1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce

General

Target

1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce.exe
Size

153KB
MD5

0d65678582751e1cc664cf99b76fcd9f
SHA1

81e56007a2241729ef603e99db663ff8c4173998
SHA256

1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce
SHA512

01481b707d0e4453de33425c7255855526040686b5a40f01dfe3960c788959b96169a95e097dccd1c39df3779ba38926604a188e35e4b4d1c6e3042f9d98abdb
SSDEEP

3072:TDzwcnF7u7rVWikKU2FYLpXovtfyP79i6+pUzCz:TDzwcnF679goY5i6+po2

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/536-55-0x0000000001000000-0x000000000104F000-memory.dmp	upx
behavioral1/memory/536-57-0x0000000001000000-0x000000000104F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\svchost.vir	1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vcf\ = "vcard_wab_auto_file"	1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vcf\Content Type = "text/x-vcard"	1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file	1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\ = "vCard File"	1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\shell\open\command	1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\shell\open\command\ = "\"C:\\Program Files (x86)\\Windows Mail\\wab.exe\" /vcard %1"	1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wab	1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vcf	1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\DefaultIcon	1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\DefaultIcon\ = "\"C:\\Program Files (x86)\\Windows Mail\\wab.exe\",1"	1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/x-vcard	1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/x-vcard\Extension = ".vcf"	1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	536	1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce.exe

C:\Users\Admin\AppData\Local\Temp\1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce.exe
"C:\Users\Admin\AppData\Local\Temp\1f1d752ca2f1b3d554a3d2ab87ad7e99fd4a74d46a5c5b8a2ddab289116852ce.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/536-54-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/536-55-0x0000000001000000-0x000000000104F000-memory.dmp

Filesize
316KB

Download
memory/536-56-0x0000000074BF1000-0x0000000074BF3000-memory.dmp

Filesize
8KB

Download
memory/536-57-0x0000000001000000-0x000000000104F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing