5f85e9392e2b6136496d9a09b74a4b9e3c5f84e27ece03cd4d8822df82e829a7

General

Target

5f85e9392e2b6136496d9a09b74a4b9e3c5f84e27ece03cd4d8822df82e829a7.exe
Size

935KB
MD5

7e391852898d684690d956909e7a5675
SHA1

05fc7c95f2d3e20fc9c953e28a50880410a7dd61
SHA256

5f85e9392e2b6136496d9a09b74a4b9e3c5f84e27ece03cd4d8822df82e829a7
SHA512

b8947a070a30421b90adc5abde2bcb9658be0dcc5090cc23638a87eedf4e95cee8715a62640048e19628599df437c3c352c928ca70712fb9820653020f4caa1e
SSDEEP

12288:p5Yr15f753d5QWIDz/Wz9NCyzHinLipNDJ5eoFb0OZ/WiGaks+HL63S27x4e:pyHv5Z+Wzv7AiBll0OBWi6si9Gj

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1168-55-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral1/memory/1168-57-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral1/memory/1168-58-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral1/memory/1168-62-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral1/memory/1168-63-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral1/memory/1168-64-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral1/memory/1168-65-0x0000000000400000-0x00000000004F2000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5f85e9392e2b6136496d9a09b74a4b9e3c5f84e27ece03cd4d8822df82e829a7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5f85e9392e2b6136496d9a09b74a4b9e3c5f84e27ece03cd4d8822df82e829a7.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	5f85e9392e2b6136496d9a09b74a4b9e3c5f84e27ece03cd4d8822df82e829a7.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	5f85e9392e2b6136496d9a09b74a4b9e3c5f84e27ece03cd4d8822df82e829a7.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 828 set thread context of 1168	828	5f85e9392e2b6136496d9a09b74a4b9e3c5f84e27ece03cd4d8822df82e829a7.exe	29

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1168	5f85e9392e2b6136496d9a09b74a4b9e3c5f84e27ece03cd4d8822df82e829a7.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 1168	828	5f85e9392e2b6136496d9a09b74a4b9e3c5f84e27ece03cd4d8822df82e829a7.exe	29
PID 828 wrote to memory of 1168	828	5f85e9392e2b6136496d9a09b74a4b9e3c5f84e27ece03cd4d8822df82e829a7.exe	29
PID 828 wrote to memory of 1168	828	5f85e9392e2b6136496d9a09b74a4b9e3c5f84e27ece03cd4d8822df82e829a7.exe	29
PID 828 wrote to memory of 1168	828	5f85e9392e2b6136496d9a09b74a4b9e3c5f84e27ece03cd4d8822df82e829a7.exe	29
PID 828 wrote to memory of 1168	828	5f85e9392e2b6136496d9a09b74a4b9e3c5f84e27ece03cd4d8822df82e829a7.exe	29
PID 828 wrote to memory of 1168	828	5f85e9392e2b6136496d9a09b74a4b9e3c5f84e27ece03cd4d8822df82e829a7.exe	29
PID 828 wrote to memory of 1168	828	5f85e9392e2b6136496d9a09b74a4b9e3c5f84e27ece03cd4d8822df82e829a7.exe	29
PID 828 wrote to memory of 1168	828	5f85e9392e2b6136496d9a09b74a4b9e3c5f84e27ece03cd4d8822df82e829a7.exe	29

C:\Users\Admin\AppData\Local\Temp\5f85e9392e2b6136496d9a09b74a4b9e3c5f84e27ece03cd4d8822df82e829a7.exe
"C:\Users\Admin\AppData\Local\Temp\5f85e9392e2b6136496d9a09b74a4b9e3c5f84e27ece03cd4d8822df82e829a7.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Local\Temp\5f85e9392e2b6136496d9a09b74a4b9e3c5f84e27ece03cd4d8822df82e829a7.exe
  "C:\Users\Admin\AppData\Local\Temp\5f85e9392e2b6136496d9a09b74a4b9e3c5f84e27ece03cd4d8822df82e829a7.exe" Track="0001001000"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1168-54-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1168-55-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1168-57-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1168-58-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1168-61-0x0000000075491000-0x0000000075493000-memory.dmp

Filesize
8KB

Download
memory/1168-62-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1168-63-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1168-64-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1168-65-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads