1797455f05cd7e4b398731fcd19e4a78d23d3a1730244106c1f0051b5d710923

General

Target

1797455f05cd7e4b398731fcd19e4a78d23d3a1730244106c1f0051b5d710923.exe
Size

464KB
MD5

90db9ee9a2be838479ab2e70e4dfd936
SHA1

59de7435ffd0cb577e05d2360ba3af0570b788d8
SHA256

1797455f05cd7e4b398731fcd19e4a78d23d3a1730244106c1f0051b5d710923
SHA512

615d3f1e58dc58e8045db4be0a58d273b1e402a8513a678aa5f00cf18f0e76507ebee4befc72a2cb52d465960fe614c8c0d9f6cbfce41c78e0e6d50751536df3
SSDEEP

12288:pg89R3qKtzPQkSNkG1XEZ3+7ytZcnepd1hjSRn:pg89T0LP2cn21hWRn

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Setup.exe

pid process

752 Setup.exe

pid	process
752	Setup.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1476-55-0x0000000000C40000-0x0000000000D73CA0-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\a28RVPAPH3\6jnSJilI\Setup.exe	upx
C:\Users\Admin\AppData\Local\Temp\a28RVPAPH3\6jnSJilI\Setup.exe	upx
C:\Users\Admin\AppData\Local\Temp\a28RVPAPH3\6jnSJilI\Setup.exe	upx
behavioral1/memory/752-62-0x0000000000C10000-0x0000000000D43CA0-memory.dmp	upx
behavioral1/memory/1476-63-0x0000000000C40000-0x0000000000D73CA0-memory.dmp	upx
behavioral1/memory/752-64-0x0000000000C10000-0x0000000000D43CA0-memory.dmp	upx
behavioral1/memory/752-65-0x0000000000C10000-0x0000000000D43CA0-memory.dmp	upx
behavioral1/memory/1476-66-0x0000000000C40000-0x0000000000D73CA0-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

1797455f05cd7e4b398731fcd19e4a78d23d3a1730244106c1f0051b5d710923.exe

pid process

1476 1797455f05cd7e4b398731fcd19e4a78d23d3a1730244106c1f0051b5d710923.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1476	1797455f05cd7e4b398731fcd19e4a78d23d3a1730244106c1f0051b5d710923.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

Setup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Setup.exe = "0"	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\Setup.exe = "1"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND\Setup.exe = "0"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	Setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

1797455f05cd7e4b398731fcd19e4a78d23d3a1730244106c1f0051b5d710923.exe

description	pid	process	target process
PID 1476 wrote to memory of 752	1476	1797455f05cd7e4b398731fcd19e4a78d23d3a1730244106c1f0051b5d710923.exe	Setup.exe
PID 1476 wrote to memory of 752	1476	1797455f05cd7e4b398731fcd19e4a78d23d3a1730244106c1f0051b5d710923.exe	Setup.exe
PID 1476 wrote to memory of 752	1476	1797455f05cd7e4b398731fcd19e4a78d23d3a1730244106c1f0051b5d710923.exe	Setup.exe
PID 1476 wrote to memory of 752	1476	1797455f05cd7e4b398731fcd19e4a78d23d3a1730244106c1f0051b5d710923.exe	Setup.exe
PID 1476 wrote to memory of 752	1476	1797455f05cd7e4b398731fcd19e4a78d23d3a1730244106c1f0051b5d710923.exe	Setup.exe
PID 1476 wrote to memory of 752	1476	1797455f05cd7e4b398731fcd19e4a78d23d3a1730244106c1f0051b5d710923.exe	Setup.exe
PID 1476 wrote to memory of 752	1476	1797455f05cd7e4b398731fcd19e4a78d23d3a1730244106c1f0051b5d710923.exe	Setup.exe

C:\Users\Admin\AppData\Local\Temp\1797455f05cd7e4b398731fcd19e4a78d23d3a1730244106c1f0051b5d710923.exe
"C:\Users\Admin\AppData\Local\Temp\1797455f05cd7e4b398731fcd19e4a78d23d3a1730244106c1f0051b5d710923.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476

C:\Users\Admin\AppData\Local\Temp\a28RVPAPH3\6jnSJilI\Setup.exe
C:\Users\Admin\AppData\Local\Temp\a28RVPAPH3\6jnSJilI\Setup.exe --relaunch
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:752

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a28RVPAPH3\6jnSJilI\Setup.exe
Filesize
464KB

MD5
90db9ee9a2be838479ab2e70e4dfd936

SHA1
59de7435ffd0cb577e05d2360ba3af0570b788d8

SHA256
1797455f05cd7e4b398731fcd19e4a78d23d3a1730244106c1f0051b5d710923

SHA512
615d3f1e58dc58e8045db4be0a58d273b1e402a8513a678aa5f00cf18f0e76507ebee4befc72a2cb52d465960fe614c8c0d9f6cbfce41c78e0e6d50751536df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a28RVPAPH3\6jnSJilI\Setup.exe
Filesize
464KB

MD5
90db9ee9a2be838479ab2e70e4dfd936

SHA1
59de7435ffd0cb577e05d2360ba3af0570b788d8

SHA256
1797455f05cd7e4b398731fcd19e4a78d23d3a1730244106c1f0051b5d710923

SHA512
615d3f1e58dc58e8045db4be0a58d273b1e402a8513a678aa5f00cf18f0e76507ebee4befc72a2cb52d465960fe614c8c0d9f6cbfce41c78e0e6d50751536df3

Download Submit
\Users\Admin\AppData\Local\Temp\a28RVPAPH3\6jnSJilI\Setup.exe
Filesize
464KB

MD5
90db9ee9a2be838479ab2e70e4dfd936

SHA1
59de7435ffd0cb577e05d2360ba3af0570b788d8

SHA256
1797455f05cd7e4b398731fcd19e4a78d23d3a1730244106c1f0051b5d710923

SHA512
615d3f1e58dc58e8045db4be0a58d273b1e402a8513a678aa5f00cf18f0e76507ebee4befc72a2cb52d465960fe614c8c0d9f6cbfce41c78e0e6d50751536df3

Download Submit
memory/752-57-0x0000000000000000-mapping.dmp

Download
memory/752-62-0x0000000000C10000-0x0000000000D43CA0-memory.dmp

Filesize
1.2MB

Download
memory/752-64-0x0000000000C10000-0x0000000000D43CA0-memory.dmp

Filesize
1.2MB

Download
memory/752-65-0x0000000000C10000-0x0000000000D43CA0-memory.dmp

Filesize
1.2MB

Download
memory/1476-54-0x0000000075491000-0x0000000075493000-memory.dmp

Filesize
8KB

Download
memory/1476-55-0x0000000000C40000-0x0000000000D73CA0-memory.dmp

Filesize
1.2MB

Download
memory/1476-61-0x0000000003F40000-0x0000000004074000-memory.dmp

Filesize
1.2MB

Download
memory/1476-63-0x0000000000C40000-0x0000000000D73CA0-memory.dmp

Filesize
1.2MB

Download
memory/1476-66-0x0000000000C40000-0x0000000000D73CA0-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads