e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173

General

Target

e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe
Size

419KB
MD5

073a79104101a2ae4535719f94bc8480
SHA1

51a2fb2180a8e2a50e8f6b39de8602cf117cf857
SHA256

e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173
SHA512

866901ad79d94ac6e1cdd6e415aa2d6286844078f12b23ff37643a67dc6c5fcfbd975831eb58f6e464896a6269ddeec2cbcf3376be7068e94fc14eac23507a7d
SSDEEP

6144:u7PjM1h2DiL6yA8IpdJfLKLzmPPb+WCFOnDK0svS:yMLM2tIpnGzmPSWC64K

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1208	opzes.exe
520	asyvq.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000012726-67.dat	upx
behavioral1/files/0x0009000000012726-69.dat	upx
behavioral1/memory/520-72-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral1/memory/520-73-0x0000000000400000-0x00000000004B3000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1376	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
788	e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe
1208	opzes.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
520	asyvq.exe
520	asyvq.exe
520	asyvq.exe
520	asyvq.exe
520	asyvq.exe
520	asyvq.exe
520	asyvq.exe
520	asyvq.exe
520	asyvq.exe
520	asyvq.exe
520	asyvq.exe
520	asyvq.exe
520	asyvq.exe
520	asyvq.exe
520	asyvq.exe
520	asyvq.exe
520	asyvq.exe
520	asyvq.exe
520	asyvq.exe
520	asyvq.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 788 wrote to memory of 1208	788	e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe	28
PID 788 wrote to memory of 1208	788	e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe	28
PID 788 wrote to memory of 1208	788	e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe	28
PID 788 wrote to memory of 1208	788	e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe	28
PID 788 wrote to memory of 1376	788	e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe	29
PID 788 wrote to memory of 1376	788	e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe	29
PID 788 wrote to memory of 1376	788	e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe	29
PID 788 wrote to memory of 1376	788	e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe	29
PID 1208 wrote to memory of 520	1208	opzes.exe	31
PID 1208 wrote to memory of 520	1208	opzes.exe	31
PID 1208 wrote to memory of 520	1208	opzes.exe	31
PID 1208 wrote to memory of 520	1208	opzes.exe	31

C:\Users\Admin\AppData\Local\Temp\e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe
"C:\Users\Admin\AppData\Local\Temp\e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:788
- C:\Users\Admin\AppData\Local\Temp\opzes.exe
  "C:\Users\Admin\AppData\Local\Temp\opzes.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Users\Admin\AppData\Local\Temp\asyvq.exe
    "C:\Users\Admin\AppData\Local\Temp\asyvq.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:1376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
5c0d4071de770b54e5029ea67ab8202a

SHA1
0fa729ddbedaf4f8d3dc8d70d475a721d5894317

SHA256
81557131f78feef4c027870d164afe28a9a7e39eef90f77a3adb4770d4143289

SHA512
e56a0f0d43d4916cb235d5e507c39757ad6ac76aeba2f674b614092e729d9c2c4bbde3cd151932123818263ca60692bf5a707fd87831496f79cd81b436678fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\asyvq.exe

Filesize
207KB

MD5
1b08abaa106557dc7803c86d7c92c97f

SHA1
c2d6a04c1bda634e1d49870168a07224565726ab

SHA256
741e65f18e0d15f03792e47b3e5b83deeec7659584f9e1d850a96e7cf69f1321

SHA512
fcf8ec8b8fe48c183e95ef6bf8781ac17ceae6517b26c2e05569c7bac7ce7fbdadc1f6fbe48fa29da57595f415c133aaa8120dd7d121971f47679c30565c029b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0f9fcd19b7d3cdcbbbd3346262c3b8a2

SHA1
8a178853c2fc7d014d3a0f89b0489b735d2fde8b

SHA256
9e7b4e8ac8d1aaeaa0e52abb171eb3bb5fa15ceed7f62a5b9ce2302df252999f

SHA512
803a0b28d71a1a65713681d0d51461ae7e6c48d15a75d4d5d650587a9f8c84d8d6af8cfff9f560353abd92bf2768e3feefffc4ad8b3e2408f9e204081d1e0afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\opzes.exe

Filesize
420KB

MD5
9ebfada8f823978d6babea4f6c5303d9

SHA1
8561674d63a62f2fbe9755a7a946931cc9689869

SHA256
8b3509cf902b525efcbae8ea7cd3cd351a0d6b2c9fdc94346e4b1ab9baccfb69

SHA512
351fd3992792447f44d685cdebc6732d153cbdf173e056c6979f67a551b83eb484f2c201a1850010a49d66138e708e30744be59abb4ced791898558eb117825d

Download Submit
C:\Users\Admin\AppData\Local\Temp\opzes.exe

Filesize
420KB

MD5
9ebfada8f823978d6babea4f6c5303d9

SHA1
8561674d63a62f2fbe9755a7a946931cc9689869

SHA256
8b3509cf902b525efcbae8ea7cd3cd351a0d6b2c9fdc94346e4b1ab9baccfb69

SHA512
351fd3992792447f44d685cdebc6732d153cbdf173e056c6979f67a551b83eb484f2c201a1850010a49d66138e708e30744be59abb4ced791898558eb117825d

Download Submit
\Users\Admin\AppData\Local\Temp\asyvq.exe

Filesize
207KB

MD5
1b08abaa106557dc7803c86d7c92c97f

SHA1
c2d6a04c1bda634e1d49870168a07224565726ab

SHA256
741e65f18e0d15f03792e47b3e5b83deeec7659584f9e1d850a96e7cf69f1321

SHA512
fcf8ec8b8fe48c183e95ef6bf8781ac17ceae6517b26c2e05569c7bac7ce7fbdadc1f6fbe48fa29da57595f415c133aaa8120dd7d121971f47679c30565c029b

Download Submit
\Users\Admin\AppData\Local\Temp\opzes.exe

Filesize
420KB

MD5
9ebfada8f823978d6babea4f6c5303d9

SHA1
8561674d63a62f2fbe9755a7a946931cc9689869

SHA256
8b3509cf902b525efcbae8ea7cd3cd351a0d6b2c9fdc94346e4b1ab9baccfb69

SHA512
351fd3992792447f44d685cdebc6732d153cbdf173e056c6979f67a551b83eb484f2c201a1850010a49d66138e708e30744be59abb4ced791898558eb117825d

Download Submit
memory/520-72-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/520-73-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/788-61-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/788-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/788-55-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1208-63-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1208-65-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1208-70-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing