9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2

General

Target

9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe
Size

2.7MB
MD5

5d1bd24c0db63dcfb5e3c3e883e43a7c
SHA1

1b15c35a884603ad6ec27bcba3f40a63964b5c75
SHA256

9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2
SHA512

fec59f8703399fde2a57b3b955f36ab98383a856280f229cd058fa8d4b7bb20df8cd4a85fdfa7502a27a0d7b83a203e4e2335fab0f8c23dcf08547ef5a5f6c44
SSDEEP

49152:Cfleq3epnQU8HBTrRD+s8KuqGaX0ToIBAUZLYI:y0ppQUayJBAUZLP

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

services_c_3003.exe

pid process

1684 services_c_3003.exe

pid	process
1684	services_c_3003.exe

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1112-55-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-57-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-56-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-59-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-61-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-63-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-65-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-67-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-69-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-71-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-73-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-75-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-77-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-79-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-81-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-83-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-87-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-91-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-89-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-85-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-95-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-93-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-97-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-106-0x0000000001F10000-0x0000000001F4E000-memory.dmp	upx
behavioral1/memory/1112-104-0x0000000001F10000-0x0000000001F4E000-memory.dmp	upx
behavioral1/memory/1112-102-0x0000000001F10000-0x0000000001F4E000-memory.dmp	upx
behavioral1/memory/1112-100-0x0000000001F10000-0x0000000001F4E000-memory.dmp	upx
behavioral1/memory/1112-99-0x0000000001F10000-0x0000000001F4E000-memory.dmp	upx
behavioral1/memory/1112-98-0x0000000001F10000-0x0000000001F4E000-memory.dmp	upx
behavioral1/memory/1112-116-0x0000000001F10000-0x0000000001F4E000-memory.dmp	upx
behavioral1/memory/1112-114-0x0000000001F10000-0x0000000001F4E000-memory.dmp	upx
behavioral1/memory/1112-112-0x0000000001F10000-0x0000000001F4E000-memory.dmp	upx
behavioral1/memory/1112-110-0x0000000001F10000-0x0000000001F4E000-memory.dmp	upx
behavioral1/memory/1112-108-0x0000000001F10000-0x0000000001F4E000-memory.dmp	upx
behavioral1/memory/1112-141-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-142-0x0000000001F10000-0x0000000001F4E000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exeservices_c_3003.exe

pid process

1112 9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe
1684 services_c_3003.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

services_c_3003.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SQ Platform = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services_c_3003.exe ?(?3?)? ?,??????"	services_c_3003.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

services_c_3003.exe

pid process

1684 services_c_3003.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exeservices_c_3003.exe

pid process

1112 9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe
1684 services_c_3003.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exeservices_c_3003.exe

pid process

1112 9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe
1684 services_c_3003.exe

pid	process
1684	services_c_3003.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe

pid	process
1112	9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe
1112	9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe
1112	9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe
1112	9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe

description	pid	process	target process
PID 1112 wrote to memory of 1684	1112	9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe	services_c_3003.exe
PID 1112 wrote to memory of 1684	1112	9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe	services_c_3003.exe
PID 1112 wrote to memory of 1684	1112	9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe	services_c_3003.exe
PID 1112 wrote to memory of 1684	1112	9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe	services_c_3003.exe

C:\Users\Admin\AppData\Local\Temp\9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe
"C:\Users\Admin\AppData\Local\Temp\9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\services_c_3003.exe
C:\Users\Admin\AppData\Local\Temp\services_c_3003.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\services_c_3003.exe
Filesize
248KB

MD5
a53ab32dc79d4cf6ee4392e8687d0029

SHA1
a80da7b53d1e29cb3f4005cd72699e23bebdf4ae

SHA256
355f405f84858049601a2245ced390405773240d70ec7216573b24c122a1850d

SHA512
0bd8d95992b0a3100400c0d7af75729c4ed8b823cc4fc7d2f83736a34f47c898b230ed66531e2cd4825d11f332e677281d077e2bb75d0c0cdf663d358a626244

Download Submit
C:\Users\Admin\AppData\Local\Temp\services_c_3003.exe
Filesize
248KB

MD5
a53ab32dc79d4cf6ee4392e8687d0029

SHA1
a80da7b53d1e29cb3f4005cd72699e23bebdf4ae

SHA256
355f405f84858049601a2245ced390405773240d70ec7216573b24c122a1850d

SHA512
0bd8d95992b0a3100400c0d7af75729c4ed8b823cc4fc7d2f83736a34f47c898b230ed66531e2cd4825d11f332e677281d077e2bb75d0c0cdf663d358a626244

Download Submit
\Users\Admin\AppData\Local\Temp\services_c_3003.exe
Filesize
248KB

MD5
a53ab32dc79d4cf6ee4392e8687d0029

SHA1
a80da7b53d1e29cb3f4005cd72699e23bebdf4ae

SHA256
355f405f84858049601a2245ced390405773240d70ec7216573b24c122a1850d

SHA512
0bd8d95992b0a3100400c0d7af75729c4ed8b823cc4fc7d2f83736a34f47c898b230ed66531e2cd4825d11f332e677281d077e2bb75d0c0cdf663d358a626244

Download Submit
\Users\Admin\AppData\Local\Temp\services_c_3003.exe
Filesize
248KB

MD5
a53ab32dc79d4cf6ee4392e8687d0029

SHA1
a80da7b53d1e29cb3f4005cd72699e23bebdf4ae

SHA256
355f405f84858049601a2245ced390405773240d70ec7216573b24c122a1850d

SHA512
0bd8d95992b0a3100400c0d7af75729c4ed8b823cc4fc7d2f83736a34f47c898b230ed66531e2cd4825d11f332e677281d077e2bb75d0c0cdf663d358a626244

Download Submit
memory/1112-85-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-57-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-63-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-65-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-67-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-69-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-71-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-73-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-93-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-77-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-79-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-81-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-83-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-87-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-91-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-89-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1112-95-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-75-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-61-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-98-0x0000000001F10000-0x0000000001F4E000-memory.dmp

Filesize
248KB

Download
memory/1112-104-0x0000000001F10000-0x0000000001F4E000-memory.dmp

Filesize
248KB

Download
memory/1112-102-0x0000000001F10000-0x0000000001F4E000-memory.dmp

Filesize
248KB

Download
memory/1112-100-0x0000000001F10000-0x0000000001F4E000-memory.dmp

Filesize
248KB

Download
memory/1112-99-0x0000000001F10000-0x0000000001F4E000-memory.dmp

Filesize
248KB

Download
memory/1112-106-0x0000000001F10000-0x0000000001F4E000-memory.dmp

Filesize
248KB

Download
memory/1112-116-0x0000000001F10000-0x0000000001F4E000-memory.dmp

Filesize
248KB

Download
memory/1112-114-0x0000000001F10000-0x0000000001F4E000-memory.dmp

Filesize
248KB

Download
memory/1112-112-0x0000000001F10000-0x0000000001F4E000-memory.dmp

Filesize
248KB

Download
memory/1112-110-0x0000000001F10000-0x0000000001F4E000-memory.dmp

Filesize
248KB

Download
memory/1112-108-0x0000000001F10000-0x0000000001F4E000-memory.dmp

Filesize
248KB

Download
memory/1112-141-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-142-0x0000000001F10000-0x0000000001F4E000-memory.dmp

Filesize
248KB

Download
memory/1112-59-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-56-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-55-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-97-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1684-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads