df7145455eefc9c2c68b7e35ab078d103abdc1095f7572f5fe53d011577088e0

General

Target

df7145455eefc9c2c68b7e35ab078d103abdc1095f7572f5fe53d011577088e0.exe
Size

879KB
MD5

a297a217987296030bb7cc486bfa8d20
SHA1

0a4273cfd819111da5282ac30fcb05a6ac68ff31
SHA256

df7145455eefc9c2c68b7e35ab078d103abdc1095f7572f5fe53d011577088e0
SHA512

97b3ce0c0b96e2553406206569ba521d23076efe329bca491d4e3481083deee829e54fd042f0eac7479eeeb35a0a52fac447657ed5d8315ea7afe96f0ee93287
SSDEEP

24576:r3R8Mqs12ebv3CVbRiDcWWXw+sBodhdXkpEYGGOPp:rB8Mqs12ebv3CBR8cE+sBo/dDbGGp

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2008	1673845.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00140000000054ab-61.dat	upx
behavioral1/files/0x00140000000054ab-62.dat	upx
behavioral1/files/0x00140000000054ab-64.dat	upx
behavioral1/files/0x00140000000054ab-68.dat	upx
behavioral1/files/0x00140000000054ab-71.dat	upx

Deletes itself 1 IoCs

pid	Process
1784	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1784	cmd.exe
2008	1673845.exe
2008	1673845.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	df7145455eefc9c2c68b7e35ab078d103abdc1095f7572f5fe53d011577088e0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\df7145455eefc9c2c68b7e35ab078d103abdc1095f7572f5fe53d011577088e0 = "\"C:\\Users\\Admin\\AppData\\Local\\1673845.exe\" 0 30 "	df7145455eefc9c2c68b7e35ab078d103abdc1095f7572f5fe53d011577088e0.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	1673845.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\1673845 = "\"C:\\Users\\Admin\\AppData\\Local\\1673845.exe\" 0 23 "	1673845.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2024	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2008	1673845.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2008	1673845.exe
2008	1673845.exe
2008	1673845.exe
2008	1673845.exe
2008	1673845.exe
2008	1673845.exe
2008	1673845.exe
2008	1673845.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2008	1673845.exe
2008	1673845.exe
2008	1673845.exe
2008	1673845.exe
2008	1673845.exe
2008	1673845.exe
2008	1673845.exe
2008	1673845.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 1784	780	df7145455eefc9c2c68b7e35ab078d103abdc1095f7572f5fe53d011577088e0.exe	28
PID 780 wrote to memory of 1784	780	df7145455eefc9c2c68b7e35ab078d103abdc1095f7572f5fe53d011577088e0.exe	28
PID 780 wrote to memory of 1784	780	df7145455eefc9c2c68b7e35ab078d103abdc1095f7572f5fe53d011577088e0.exe	28
PID 780 wrote to memory of 1784	780	df7145455eefc9c2c68b7e35ab078d103abdc1095f7572f5fe53d011577088e0.exe	28
PID 1784 wrote to memory of 2024	1784	cmd.exe	30
PID 1784 wrote to memory of 2024	1784	cmd.exe	30
PID 1784 wrote to memory of 2024	1784	cmd.exe	30
PID 1784 wrote to memory of 2024	1784	cmd.exe	30
PID 1784 wrote to memory of 2008	1784	cmd.exe	31
PID 1784 wrote to memory of 2008	1784	cmd.exe	31
PID 1784 wrote to memory of 2008	1784	cmd.exe	31
PID 1784 wrote to memory of 2008	1784	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\df7145455eefc9c2c68b7e35ab078d103abdc1095f7572f5fe53d011577088e0.exe
"C:\Users\Admin\AppData\Local\Temp\df7145455eefc9c2c68b7e35ab078d103abdc1095f7572f5fe53d011577088e0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\572349.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v df7145455eefc9c2c68b7e35ab078d103abdc1095f7572f5fe53d011577088e0 /f
    3⤵
    - Modifies registry key
    PID:2024
- - C:\Users\Admin\AppData\Local\1673845.exe
    C:\Users\Admin\AppData\Local\1673845.exe -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1673845.exe

Filesize
879KB

MD5
a297a217987296030bb7cc486bfa8d20

SHA1
0a4273cfd819111da5282ac30fcb05a6ac68ff31

SHA256
df7145455eefc9c2c68b7e35ab078d103abdc1095f7572f5fe53d011577088e0

SHA512
97b3ce0c0b96e2553406206569ba521d23076efe329bca491d4e3481083deee829e54fd042f0eac7479eeeb35a0a52fac447657ed5d8315ea7afe96f0ee93287

Download Submit
C:\Users\Admin\AppData\Local\1673845.exe

Filesize
879KB

MD5
a297a217987296030bb7cc486bfa8d20

SHA1
0a4273cfd819111da5282ac30fcb05a6ac68ff31

SHA256
df7145455eefc9c2c68b7e35ab078d103abdc1095f7572f5fe53d011577088e0

SHA512
97b3ce0c0b96e2553406206569ba521d23076efe329bca491d4e3481083deee829e54fd042f0eac7479eeeb35a0a52fac447657ed5d8315ea7afe96f0ee93287

Download Submit
C:\Users\Admin\AppData\Local\Temp\572349.bat

Filesize
455B

MD5
e4b4bbf00db30c160e9c8f3e9a53f6f5

SHA1
c45355374957457a928cca04754be5ef3168681e

SHA256
2b5b9e71ea3ed4a565b14a80353bdab89765da06ad918a47afcc643279dd89d4

SHA512
3190fede404e21ffe6f970c960fdfa58d61bd753a6bf6293e8f278f93da22ad8f4526a571f43bc62b59d8c15310981bebc64d88f747fde2064fd4cd31a0c5a3d

Download Submit
\Users\Admin\AppData\Local\1673845.exe

Filesize
879KB

MD5
a297a217987296030bb7cc486bfa8d20

SHA1
0a4273cfd819111da5282ac30fcb05a6ac68ff31

SHA256
df7145455eefc9c2c68b7e35ab078d103abdc1095f7572f5fe53d011577088e0

SHA512
97b3ce0c0b96e2553406206569ba521d23076efe329bca491d4e3481083deee829e54fd042f0eac7479eeeb35a0a52fac447657ed5d8315ea7afe96f0ee93287

Download Submit
\Users\Admin\AppData\Local\1673845.exe

Filesize
879KB

MD5
a297a217987296030bb7cc486bfa8d20

SHA1
0a4273cfd819111da5282ac30fcb05a6ac68ff31

SHA256
df7145455eefc9c2c68b7e35ab078d103abdc1095f7572f5fe53d011577088e0

SHA512
97b3ce0c0b96e2553406206569ba521d23076efe329bca491d4e3481083deee829e54fd042f0eac7479eeeb35a0a52fac447657ed5d8315ea7afe96f0ee93287

Download Submit
\Users\Admin\AppData\Local\1673845.exe

Filesize
879KB

MD5
a297a217987296030bb7cc486bfa8d20

SHA1
0a4273cfd819111da5282ac30fcb05a6ac68ff31

SHA256
df7145455eefc9c2c68b7e35ab078d103abdc1095f7572f5fe53d011577088e0

SHA512
97b3ce0c0b96e2553406206569ba521d23076efe329bca491d4e3481083deee829e54fd042f0eac7479eeeb35a0a52fac447657ed5d8315ea7afe96f0ee93287

Download Submit
memory/780-55-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/780-54-0x0000000000830000-0x0000000000C61000-memory.dmp

Filesize
4.2MB

Download
memory/780-56-0x0000000001000000-0x000000000157F000-memory.dmp

Filesize
5.5MB

Download
memory/780-58-0x0000000001000000-0x000000000157F000-memory.dmp

Filesize
5.5MB

Download
memory/2008-67-0x0000000001000000-0x000000000157F000-memory.dmp

Filesize
5.5MB

Download
memory/2008-69-0x0000000001000000-0x000000000157F000-memory.dmp

Filesize
5.5MB

Download
memory/2008-70-0x0000000003580000-0x0000000003AFF000-memory.dmp

Filesize
5.5MB

Download
memory/2008-72-0x0000000003E70000-0x0000000003E80000-memory.dmp

Filesize
64KB

Download
memory/2008-73-0x0000000001000000-0x000000000157F000-memory.dmp

Filesize
5.5MB

Download
memory/2008-74-0x0000000003580000-0x0000000003AFF000-memory.dmp

Filesize
5.5MB

Download
memory/2008-75-0x0000000003E70000-0x0000000003E80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads