31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a

General

Target

31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.exe
Size

3.4MB
MD5

580a367267582f4a328ff28da7758065
SHA1

b37bc18b864600113080c123880f2091bb6cc55d
SHA256

31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a
SHA512

0ae82f3ece93da1bb58ba691a9b8d38b7248b9f1dc123ec89a2a79a8695af7a7cfac5b5d7ff478376f5909dcfd317e200c2ccb3ff381437c6136cd22d7e4f6bf
SSDEEP

98304:vHeaEJPELI+OFZUpBOgICqfMps1r7YYH5NuXSU+M:/eHwfOIBOgvs1r7Y87M

Score

8^/10

discovery upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/364-55-0x0000000000400000-0x0000000000ABB000-memory.dmp	upx
behavioral1/memory/364-57-0x0000000000400000-0x0000000000ABB000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.DynamicNS\Clsid\ = "{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}"	31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\ProgID\ = "31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.DynamicNS"	31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}	31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.DynamicNS\ = "DynamicNS"	31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.exe"	31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.DynamicNS	31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.DynamicNS\Clsid	31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\ProgID	31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\ = "DynamicNS"	31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\LocalServer32	31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
364	31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
364	31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.exe
364	31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.exe
364	31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.exe
364	31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.exe
364	31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.exe

C:\Users\Admin\AppData\Local\Temp\31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.exe
"C:\Users\Admin\AppData\Local\Temp\31eeeecb431fd5add1cf10d0e4d5a01a0a07b12489cf1fb73df460d14590738a.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/364-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/364-55-0x0000000000400000-0x0000000000ABB000-memory.dmp

Filesize
6.7MB

Download
memory/364-56-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/364-57-0x0000000000400000-0x0000000000ABB000-memory.dmp

Filesize
6.7MB

Download
memory/364-59-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing