db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7

General

Target

db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe
Size

909KB
MD5

823c825e4a48d4d54a611242b54b789c
SHA1

1632bba7b691bf586b4897e4b4908196194d00f9
SHA256

db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7
SHA512

4556b4e2c4f932440baa6faa7bfcc695dac8fc997dcdf964befbc34ca06815ed228244d95fd45cef32de7f29a8240dcaee29be17251889e17e7c5a9cf5a58581
SSDEEP

24576:3MMMMMMMMMMMMMMMMMMMMMMghvhNGdGeGkpBFywcB7tZDDMxj82+arl4YaP:3MMMMMMMMMMMMMMMMMMMMMMghvS8eGkE

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

server.exeCliente.exe

pid process

1704 server.exe
912 Cliente.exe

pid	process
1704	server.exe
912	Cliente.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1704-66-0x0000000000330000-0x0000000000341000-memory.dmp	upx
behavioral1/memory/1704-69-0x0000000000350000-0x0000000000388000-memory.dmp	upx
behavioral1/memory/1704-70-0x0000000000330000-0x0000000000341000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

server.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	server.exe

Loads dropped DLL 3 IoCs

Processes:

db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe

pid	process
1760	db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe
1760	db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe
1760	db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

server.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	server.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	server.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	server.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	server.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

server.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe

pid process

1760 db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	server.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe

description	pid	process	target process
PID 1760 wrote to memory of 1704	1760	db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe	server.exe
PID 1760 wrote to memory of 1704	1760	db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe	server.exe
PID 1760 wrote to memory of 1704	1760	db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe	server.exe
PID 1760 wrote to memory of 1704	1760	db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe	server.exe
PID 1760 wrote to memory of 912	1760	db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe	Cliente.exe
PID 1760 wrote to memory of 912	1760	db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe	Cliente.exe
PID 1760 wrote to memory of 912	1760	db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe	Cliente.exe
PID 1760 wrote to memory of 912	1760	db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe	Cliente.exe

C:\Users\Admin\AppData\Local\Temp\db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe
"C:\Users\Admin\AppData\Local\Temp\db17bb7ad4df8aaa4fe344a1ae9c4119f82177fb075917bc564944c8488c2ef7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
PID:1704

C:\Users\Admin\AppData\Local\Temp\Cliente.exe
"C:\Users\Admin\AppData\Local\Temp\Cliente.exe"
2⤵
- Executes dropped EXE
PID:912

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cliente.exe
Filesize
60KB

MD5
d75e2c45d1199c426e10764eb4459388

SHA1
958f62457918f8f4d93f9ae238ec0702af17265c

SHA256
6080e155120c657785d233b6892dcb3ba263d05690bbe3561640e4ac03ed6de7

SHA512
76548bc64a8abbf83e240199924d132553fc6f275ea212e5e29a2facc5d7d4f7f447d049e8380089bc9a683d784b88a8d35edc12343f5caee19f3e519e0f735f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cliente.exe
Filesize
60KB

MD5
d75e2c45d1199c426e10764eb4459388

SHA1
958f62457918f8f4d93f9ae238ec0702af17265c

SHA256
6080e155120c657785d233b6892dcb3ba263d05690bbe3561640e4ac03ed6de7

SHA512
76548bc64a8abbf83e240199924d132553fc6f275ea212e5e29a2facc5d7d4f7f447d049e8380089bc9a683d784b88a8d35edc12343f5caee19f3e519e0f735f

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
800KB

MD5
3d64416a3a7e50a60aefbee9a667f91d

SHA1
b780f0c551cbb973a628a17de10bd3a81ae364e4

SHA256
1a1bc9bd9314d09fa7c187beb9b1fc07fe836e98e1ac183d480c15b2da85cc98

SHA512
7db765a68b1fb72bd175d5e9ce9998bcad5205536cd900199c2d0e4f3e4471fe92fc4965806eae23a9d63c81ffa9f5ed359cacaf1910eee44071c88fd7cc4b2c

Download Submit
\Users\Admin\AppData\Local\Temp\Cliente.exe
Filesize
60KB

MD5
d75e2c45d1199c426e10764eb4459388

SHA1
958f62457918f8f4d93f9ae238ec0702af17265c

SHA256
6080e155120c657785d233b6892dcb3ba263d05690bbe3561640e4ac03ed6de7

SHA512
76548bc64a8abbf83e240199924d132553fc6f275ea212e5e29a2facc5d7d4f7f447d049e8380089bc9a683d784b88a8d35edc12343f5caee19f3e519e0f735f

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
800KB

MD5
3d64416a3a7e50a60aefbee9a667f91d

SHA1
b780f0c551cbb973a628a17de10bd3a81ae364e4

SHA256
1a1bc9bd9314d09fa7c187beb9b1fc07fe836e98e1ac183d480c15b2da85cc98

SHA512
7db765a68b1fb72bd175d5e9ce9998bcad5205536cd900199c2d0e4f3e4471fe92fc4965806eae23a9d63c81ffa9f5ed359cacaf1910eee44071c88fd7cc4b2c

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
800KB

MD5
3d64416a3a7e50a60aefbee9a667f91d

SHA1
b780f0c551cbb973a628a17de10bd3a81ae364e4

SHA256
1a1bc9bd9314d09fa7c187beb9b1fc07fe836e98e1ac183d480c15b2da85cc98

SHA512
7db765a68b1fb72bd175d5e9ce9998bcad5205536cd900199c2d0e4f3e4471fe92fc4965806eae23a9d63c81ffa9f5ed359cacaf1910eee44071c88fd7cc4b2c

Download Submit
memory/912-62-0x0000000000000000-mapping.dmp

Download
memory/912-68-0x000007FEF3DA0000-0x000007FEF47C3000-memory.dmp

Filesize
10.1MB

Download
memory/1704-59-0x0000000000000000-mapping.dmp

Download
memory/1704-66-0x0000000000330000-0x0000000000341000-memory.dmp

Filesize
68KB

Download
memory/1704-67-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1704-69-0x0000000000350000-0x0000000000388000-memory.dmp

Filesize
224KB

Download
memory/1704-70-0x0000000000330000-0x0000000000341000-memory.dmp

Filesize
68KB

Download
memory/1760-56-0x0000000076191000-0x0000000076193000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads