ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae

General

Target

ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
Size

6.4MB
MD5

e1e2d47aa65335fa2f4afc3cb080d91a
SHA1

0aa097e3cbb9dc3f250fb91c6418ed1cd310aa21
SHA256

ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae
SHA512

8f7794f2678704e3ac2637e960dc295b3e06c0487d12db44f9ebfcd58e0f3901fe3471df593fabe69f1b667ec8a8bfcf9102cec0dfb88e4340ca74bd431be554
SSDEEP

98304:/SipA1YsrGQtIsBYpoc6cKu+y1FlSv0ibuhaXhK6UzoK4/V:qxOsSWIFj+u8Apy/V

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3876-132-0x0000000000400000-0x00000000004C0000-memory.dmp	upx

Drops file in System32 directory 27 IoCs

Processes:

ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rserver30\2052.lng_rad	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\FirewallInstallHelper.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\Radm_log.htm	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\raudiox.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\rserver3.exe	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\mirrorv3.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\rschatx.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\nts64helper.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\rchatx.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\reg.exe	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\FamItrfc.Exe	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\install.cmd	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\mirrorv3.inf	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\RCursor.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\rsaudiox.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\R_sui.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\ChatLPCx.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\eula.txt	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\rsetup.exe	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File opened for modification	C:\Windows\SysWOW64\rserver30	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\devcon.exe	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\FamItrf2.Exe	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\mirrorv3.cat	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\CHATLOGS\info.txt	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\rminiv3.sys	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\raddrvv3.sys	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\rsl.exe	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe

pid	process
3876	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
3876	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
3876	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
3876	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe

pid	process
3876	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
3876	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
3876	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe

pid	process
3876	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
3876	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
3876	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe

C:\Users\Admin\AppData\Local\Temp\ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
"C:\Users\Admin\AppData\Local\Temp\ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3876-132-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads