7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc

General

Target

7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
Size

4.1MB
MD5

e38a921dd0ec2715d9ed7d6aea932943
SHA1

642c12d97c64649f6025438d5a0029114026e039
SHA256

7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc
SHA512

ebe03cfc3f4952e2a49d7fdd430ad9a852bbe1550dfccd4f4af28c4788acabf9699fbc4981baccdfe5b06276ee5990af1f098ae79d9c52ad296540e5e3cc8fce
SSDEEP

49152:QZPOAH6b2W8Ox1drCHqPtAppGghVZSNHzSFl/8/yOE2zrMfB6696cZhd06jHM9kz:QZpxOfd2Ag8TSFeFjI/9J1ZMeKg4sscR

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
456	login.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000400000000072d-1482.dat	upx
behavioral2/files/0x000400000000072d-1483.dat	upx
behavioral2/memory/456-1484-0x0000000000400000-0x0000000000D06000-memory.dmp	upx
behavioral2/memory/456-1485-0x0000000000400000-0x0000000000D06000-memory.dmp	upx
behavioral2/memory/456-1486-0x0000000000400000-0x0000000000D06000-memory.dmp	upx
behavioral2/memory/456-1487-0x0000000000400000-0x0000000000D06000-memory.dmp	upx
behavioral2/memory/456-1488-0x0000000000400000-0x0000000000D06000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	login.exe
File opened (read-only)	\??\F:	login.exe
File opened (read-only)	\??\I:	login.exe
File opened (read-only)	\??\K:	login.exe
File opened (read-only)	\??\M:	login.exe
File opened (read-only)	\??\O:	login.exe
File opened (read-only)	\??\Z:	login.exe
File opened (read-only)	\??\A:	login.exe
File opened (read-only)	\??\T:	login.exe
File opened (read-only)	\??\X:	login.exe
File opened (read-only)	\??\H:	login.exe
File opened (read-only)	\??\G:	login.exe
File opened (read-only)	\??\L:	login.exe
File opened (read-only)	\??\P:	login.exe
File opened (read-only)	\??\Q:	login.exe
File opened (read-only)	\??\R:	login.exe
File opened (read-only)	\??\V:	login.exe
File opened (read-only)	\??\W:	login.exe
File opened (read-only)	\??\B:	login.exe
File opened (read-only)	\??\Y:	login.exe
File opened (read-only)	\??\N:	login.exe
File opened (read-only)	\??\S:	login.exe
File opened (read-only)	\??\U:	login.exe
File opened (read-only)	\??\J:	login.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 27 IoCs

pid	Process
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	login.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	login.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
456	login.exe
456	login.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 456	4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe	83
PID 4092 wrote to memory of 456	4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe	83
PID 4092 wrote to memory of 456	4092	7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe	83

C:\Users\Admin\AppData\Local\Temp\7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe
"C:\Users\Admin\AppData\Local\Temp\7844d22d6f0ce7b481f63eeaf93d087412982f87a37b686e7a86a673bbcba0bc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\login.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\login.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\login.exe

Filesize
3.2MB

MD5
b9d00588e709536cbb117e3db5c81b81

SHA1
8809c2a2d97af12e8c0a700ed4129e6b9d5b3b19

SHA256
0f2608cc8b6fa2143424cec9cfe12d6ff1bc41317fdd92f5c8ef3b77f81d4ace

SHA512
a45bb2ff04ae8c81a31308a8baa3800a796e4abe9a6489ab952b7807dcfb40fdd89a6f15500724122726e1b86defb05fe27408198d5553edc83cbf43d48e443b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\login.exe

Filesize
3.2MB

MD5
b9d00588e709536cbb117e3db5c81b81

SHA1
8809c2a2d97af12e8c0a700ed4129e6b9d5b3b19

SHA256
0f2608cc8b6fa2143424cec9cfe12d6ff1bc41317fdd92f5c8ef3b77f81d4ace

SHA512
a45bb2ff04ae8c81a31308a8baa3800a796e4abe9a6489ab952b7807dcfb40fdd89a6f15500724122726e1b86defb05fe27408198d5553edc83cbf43d48e443b

Download Submit
memory/456-1486-0x0000000000400000-0x0000000000D06000-memory.dmp

Filesize
9.0MB

Download
memory/456-1484-0x0000000000400000-0x0000000000D06000-memory.dmp

Filesize
9.0MB

Download
memory/456-1488-0x0000000000400000-0x0000000000D06000-memory.dmp

Filesize
9.0MB

Download
memory/456-1487-0x0000000000400000-0x0000000000D06000-memory.dmp

Filesize
9.0MB

Download
memory/456-1485-0x0000000000400000-0x0000000000D06000-memory.dmp

Filesize
9.0MB

Download
memory/4092-133-0x00000000772B0000-0x0000000077453000-memory.dmp

Filesize
1.6MB

Download
memory/4092-136-0x0000000076470000-0x0000000076610000-memory.dmp

Filesize
1.6MB

Download
memory/4092-134-0x0000000075170000-0x0000000075385000-memory.dmp

Filesize
2.1MB

Download
memory/4092-1480-0x0000000000A90000-0x0000000000B90000-memory.dmp

Filesize
1024KB

Download
memory/4092-132-0x0000000001000000-0x000000000140B000-memory.dmp

Filesize
4.0MB

Download
memory/4092-1479-0x0000000000A90000-0x0000000000B90000-memory.dmp

Filesize
1024KB

Download
memory/4092-137-0x0000000075F10000-0x0000000075F8A000-memory.dmp

Filesize
488KB

Download
memory/4092-1489-0x0000000001000000-0x000000000140B000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing