a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f

General

Target

a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.exe
Size

659KB
MD5

2ee9076557c7c3ff17203b0ccba0501f
SHA1

b235a9d7e422c7ea03a8e36023cbf2de2c04724e
SHA256

a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f
SHA512

9f452245a36e24b5c3ee6854196fd7e409e120f3c4b98833f2801938dfe8dd2f07dbdc5b94b6b629f6d596419b4e2044b527b01a86efdb745f55c6a2bed3f318
SSDEEP

12288:2ITHQuBsNYHuo1y0I5sG1/HkgUcU6kUgnd5aNesU:2ITQURHu8yEG506Yndxs

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4260	a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.dmy

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1376-132-0x0000000000400000-0x00000000005BC000-memory.dmp	upx
behavioral2/files/0x000400000000072f-134.dat	upx
behavioral2/files/0x000400000000072f-135.dat	upx
behavioral2/memory/4260-136-0x0000000000400000-0x00000000005BC000-memory.dmp	upx
behavioral2/memory/1376-137-0x0000000000400000-0x00000000005BC000-memory.dmp	upx
behavioral2/memory/4260-138-0x0000000000400000-0x00000000005BC000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
4260	a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.dmy
4260	a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.dmy

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.dmy
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.dmy
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.dmy
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.dmy

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1376	a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.exe
1376	a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.exe
4260	a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.dmy
4260	a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.dmy

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1376	a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.exe
1376	a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.exe
1376	a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.exe
1376	a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.exe
4260	a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.dmy
4260	a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.dmy
4260	a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.dmy
4260	a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.dmy

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 4260	1376	a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.exe	82
PID 1376 wrote to memory of 4260	1376	a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.exe	82
PID 1376 wrote to memory of 4260	1376	a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.exe	82

C:\Users\Admin\AppData\Local\Temp\a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.exe
"C:\Users\Admin\AppData\Local\Temp\a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.dmy
  C:\Users\Admin\AppData\Local\Temp\a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.dmy
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.dmy

Filesize
659KB

MD5
2ee9076557c7c3ff17203b0ccba0501f

SHA1
b235a9d7e422c7ea03a8e36023cbf2de2c04724e

SHA256
a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f

SHA512
9f452245a36e24b5c3ee6854196fd7e409e120f3c4b98833f2801938dfe8dd2f07dbdc5b94b6b629f6d596419b4e2044b527b01a86efdb745f55c6a2bed3f318

Download Submit
C:\Users\Admin\AppData\Local\Temp\a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f.dmy

Filesize
659KB

MD5
2ee9076557c7c3ff17203b0ccba0501f

SHA1
b235a9d7e422c7ea03a8e36023cbf2de2c04724e

SHA256
a537621e9dd330cc6973fa3962ee872043373d9aa1c6ee99f6f90d7fe2f1ac8f

SHA512
9f452245a36e24b5c3ee6854196fd7e409e120f3c4b98833f2801938dfe8dd2f07dbdc5b94b6b629f6d596419b4e2044b527b01a86efdb745f55c6a2bed3f318

Download Submit
C:\Users\Admin\AppData\Local\Temp\ziplib.dll

Filesize
453KB

MD5
6df0ed0afe162198116be68aba60e0c4

SHA1
bd0ca25ff4e495717be7345933aaa90755e5a6ca

SHA256
14172cccc2b24d7b490b6038c9493e64d5cab4afeee62014710dfad546eec9dc

SHA512
6696ec1e2261e44e1259609f74e95c205165048d94e581f44b09b87fc70e89b2eaeecd09b7de9cb9735dab0b9d90dd4ff7b5ac07e4b5bd8e5f502e71bbfdb757

Download Submit
C:\Users\Admin\AppData\Local\Temp\ziplib.dll

Filesize
453KB

MD5
6df0ed0afe162198116be68aba60e0c4

SHA1
bd0ca25ff4e495717be7345933aaa90755e5a6ca

SHA256
14172cccc2b24d7b490b6038c9493e64d5cab4afeee62014710dfad546eec9dc

SHA512
6696ec1e2261e44e1259609f74e95c205165048d94e581f44b09b87fc70e89b2eaeecd09b7de9cb9735dab0b9d90dd4ff7b5ac07e4b5bd8e5f502e71bbfdb757

Download Submit
memory/1376-132-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/1376-137-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/4260-136-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/4260-138-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/4260-141-0x000000000BA40000-0x000000000BAB7000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing