8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266

General

Target

8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe
Size

379KB
MD5

6ee26437cc104fb116f52a18b8a24cee
SHA1

611542b360253ddb71ac81364d6cd6293a20d85f
SHA256

8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266
SHA512

3fba076431cfe2b939233726d78e3e878fdffe373dc32b57fc065339053093c0141249f37e30bdbee3e86e5c09a703891f052285b683e25ca36e0b19f55d552a
SSDEEP

6144:X50B/5FeaPRp2CcHTSs/yaBgCDLbor06APSx367o/d3A7N0EuuSPEjesIxTV2qo:X50B/feaz+TJ/ya9N6APw/9u0NPuIz2p

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

_setup.exe

pid process

1924 _setup.exe

pid	process
1924	_setup.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2016-55-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral1/memory/2016-62-0x0000000000400000-0x00000000004F4000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1724 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe

pid process

2016 8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe

pid	process
1724	cmd.exe

Drops file in Windows directory 3 IoCs

Processes:

8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe_setup.exe

description	ioc	process
File created	\??\c:\windows\system\unllt\config.ini	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe
File created	\??\c:\windows\system\unllt\_setup.exe	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe
File opened for modification	C:\windows\system\unllt\Log\20221123.log	_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe

description pid process

Token: SeDebugPrivilege 2016 8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe

description	pid	process
Token: SeDebugPrivilege	2016	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe

pid	process
2016	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe
2016	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe

description	pid	process	target process
PID 2016 wrote to memory of 1924	2016	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe	_setup.exe
PID 2016 wrote to memory of 1924	2016	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe	_setup.exe
PID 2016 wrote to memory of 1924	2016	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe	_setup.exe
PID 2016 wrote to memory of 1924	2016	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe	_setup.exe
PID 2016 wrote to memory of 1924	2016	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe	_setup.exe
PID 2016 wrote to memory of 1924	2016	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe	_setup.exe
PID 2016 wrote to memory of 1924	2016	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe	_setup.exe
PID 2016 wrote to memory of 1724	2016	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe	cmd.exe
PID 2016 wrote to memory of 1724	2016	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe	cmd.exe
PID 2016 wrote to memory of 1724	2016	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe	cmd.exe
PID 2016 wrote to memory of 1724	2016	8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe
"C:\Users\Admin\AppData\Local\Temp\8a9af5f7f01fb6bdb680cd049ac55f6c76032d489336a1fac9057967b3b61266.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016

C:\windows\system\unllt\_setup.exe
"C:\windows\system\unllt\_setup.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1924

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ .bat""
2⤵
- Deletes itself
PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ .bat
Filesize
173B

MD5
ff8f4f4ad7e7ba959da4ed7df60f77db

SHA1
4d4b0fec2b01ea871e1d1325f1b8d2c4af2f627e

SHA256
d785d08bd2bcd75355d04bac079d04a5cea0496cf52983267803d426e22b75fc

SHA512
e65b5ecd7c63312150eb3b13b1b482703dac09ad83bb9fde315ae8967bee723615372cda4c55a97d52dac698f6a026a94d63701e81d77d487380ffc91060c4c5

Download Submit
C:\Windows\system\unllt\_setup.exe
Filesize
261KB

MD5
f0a5b8914ed3e63d74ba1095437e9d7d

SHA1
4b30cc79a9ebd632adfbc94f6b0e3760f781efec

SHA256
6f5b873c6fc11c81a49effdae9bb3fdff8e810873014f36c45023b8fc0a296ae

SHA512
a1e0fc934efa915f75c7ff498431c5b6bbba1dc5005a28a2d446cd9325e67b620fbf6880dbedf9aee9f3f5de308fbaa86a03885993587b1b5e62a5f5dd001434

Download Submit
C:\windows\system\unllt\config.ini
Filesize
26B

MD5
6068361993d71c7a5d27889465558d36

SHA1
5bc981bcab8c1d90382257e09d61cc1aeef911d5

SHA256
ecca8e3d812234401d1860efc7dcc80cd0d13acf363702e090e439f72a3937dc

SHA512
4551f37bb4217bfc96f6447a86c437b0ec97febe131b897490b3476c7f36e1c79bfca0c7c92aec156368cf8e27cb7b1c1c09247c70666aba4d22a3455711a6a1

Download Submit
\Windows\system\unllt\_setup.exe
Filesize
261KB

MD5
f0a5b8914ed3e63d74ba1095437e9d7d

SHA1
4b30cc79a9ebd632adfbc94f6b0e3760f781efec

SHA256
6f5b873c6fc11c81a49effdae9bb3fdff8e810873014f36c45023b8fc0a296ae

SHA512
a1e0fc934efa915f75c7ff498431c5b6bbba1dc5005a28a2d446cd9325e67b620fbf6880dbedf9aee9f3f5de308fbaa86a03885993587b1b5e62a5f5dd001434

Download Submit
memory/1724-61-0x0000000000000000-mapping.dmp

Download
memory/1924-57-0x0000000000000000-mapping.dmp

Download
memory/2016-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/2016-55-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2016-62-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads