8b6b75686e8698d29bb8c70ce9d74d996570a2af8b9760e6219a9d97ce554081

General

Target

8b6b75686e8698d29bb8c70ce9d74d996570a2af8b9760e6219a9d97ce554081.exe
Size

66KB
MD5

0ce0177b75c91157846a10cf211ff227
SHA1

b45e4192bdeefea3991c1744062cb680d41cca6b
SHA256

8b6b75686e8698d29bb8c70ce9d74d996570a2af8b9760e6219a9d97ce554081
SHA512

d14ae4e510bb5152567c1c9eed6a0a3a3b50e36691a62c4347a712a027a2be043ab5fbd2889eb874743cff6ea8ac82bf902c70cbd7e674c0f4b34cd87fa39202
SSDEEP

1536:xNF1v8nmnsy+zxv2iqAl8eNuibs/5cZFODm061WuOdi1mBjy:3Fp8nmnozxv2iqABNuJEsmh1Od

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4308	rotr.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/440-132-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/files/0x0006000000022e65-134.dat	upx
behavioral2/files/0x0006000000022e65-135.dat	upx
behavioral2/memory/440-136-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/memory/4308-137-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/memory/4308-138-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	8b6b75686e8698d29bb8c70ce9d74d996570a2af8b9760e6219a9d97ce554081.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ieuu = "\"C:\\Program Files (x86)\\unue\\rotr.exe\" -vt mt"	8b6b75686e8698d29bb8c70ce9d74d996570a2af8b9760e6219a9d97ce554081.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	rotr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ieuu = "\"C:\\Program Files (x86)\\unue\\rotr.exe\" -vt mt"	rotr.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\unue\rotr.exe	8b6b75686e8698d29bb8c70ce9d74d996570a2af8b9760e6219a9d97ce554081.exe
File opened for modification	C:\Program Files (x86)\unue\rotr.exe	rotr.exe
File created	C:\Program Files (x86)\unue\rotr.exe	rotr.exe
File opened for modification	C:\Program Files (x86)\unue\rotr.exe	8b6b75686e8698d29bb8c70ce9d74d996570a2af8b9760e6219a9d97ce554081.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Tuah	8b6b75686e8698d29bb8c70ce9d74d996570a2af8b9760e6219a9d97ce554081.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Tuah\Aroo = 6afa41f20586239fa0709216	8b6b75686e8698d29bb8c70ce9d74d996570a2af8b9760e6219a9d97ce554081.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 440 wrote to memory of 4308	440	8b6b75686e8698d29bb8c70ce9d74d996570a2af8b9760e6219a9d97ce554081.exe	81
PID 440 wrote to memory of 4308	440	8b6b75686e8698d29bb8c70ce9d74d996570a2af8b9760e6219a9d97ce554081.exe	81
PID 440 wrote to memory of 4308	440	8b6b75686e8698d29bb8c70ce9d74d996570a2af8b9760e6219a9d97ce554081.exe	81

C:\Users\Admin\AppData\Local\Temp\8b6b75686e8698d29bb8c70ce9d74d996570a2af8b9760e6219a9d97ce554081.exe
"C:\Users\Admin\AppData\Local\Temp\8b6b75686e8698d29bb8c70ce9d74d996570a2af8b9760e6219a9d97ce554081.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:440
- C:\Program Files (x86)\unue\rotr.exe
  "C:\Program Files (x86)\unue\rotr.exe" -vt mt
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  PID:4308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\unue\rotr.exe

Filesize
66KB

MD5
0ce0177b75c91157846a10cf211ff227

SHA1
b45e4192bdeefea3991c1744062cb680d41cca6b

SHA256
8b6b75686e8698d29bb8c70ce9d74d996570a2af8b9760e6219a9d97ce554081

SHA512
d14ae4e510bb5152567c1c9eed6a0a3a3b50e36691a62c4347a712a027a2be043ab5fbd2889eb874743cff6ea8ac82bf902c70cbd7e674c0f4b34cd87fa39202

Download Submit
C:\Program Files (x86)\unue\rotr.exe

Filesize
66KB

MD5
0ce0177b75c91157846a10cf211ff227

SHA1
b45e4192bdeefea3991c1744062cb680d41cca6b

SHA256
8b6b75686e8698d29bb8c70ce9d74d996570a2af8b9760e6219a9d97ce554081

SHA512
d14ae4e510bb5152567c1c9eed6a0a3a3b50e36691a62c4347a712a027a2be043ab5fbd2889eb874743cff6ea8ac82bf902c70cbd7e674c0f4b34cd87fa39202

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
300B

MD5
bf034518c3427206cc85465dc2e296e5

SHA1
ef3d8f548ad3c26e08fa41f2a74e68707cfc3d3a

SHA256
e5da797df9533a2fcae7a6aa79f2b9872c8f227dd1c901c91014c7a9fa82ff7e

SHA512
c307eaf605bd02e03f25b58fa38ff8e59f4fb5672ef6cb5270c8bdb004bca56e47450777bfb7662797ffb18ab409cde66df4536510bc5a435cc945e662bddb78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\955A650A4A681FA4B13E8D1D10E46F0C

Filesize
346B

MD5
05998b25320bff12fa70f99e6693ad8a

SHA1
98f290592d58180aee0591fff6b10afeb07d4943

SHA256
cbeddc565f097b2c6ce739d7208ab18f36b64bfbd898b4df6af0cafd452cb20c

SHA512
73803248ac30da2f1343209fc38df05710fbd7af3f6e175d89329beb53ab36129e46209cf858398916ca8d258f472df72d1318b862564a293b755efd206b6526

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
646f67ffbb622153ac38a01dcdd528ff

SHA1
90486f92ef864f0c858125d733950f2dc0132159

SHA256
20aa17d64551e2652fcff97a975e52b0f83b400bfd8945f975b664dc4d963fc8

SHA512
19e4c2781323ff7a09d0a8b807ac47bcc36de5b188cb7b78724780ac5993f50cb7e483fe43d19528afb193cbfcc3bdfe7d858d26997f791c542a843729928ac0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
192B

MD5
db2bde1cb0a270f00f241b45d8af10a9

SHA1
22650fa4df0f04c5d07de0612a117393c018e98e

SHA256
a0d7b6e2724c72047f9bebcf0f47dbea16c6abff803cc10318bdcb98871f4896

SHA512
7b79eb41ff20ba43ade81b551876ac6c139650af8f487ac242fe1b214bbcc133f39180aff781c159fe9f77043462cc5a23b6fd246a592c7481d0775971720cd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\955A650A4A681FA4B13E8D1D10E46F0C

Filesize
544B

MD5
cdcf4f5b17daf89f0395c8ceb12a16e8

SHA1
2550e61f2b4bafbcad9bbb817ceb155d6bca6e74

SHA256
8fabbe5bf85da70784f4e6798b036b2a58df002d9c445974f366dc9b146e9927

SHA512
35631edb9c079d69902a442066ad0ca51192677c9319b9caa60516cad18531f0aec8fca026f3bec825320b15b72e6f4072218cbbefa481e5730bd01e8c716a3a

Download Submit
memory/440-132-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/440-136-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4308-138-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4308-137-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4308-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing