize
1.8MB

MD5
4229d83b56553a234b5141fa43464f61

SHA1
d4af1ffc18d9f64d24902a917f5b5a2513c3d85a

SHA256
6d0db8805dde63767573ec5453f344c10cfa62762908694410da2c781d059969

SHA512
9056017089a2c82118b184e7b235ab60bfac5b6a766a372ccfc9f042422ab23ee3b32b369434ed1631c2790a3d455ad72665af748ea41723c09a0bbad46625e8

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Bat_To_Exe_Converter_(x32).exe

Filesize
1.8MB

MD5
4229d83b56553a234b5141fa43464f61

SHA1
d4af1ffc18d9f64d24902a917f5b5a2513c3d85a

SHA256
6d0db8805dde63767573ec5453f344c10cfa62762908694410da2c781d059969

SHA512
9056017089a2c82118b184e7b235ab60bfac5b6a766a372ccfc9f042422ab23ee3b32b369434ed1631c2790a3d455ad72665af748ea41723c09a0bbad46625e8

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Bat_To_Exe_Converter_(x32).exe

Filesize
1.8MB

MD5
4229d83b56553a234b5141fa43464f61

SHA1
d4af1ffc18d9f64d24902a917f5b5a2513c3d85a

SHA256
6d0db8805dde63767573ec5453f344c10cfa62762908694410da2c781d059969

SHA512
9056017089a2c82118b184e7b235ab60bfac5b6a766a372ccfc9f042422ab23ee3b32b369434ed1631c2790a3d455ad72665af748ea41723c09a0bbad46625e8

Download Submit
memory/1648-64-0x0000000003120000-0x0000000003462000-memory.dmp

Filesize
3.3MB

Download
memory/1648-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1648-63-0x0000000003120000-0x0000000003462000-memory.dmp

Filesize
3.3MB

Download
memory/1648-68-0x0000000003130000-0x0000000003472000-memory.dmp

Filesize
3.3MB

Download
memory/1888-65-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download
memory/1888-69-0x0000000000400000-0x0000000000742000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing