9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba

General

Target

9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe
Size

617KB
MD5

a3aa6ed3f24abe910f07e057d30b8d40
SHA1

1f3ca24b81ebd427946c4fc8d6a7ef3b9d8386e3
SHA256

9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba
SHA512

1e4434113b75b4520a40369e3d1a3418e73f0085b5392afb1ee9330b5bb619bfc2e1dbd1afc5aaf6f4bbfda69f243fddf4bbc79a768a03b1fcf02856eb99bc23
SSDEEP

12288:rQFaPYrf9Hz+1WD/W3VA7xJZ0aOyhKIcgUKhuO+7XsFgwmcd3:rQFuYZHzO4/W3KtH0aObIcsEH1B43

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1492-57-0x0000000000420000-0x0000000000559000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1492	9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe
1492	9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1492	9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1492	9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe
1492	9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 592	1492	9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe	27
PID 1492 wrote to memory of 592	1492	9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe	27
PID 1492 wrote to memory of 592	1492	9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe	27
PID 1492 wrote to memory of 592	1492	9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe	27

C:\Users\Admin\AppData\Local\Temp\9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe
"C:\Users\Admin\AppData\Local\Temp\9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe
  "C:\Users\Admin\AppData\Local\Temp\9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe" /_ShowProgress
  2⤵
  PID:592

Network

DNS

os.freewarefilescdn.com

9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe

Remote address:

8.8.8.8:53

Request

os.freewarefilescdn.com

IN A

Response
DNS

os2.freewarefilescdn.com

9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe

Remote address:

8.8.8.8:53

Request

os2.freewarefilescdn.com

IN A

Response

206.217.205.73:80

9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe

152 B
3
206.217.205.73:80

9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe

152 B
3
206.217.205.73:80

9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe

152 B
3
206.217.205.73:80

9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe

152 B
3
206.217.205.73:80

9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe

152 B
3
206.217.205.73:80

9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe

152 B
3

8.8.8.8:53

os.freewarefilescdn.com

dns

9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe

69 B
142 B
1
1

DNS Request

os.freewarefilescdn.com
8.8.8.8:53

os2.freewarefilescdn.com

dns

9eddd6e4e769f502fee205bc5a24f181162165324da63feff18b380a09ac27ba.exe

70 B
143 B
1
1

DNS Request

os2.freewarefilescdn.com

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/592-71-0x00000000004D6000-0x0000000000558000-memory.dmp

Filesize
520KB

Download
memory/1492-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1492-56-0x00000000004D6000-0x0000000000558000-memory.dmp

Filesize
520KB

Download
memory/1492-57-0x0000000000420000-0x0000000000559000-memory.dmp

Filesize
1.2MB

Download
memory/1492-61-0x0000000000250000-0x00000000002EB000-memory.dmp

Filesize
620KB

Download
memory/1492-60-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1492-62-0x00000000004D6000-0x0000000000558000-memory.dmp

Filesize
520KB

Download
memory/1492-63-0x0000000000421000-0x00000000004D6000-memory.dmp

Filesize
724KB

Download
memory/1492-74-0x00000000004D6000-0x0000000000558000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing