b49c9518ccbe525941afa9f85f9bea24b1833b9b06bfdd3626b8811b3eb1bc15

General

Target

b49c9518ccbe525941afa9f85f9bea24b1833b9b06bfdd3626b8811b3eb1bc15.exe
Size

396KB
MD5

20a17e1e0b00ac8a180a673f13571a5c
SHA1

0fe1ff555d5a8995383ecbb9c9bd34ee951bdf0d
SHA256

b49c9518ccbe525941afa9f85f9bea24b1833b9b06bfdd3626b8811b3eb1bc15
SHA512

d5f829d8b528d1c3803180a387927b92b994fcef39c23e3d967c76f8dd78b20c13937011ac069e83026fd22b5d405383ed766ca675a868af32d6287eb612c6be
SSDEEP

12288:QjkArEN249AyE/rbaMct4bO2/VUO5QGKEBy6ij:LFE//Tct4bOs+MQGKcQj

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

setup.exe

pid process

304 setup.exe

pid	process
304	setup.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1084-63-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/1084-65-0x0000000000400000-0x00000000004C1000-memory.dmp	upx

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs	WScript.exe

Loads dropped DLL 4 IoCs

Processes:

b49c9518ccbe525941afa9f85f9bea24b1833b9b06bfdd3626b8811b3eb1bc15.exesetup.exe

pid process

1084 b49c9518ccbe525941afa9f85f9bea24b1833b9b06bfdd3626b8811b3eb1bc15.exe
304 setup.exe
304 setup.exe
304 setup.exe

pid	process
1084	b49c9518ccbe525941afa9f85f9bea24b1833b9b06bfdd3626b8811b3eb1bc15.exe
304	setup.exe
304	setup.exe
304	setup.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\update.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\update.vbs\""	WScript.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1084-63-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral1/memory/1084-65-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\setup.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\setup.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\setup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\setup.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\setup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\setup.exe	nsis_installer_2

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

b49c9518ccbe525941afa9f85f9bea24b1833b9b06bfdd3626b8811b3eb1bc15.exe

description	pid	process	target process
PID 1084 wrote to memory of 304	1084	b49c9518ccbe525941afa9f85f9bea24b1833b9b06bfdd3626b8811b3eb1bc15.exe	setup.exe
PID 1084 wrote to memory of 304	1084	b49c9518ccbe525941afa9f85f9bea24b1833b9b06bfdd3626b8811b3eb1bc15.exe	setup.exe
PID 1084 wrote to memory of 304	1084	b49c9518ccbe525941afa9f85f9bea24b1833b9b06bfdd3626b8811b3eb1bc15.exe	setup.exe
PID 1084 wrote to memory of 304	1084	b49c9518ccbe525941afa9f85f9bea24b1833b9b06bfdd3626b8811b3eb1bc15.exe	setup.exe
PID 1084 wrote to memory of 304	1084	b49c9518ccbe525941afa9f85f9bea24b1833b9b06bfdd3626b8811b3eb1bc15.exe	setup.exe
PID 1084 wrote to memory of 304	1084	b49c9518ccbe525941afa9f85f9bea24b1833b9b06bfdd3626b8811b3eb1bc15.exe	setup.exe
PID 1084 wrote to memory of 304	1084	b49c9518ccbe525941afa9f85f9bea24b1833b9b06bfdd3626b8811b3eb1bc15.exe	setup.exe
PID 1084 wrote to memory of 1376	1084	b49c9518ccbe525941afa9f85f9bea24b1833b9b06bfdd3626b8811b3eb1bc15.exe	WScript.exe
PID 1084 wrote to memory of 1376	1084	b49c9518ccbe525941afa9f85f9bea24b1833b9b06bfdd3626b8811b3eb1bc15.exe	WScript.exe
PID 1084 wrote to memory of 1376	1084	b49c9518ccbe525941afa9f85f9bea24b1833b9b06bfdd3626b8811b3eb1bc15.exe	WScript.exe
PID 1084 wrote to memory of 1376	1084	b49c9518ccbe525941afa9f85f9bea24b1833b9b06bfdd3626b8811b3eb1bc15.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\b49c9518ccbe525941afa9f85f9bea24b1833b9b06bfdd3626b8811b3eb1bc15.exe
"C:\Users\Admin\AppData\Local\Temp\b49c9518ccbe525941afa9f85f9bea24b1833b9b06bfdd3626b8811b3eb1bc15.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Local\Temp\setup.exe
C:\Users\Admin\AppData\Local\Temp/setup.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:304

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\update.vbs" 0
2⤵
- Drops startup file
- Adds Run key to start application
PID:1376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
97KB

MD5
460ac7278d4f8b9c58e1e058fa2c3a49

SHA1
1b4eb9f5b43c07147f8479a1691598148a97a0bf

SHA256
82e7518a186068816c4ffa280334cee65b13945d0c1fe6bbf8b77ef81c6a1b01

SHA512
4d6d9bf2eb4a11321aae2a96d1994eae2672ea7f517a78a909a0d642c8cd8d68cba2d5510fcf5b341ddfc56e2cec1ec7266b2c1bcb56da9cdad4b03b70d04f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
97KB

MD5
460ac7278d4f8b9c58e1e058fa2c3a49

SHA1
1b4eb9f5b43c07147f8479a1691598148a97a0bf

SHA256
82e7518a186068816c4ffa280334cee65b13945d0c1fe6bbf8b77ef81c6a1b01

SHA512
4d6d9bf2eb4a11321aae2a96d1994eae2672ea7f517a78a909a0d642c8cd8d68cba2d5510fcf5b341ddfc56e2cec1ec7266b2c1bcb56da9cdad4b03b70d04f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.vbs
Filesize
308KB

MD5
2abc8e958aec30bc980bae61c3c492ad

SHA1
c4c17225c73afa362f78b84ac25660f46c4ab90c

SHA256
58f654923a67f1d5cc9878fc7dac80f9df24d84f091110126da702574e79f5d6

SHA512
80dc6b8601a98ee2090a7fd6e2887e6e7f7bfd55b45a2de1809314d70a89cb3f305de97f7e532f92b01b771efcf1fcd110ba1a45b816de484bfae5ca622d3388

Download Submit
\Users\Admin\AppData\Local\Temp\nsdC90.tmp\BrandingURL.dll
Filesize
4KB

MD5
71c46b663baa92ad941388d082af97e7

SHA1
5a9fcce065366a526d75cc5ded9aade7cadd6421

SHA256
bb2b9c272b8b66bc1b414675c2acba7afad03fff66a63babee3ee57ed163d19e

SHA512
5965bd3f5369b9a1ed641c479f7b8a14af27700d0c27d482aa8eb62acc42f7b702b5947d82f9791b29bcba4d46e1409244f0a8ddce4ec75022b5e27f6d671bce

Download Submit
\Users\Admin\AppData\Local\Temp\nsdC90.tmp\NSISdl.dll
Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
\Users\Admin\AppData\Local\Temp\nsdC90.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
97KB

MD5
460ac7278d4f8b9c58e1e058fa2c3a49

SHA1
1b4eb9f5b43c07147f8479a1691598148a97a0bf

SHA256
82e7518a186068816c4ffa280334cee65b13945d0c1fe6bbf8b77ef81c6a1b01

SHA512
4d6d9bf2eb4a11321aae2a96d1994eae2672ea7f517a78a909a0d642c8cd8d68cba2d5510fcf5b341ddfc56e2cec1ec7266b2c1bcb56da9cdad4b03b70d04f66

Download Submit
memory/304-56-0x0000000000000000-mapping.dmp

Download
memory/1084-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1084-63-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1084-65-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1376-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads