eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e

General

Target

eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
Size

3.2MB
MD5

2acc4cff63991eea9db86c537732dbd6
SHA1

81008190bcbbcea323a1ce980f7570822b4346f3
SHA256

eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e
SHA512

86300599a1426d28e2115ff0cf90f79eb80360d34ec3fdd2b47774515e592290b7904ff780a1a3fd2677ba6ccc08ea7914c97caee99a824f62cca34791b8786b
SSDEEP

98304:S45RG0KmFIAG248jUB10g5gxwdg762/lS:LCO48A1x5eph/lS

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1688-1481-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1688-1482-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1688-1483-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1688-1484-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1688-1486-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1688-1488-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1688-1490-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1688-1494-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1688-1492-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1688-1496-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1688-1498-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1688-1500-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1688-1502-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1688-1504-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1688-1506-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1688-1508-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1688-1510-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1688-1512-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1688-1514-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1688-1516-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1688-1518-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1688-1520-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1688-1522-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1688-1524-0x0000000010000000-0x000000001003F000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SuperEC_Hook.dll	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 37 IoCs

pid	Process
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\IESettingSync	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
1688	eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe

C:\Users\Admin\AppData\Local\Temp\eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe
"C:\Users\Admin\AppData\Local\Temp\eb82aaf9a1d2832300b7739a1c3ae0ffec90f6c03a0b959e6a79735e4eeefb4e.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1688-132-0x0000000000400000-0x000000000073E000-memory.dmp

Filesize
3.2MB

Download
memory/1688-133-0x0000000077290000-0x0000000077433000-memory.dmp

Filesize
1.6MB

Download
memory/1688-134-0x0000000076B00000-0x0000000076D15000-memory.dmp

Filesize
2.1MB

Download
memory/1688-136-0x0000000076960000-0x0000000076B00000-memory.dmp

Filesize
1.6MB

Download
memory/1688-137-0x0000000076D20000-0x0000000076D9A000-memory.dmp

Filesize
488KB

Download
memory/1688-1481-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1688-1482-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1688-1483-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1688-1484-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1688-1486-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1688-1488-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1688-1490-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1688-1494-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1688-1492-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1688-1496-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1688-1498-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1688-1500-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1688-1502-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1688-1504-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1688-1506-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1688-1508-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1688-1510-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1688-1512-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1688-1514-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1688-1516-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1688-1518-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1688-1520-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1688-1522-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1688-1524-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1688-1525-0x0000000000400000-0x000000000073E000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing