9c5da2f45289106ed30a3709b0e6bfb9e10e461db8acf22266f437588a22ad22

General

Target

9c5da2f45289106ed30a3709b0e6bfb9e10e461db8acf22266f437588a22ad22.exe
Size

641KB
MD5

34ccdfb6bc469c571342f35476e33ad4
SHA1

f06f4dd56f2a2ccef0ecdc669bfeeeaadecba6e4
SHA256

9c5da2f45289106ed30a3709b0e6bfb9e10e461db8acf22266f437588a22ad22
SHA512

8a55a633523496c489bd7e0643147506d81e8bc27d096a70d717346c3213c9f40a91c42756f8d18a69e9694754b71944ebcb1f046d7cc0078c36efcb34b49294
SSDEEP

12288:aplHTKI+LJ6knFQ8LckSl4PDVMfpoLqLWvItSeiH:QBaJ6G/LckSl4PDKf3LCWUH

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

RS1.exeFTvrst.exe

pid process

2220 RS1.exe
2524 FTvrst.exe

pid	process
2220	RS1.exe
2524	FTvrst.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3528-132-0x0000000000400000-0x0000000000561000-memory.dmp	upx
behavioral2/memory/3528-133-0x0000000000400000-0x0000000000561000-memory.dmp	upx
behavioral2/memory/3528-135-0x0000000000400000-0x0000000000561000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

RS1.exe

pid process

2220 RS1.exe
2220 RS1.exe
2220 RS1.exe
2220 RS1.exe
2220 RS1.exe
2220 RS1.exe
2220 RS1.exe
2220 RS1.exe

pid	process
2220	RS1.exe
2220	RS1.exe
2220	RS1.exe
2220	RS1.exe
2220	RS1.exe
2220	RS1.exe
2220	RS1.exe
2220	RS1.exe

Drops file in Windows directory 8 IoCs

Processes:

RS1.exe9c5da2f45289106ed30a3709b0e6bfb9e10e461db8acf22266f437588a22ad22.exe

description	ioc	process
File created	C:\WINDOWS\Djltp.txt	RS1.exe
File created	C:\WINDOWS\DNomb\Mpec.mbt	RS1.exe
File created	C:\WINDOWS\DNomb\spolsvt.exe	RS1.exe
File created	C:\WINDOWS\DNomb\FTvrst.exe	RS1.exe
File opened for modification	C:\WINDOWS\DNomb\FTvrst.exe	RS1.exe
File created	C:\WINDOWS\DNomb\audidog.exe	RS1.exe
File created	C:\Windows\DNomb\Mpec.mbt	9c5da2f45289106ed30a3709b0e6bfb9e10e461db8acf22266f437588a22ad22.exe
File opened for modification	C:\Windows\DNomb\Mpec.mbt	9c5da2f45289106ed30a3709b0e6bfb9e10e461db8acf22266f437588a22ad22.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

9c5da2f45289106ed30a3709b0e6bfb9e10e461db8acf22266f437588a22ad22.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	9c5da2f45289106ed30a3709b0e6bfb9e10e461db8acf22266f437588a22ad22.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

9c5da2f45289106ed30a3709b0e6bfb9e10e461db8acf22266f437588a22ad22.exeRS1.exe

pid	process
3528	9c5da2f45289106ed30a3709b0e6bfb9e10e461db8acf22266f437588a22ad22.exe
3528	9c5da2f45289106ed30a3709b0e6bfb9e10e461db8acf22266f437588a22ad22.exe
2220	RS1.exe
2220	RS1.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

9c5da2f45289106ed30a3709b0e6bfb9e10e461db8acf22266f437588a22ad22.exeRS1.exe

description	pid	process	target process
PID 3528 wrote to memory of 912	3528	9c5da2f45289106ed30a3709b0e6bfb9e10e461db8acf22266f437588a22ad22.exe	cmd.exe
PID 3528 wrote to memory of 912	3528	9c5da2f45289106ed30a3709b0e6bfb9e10e461db8acf22266f437588a22ad22.exe	cmd.exe
PID 3528 wrote to memory of 912	3528	9c5da2f45289106ed30a3709b0e6bfb9e10e461db8acf22266f437588a22ad22.exe	cmd.exe
PID 2220 wrote to memory of 2524	2220	RS1.exe	FTvrst.exe
PID 2220 wrote to memory of 2524	2220	RS1.exe	FTvrst.exe
PID 2220 wrote to memory of 2524	2220	RS1.exe	FTvrst.exe

C:\Users\Admin\AppData\Local\Temp\9c5da2f45289106ed30a3709b0e6bfb9e10e461db8acf22266f437588a22ad22.exe
"C:\Users\Admin\AppData\Local\Temp\9c5da2f45289106ed30a3709b0e6bfb9e10e461db8acf22266f437588a22ad22.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3528

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del 9c5da2f45289106ed30a3709b0e6bfb9e10e461db8acf22266f437588a22ad22.exe
2⤵
PID:912

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3928

C:\Users\Public\Documents\123\RS1.exe
"C:\Users\Public\Documents\123\RS1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220

C:\WINDOWS\DNomb\FTvrst.exe
C:\WINDOWS\DNomb\FTvrst.exe
2⤵
- Executes dropped EXE
PID:2524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\123\RS1.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
C:\Users\Public\Documents\123\RS1.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
C:\WINDOWS\DNomb\FTvrst.exe

Filesize
1.9MB

MD5
55ea61276d28d4e61180e7bd3748f88c

SHA1
52d54187d292f67c7a1ffb5bcb5180d27c17edf7

SHA256
285fc2483955292e2edf89c77765f587dfb406fdf408b2387ae36a4a50e67bbe

SHA512
145de3a4c99cd35da85a3f65a1ce3bfb6014b7e745efc97bf29713352426787a4bc7c5f716d8f558a8ef958b323c4fe8b3e65dcc6bfd49b938edcab22119c598

Download Submit
C:\Windows\DNomb\FTvrst.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
memory/912-134-0x0000000000000000-mapping.dmp

Download
memory/2220-143-0x00000000752E0000-0x000000007535A000-memory.dmp

Filesize
488KB

Download
memory/2220-1486-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/2220-139-0x0000000076FC0000-0x0000000077163000-memory.dmp

Filesize
1.6MB

Download
memory/2220-140-0x0000000074FE0000-0x00000000751F5000-memory.dmp

Filesize
2.1MB

Download
memory/2220-142-0x0000000076220000-0x00000000763C0000-memory.dmp

Filesize
1.6MB

Download
memory/2220-1490-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/2220-1485-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/2220-137-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/2220-1487-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/2220-1488-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/2220-1489-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/2524-1491-0x0000000000000000-mapping.dmp

Download
memory/3528-132-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/3528-135-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/3528-133-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads