18ba3a01329d8a198d4e53fe2ebb9983b4b6ecbdc960594053c53da351123bb4

General

Target

18ba3a01329d8a198d4e53fe2ebb9983b4b6ecbdc960594053c53da351123bb4.exe
Size

454KB
MD5

20dc9840c76bb5c63751302b26d89790
SHA1

10a896cfd3dca163c0032c6e9b46df052c36f709
SHA256

18ba3a01329d8a198d4e53fe2ebb9983b4b6ecbdc960594053c53da351123bb4
SHA512

c0f35d07a97fd6dd3021404c0b2e093c98a44f542826ea32b031a358485e2a9281395288be287b9f2f77f6fa0e856323d680beb3b017f476117d2bd7d77440ab
SSDEEP

12288:c/ve2+HrYpMiRpTAG1ZsEC2abS9FLYiyb0Jkh59h1yNXKKyTP:cHjBpMG//GiHkTf1yNX1yTP

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1948-55-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1948-56-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1948-57-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1948-59-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1948-61-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1948-63-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1948-65-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1948-67-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1948-69-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1948-71-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1948-73-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1948-77-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1948-79-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1948-75-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1948-83-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1948-81-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1948-85-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1948-87-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1948-89-0x0000000000400000-0x000000000051E000-memory.dmp	upx
behavioral1/memory/1948-93-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1948-95-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1948-97-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1948-91-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1948-99-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1948-101-0x0000000000400000-0x000000000051E000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1628	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1948	18ba3a01329d8a198d4e53fe2ebb9983b4b6ecbdc960594053c53da351123bb4.exe
1948	18ba3a01329d8a198d4e53fe2ebb9983b4b6ecbdc960594053c53da351123bb4.exe
1948	18ba3a01329d8a198d4e53fe2ebb9983b4b6ecbdc960594053c53da351123bb4.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1628	1948	18ba3a01329d8a198d4e53fe2ebb9983b4b6ecbdc960594053c53da351123bb4.exe	28
PID 1948 wrote to memory of 1628	1948	18ba3a01329d8a198d4e53fe2ebb9983b4b6ecbdc960594053c53da351123bb4.exe	28
PID 1948 wrote to memory of 1628	1948	18ba3a01329d8a198d4e53fe2ebb9983b4b6ecbdc960594053c53da351123bb4.exe	28
PID 1948 wrote to memory of 1628	1948	18ba3a01329d8a198d4e53fe2ebb9983b4b6ecbdc960594053c53da351123bb4.exe	28

C:\Users\Admin\AppData\Local\Temp\18ba3a01329d8a198d4e53fe2ebb9983b4b6ecbdc960594053c53da351123bb4.exe
"C:\Users\Admin\AppData\Local\Temp\18ba3a01329d8a198d4e53fe2ebb9983b4b6ecbdc960594053c53da351123bb4.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
  2⤵
  - Deletes itself
  PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs

Filesize
275B

MD5
f67a742ecf1e09bd54366774153f081c

SHA1
a4e359d8d71a8101106f0d0aafa3ba0624d2c338

SHA256
06e09025bc6165ebb50ae141717768151b1b813a4ac8545eb9c81432b2a5c817

SHA512
064fada0504cf04ecf28a6243b289573645ce5351fd734d0ba6417f61bec7fb797e7a968841223da79b5fa5a9f9428204bd0604bf2713a0cf9edcb00788b914c

Download Submit
memory/1948-75-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1948-99-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1948-59-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1948-61-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1948-63-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1948-65-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1948-67-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1948-69-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1948-71-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1948-73-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1948-77-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1948-79-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1948-57-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1948-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1948-93-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1948-85-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1948-87-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1948-89-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1948-81-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1948-95-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1948-97-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1948-91-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1948-83-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1948-56-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1948-101-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1948-55-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing