9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2

General

Target

9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe
Size

2.7MB
MD5

5d1bd24c0db63dcfb5e3c3e883e43a7c
SHA1

1b15c35a884603ad6ec27bcba3f40a63964b5c75
SHA256

9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2
SHA512

fec59f8703399fde2a57b3b955f36ab98383a856280f229cd058fa8d4b7bb20df8cd4a85fdfa7502a27a0d7b83a203e4e2335fab0f8c23dcf08547ef5a5f6c44
SSDEEP

49152:Cfleq3epnQU8HBTrRD+s8KuqGaX0ToIBAUZLYI:y0ppQUayJBAUZLP

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

services_c_3003.exe

pid process

4716 services_c_3003.exe

pid	process
4716	services_c_3003.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2324-133-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2324-132-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2324-134-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2324-136-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2324-138-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2324-140-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2324-142-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2324-144-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2324-146-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2324-148-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2324-150-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2324-152-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2324-156-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2324-154-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2324-158-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2324-161-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2324-163-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2324-165-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2324-167-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2324-169-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2324-171-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2324-173-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2324-175-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2324-176-0x00000000026F0000-0x000000000272E000-memory.dmp	upx
behavioral2/memory/2324-178-0x00000000026F0000-0x000000000272E000-memory.dmp	upx
behavioral2/memory/2324-177-0x00000000026F0000-0x000000000272E000-memory.dmp	upx
behavioral2/memory/2324-180-0x00000000026F0000-0x000000000272E000-memory.dmp	upx
behavioral2/memory/2324-184-0x00000000026F0000-0x000000000272E000-memory.dmp	upx
behavioral2/memory/2324-182-0x00000000026F0000-0x000000000272E000-memory.dmp	upx
behavioral2/memory/2324-186-0x00000000026F0000-0x000000000272E000-memory.dmp	upx
behavioral2/memory/2324-188-0x00000000026F0000-0x000000000272E000-memory.dmp	upx
behavioral2/memory/2324-190-0x00000000026F0000-0x000000000272E000-memory.dmp	upx
behavioral2/memory/2324-192-0x00000000026F0000-0x000000000272E000-memory.dmp	upx
behavioral2/memory/2324-194-0x00000000026F0000-0x000000000272E000-memory.dmp	upx
behavioral2/memory/2324-196-0x00000000026F0000-0x000000000272E000-memory.dmp	upx
behavioral2/memory/2324-219-0x00000000026F0000-0x000000000272E000-memory.dmp	upx
behavioral2/memory/2324-220-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

services_c_3003.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	services_c_3003.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

services_c_3003.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SQ Platform = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services_c_3003.exe ?(?3?)? ?,??????"	services_c_3003.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

services_c_3003.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	services_c_3003.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

services_c_3003.exe

pid process

4716 services_c_3003.exe
4716 services_c_3003.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exeservices_c_3003.exe

pid process

2324 9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe
4716 services_c_3003.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exeservices_c_3003.exe

pid process

2324 9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe
4716 services_c_3003.exe

pid	process
4716	services_c_3003.exe
4716	services_c_3003.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe

pid	process
2324	9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe
2324	9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe
2324	9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe
2324	9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe

description	pid	process	target process
PID 2324 wrote to memory of 4716	2324	9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe	services_c_3003.exe
PID 2324 wrote to memory of 4716	2324	9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe	services_c_3003.exe
PID 2324 wrote to memory of 4716	2324	9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe	services_c_3003.exe

C:\Users\Admin\AppData\Local\Temp\9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe
"C:\Users\Admin\AppData\Local\Temp\9cb805b6b3ac0831a36f89a745d1215a8e29c5113daaf5213ab9d1733d8278c2.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\AppData\Local\Temp\services_c_3003.exe
C:\Users\Admin\AppData\Local\Temp\services_c_3003.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\services_c_3003.exe
Filesize
248KB

MD5
a53ab32dc79d4cf6ee4392e8687d0029

SHA1
a80da7b53d1e29cb3f4005cd72699e23bebdf4ae

SHA256
355f405f84858049601a2245ced390405773240d70ec7216573b24c122a1850d

SHA512
0bd8d95992b0a3100400c0d7af75729c4ed8b823cc4fc7d2f83736a34f47c898b230ed66531e2cd4825d11f332e677281d077e2bb75d0c0cdf663d358a626244

Download Submit
C:\Users\Admin\AppData\Local\Temp\services_c_3003.exe
Filesize
248KB

MD5
a53ab32dc79d4cf6ee4392e8687d0029

SHA1
a80da7b53d1e29cb3f4005cd72699e23bebdf4ae

SHA256
355f405f84858049601a2245ced390405773240d70ec7216573b24c122a1850d

SHA512
0bd8d95992b0a3100400c0d7af75729c4ed8b823cc4fc7d2f83736a34f47c898b230ed66531e2cd4825d11f332e677281d077e2bb75d0c0cdf663d358a626244

Download Submit
memory/2324-171-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2324-134-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2324-138-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2324-140-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2324-142-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2324-144-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2324-146-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2324-148-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2324-133-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2324-152-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2324-156-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2324-154-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2324-158-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2324-161-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2324-163-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2324-165-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2324-167-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2324-169-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2324-150-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2324-136-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2324-184-0x00000000026F0000-0x000000000272E000-memory.dmp

Filesize
248KB

Download
memory/2324-176-0x00000000026F0000-0x000000000272E000-memory.dmp

Filesize
248KB

Download
memory/2324-178-0x00000000026F0000-0x000000000272E000-memory.dmp

Filesize
248KB

Download
memory/2324-177-0x00000000026F0000-0x000000000272E000-memory.dmp

Filesize
248KB

Download
memory/2324-180-0x00000000026F0000-0x000000000272E000-memory.dmp

Filesize
248KB

Download
memory/2324-175-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2324-182-0x00000000026F0000-0x000000000272E000-memory.dmp

Filesize
248KB

Download
memory/2324-186-0x00000000026F0000-0x000000000272E000-memory.dmp

Filesize
248KB

Download
memory/2324-188-0x00000000026F0000-0x000000000272E000-memory.dmp

Filesize
248KB

Download
memory/2324-190-0x00000000026F0000-0x000000000272E000-memory.dmp

Filesize
248KB

Download
memory/2324-192-0x00000000026F0000-0x000000000272E000-memory.dmp

Filesize
248KB

Download
memory/2324-194-0x00000000026F0000-0x000000000272E000-memory.dmp

Filesize
248KB

Download
memory/2324-196-0x00000000026F0000-0x000000000272E000-memory.dmp

Filesize
248KB

Download
memory/2324-219-0x00000000026F0000-0x000000000272E000-memory.dmp

Filesize
248KB

Download
memory/2324-220-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2324-132-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2324-173-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4716-221-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads