cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210

General

Target

cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe
Size

406KB
MD5

6ed334c33b8c2d716959dfeb60c45c05
SHA1

0c81453ad960133889c48719bcd4794da0576522
SHA256

cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210
SHA512

b8c30fc4bcef86904f9d1bff3a3c689e89ace2197de125a18117df1df4fe452ab30f7fb6b37b520cfdbc70a9e347f3539c014d0e36598bd2c1e9e0db2f61fd0e
SSDEEP

6144:a6VNA/Db+2qCAQ3cuNGfQV/Db+2qCAQ3cuNGfQ:/s+UTcuNz+UTcuN

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1380-138-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/1380-140-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/1380-141-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/1380-142-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/1380-143-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4904 set thread context of 3048	4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe	82
PID 4904 set thread context of 2212	4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe	84
PID 4904 set thread context of 1380	4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe	86

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4748	3048	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1380	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe
1380	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe
1380	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe
1380	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 3048	4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe	82
PID 4904 wrote to memory of 3048	4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe	82
PID 4904 wrote to memory of 3048	4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe	82
PID 4904 wrote to memory of 3048	4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe	82
PID 4904 wrote to memory of 2212	4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe	84
PID 4904 wrote to memory of 2212	4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe	84
PID 4904 wrote to memory of 2212	4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe	84
PID 4904 wrote to memory of 2212	4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe	84
PID 4904 wrote to memory of 2212	4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe	84
PID 4904 wrote to memory of 2212	4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe	84
PID 4904 wrote to memory of 2212	4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe	84
PID 4904 wrote to memory of 2212	4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe	84
PID 4904 wrote to memory of 2212	4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe	84
PID 4904 wrote to memory of 1380	4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe	86
PID 4904 wrote to memory of 1380	4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe	86
PID 4904 wrote to memory of 1380	4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe	86
PID 4904 wrote to memory of 1380	4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe	86
PID 4904 wrote to memory of 1380	4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe	86
PID 4904 wrote to memory of 1380	4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe	86
PID 4904 wrote to memory of 1380	4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe	86
PID 4904 wrote to memory of 1380	4904	cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe	86

C:\Users\Admin\AppData\Local\Temp\cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe
"C:\Users\Admin\AppData\Local\Temp\cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Users\Admin\AppData\Local\Temp\cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe
  "C:\Users\Admin\AppData\Local\Temp\cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe"
  2⤵
  PID:3048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 80
    3⤵
    - Program crash
    PID:4748
- C:\Users\Admin\AppData\Local\Temp\cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe
  "C:\Users\Admin\AppData\Local\Temp\cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe"
  2⤵
  PID:2212
- C:\Users\Admin\AppData\Local\Temp\cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe
  "C:\Users\Admin\AppData\Local\Temp\cbb045d993152a1cc42d48dae70cd4c9f3a7084d6b4d03a1b6dc562da0f14210.exe"
  2⤵
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3048 -ip 3048
1⤵
PID:4148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1380-138-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1380-140-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1380-141-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1380-142-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1380-143-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2212-136-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing