3a7a7727e57608b41e84fb60bccb4767a7f0e36dafcc8db65bf6a11f4a163406

General

Target

3a7a7727e57608b41e84fb60bccb4767a7f0e36dafcc8db65bf6a11f4a163406.exe
Size

4.4MB
MD5

fa25ea66f62fc503a570969d431df329
SHA1

5127b92b6fb36944c60a090a01a32a4db54eb05e
SHA256

3a7a7727e57608b41e84fb60bccb4767a7f0e36dafcc8db65bf6a11f4a163406
SHA512

2cf99eae018604bea3865d468ecc56ee7daec9b8e5b20f1cfdca1b6dc4b4ab6309ccc0303227d6623dbaa9398ffa4f5a8a209e4df60429ae50ec4e2cd08489fe
SSDEEP

98304:rg56a8oxDqU7uHBUD86gpR0Gc18CZctvldxmcFHj+:U5AwYk8TnjcSCZcGc

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
684	mod.exe
1216	file1.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000012311-56.dat	upx
behavioral1/files/0x000b000000012311-58.dat	upx
behavioral1/memory/684-59-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/684-64-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
684	mod.exe
684	mod.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/684-59-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/684-64-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mod.exe	3a7a7727e57608b41e84fb60bccb4767a7f0e36dafcc8db65bf6a11f4a163406.exe
File created	C:\Windows\mod.exe	3a7a7727e57608b41e84fb60bccb4767a7f0e36dafcc8db65bf6a11f4a163406.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1216	file1.exe
1216	file1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1216	file1.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
684	mod.exe
684	mod.exe
684	mod.exe
684	mod.exe
1216	file1.exe
1216	file1.exe
1216	file1.exe
1216	file1.exe
1216	file1.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
684	mod.exe
684	mod.exe
684	mod.exe
684	mod.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 684	1584	3a7a7727e57608b41e84fb60bccb4767a7f0e36dafcc8db65bf6a11f4a163406.exe	28
PID 1584 wrote to memory of 684	1584	3a7a7727e57608b41e84fb60bccb4767a7f0e36dafcc8db65bf6a11f4a163406.exe	28
PID 1584 wrote to memory of 684	1584	3a7a7727e57608b41e84fb60bccb4767a7f0e36dafcc8db65bf6a11f4a163406.exe	28
PID 1584 wrote to memory of 684	1584	3a7a7727e57608b41e84fb60bccb4767a7f0e36dafcc8db65bf6a11f4a163406.exe	28
PID 684 wrote to memory of 1216	684	mod.exe	29
PID 684 wrote to memory of 1216	684	mod.exe	29
PID 684 wrote to memory of 1216	684	mod.exe	29
PID 684 wrote to memory of 1216	684	mod.exe	29

C:\Users\Admin\AppData\Local\Temp\3a7a7727e57608b41e84fb60bccb4767a7f0e36dafcc8db65bf6a11f4a163406.exe
"C:\Users\Admin\AppData\Local\Temp\3a7a7727e57608b41e84fb60bccb4767a7f0e36dafcc8db65bf6a11f4a163406.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\mod.exe
  C:\Windows/mod.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Users\Admin\AppData\Local\Temp\file1.exe
    C:\Users\Admin\AppData\Local\Temp\file1.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file1.exe

Filesize
3.9MB

MD5
bb72dc16a5123fc281c3cba1f9746843

SHA1
c1c9dab6e287fb4bb54a95bb1ecefa40997b21b5

SHA256
7c89916c3627988e90459654de59dedd044517c66399e77dd99eef8c3659f0b5

SHA512
cdbdea9ada37d23da8d8a3cb4e77ecd5244d445eba77fa8cd9616dc9fea2ecce0831a6d7689efbfa92c7dc579319a0d3d829c86358fd31bb7efbfea0acd3cc84

Download Submit
C:\Windows\mod.exe

Filesize
3.5MB

MD5
42c9cacf190044844c19ec76f15e6751

SHA1
1d2497ace6a9153f812c49d3160d6ef3bcc3b89f

SHA256
7b7b431db27564a24eaaa6db5bff786aff91abf651a578ccff2ada372cb5d7f5

SHA512
e850b9d571cc86f31fa3c109c4ac4f769ccd5db2cf1e377d44b4b0f503abce98a11189aa9b9278626ecf2b3969c797b83f584f0432bbd36d347f9beb50770b8c

Download Submit
C:\Windows\mod.exe

Filesize
3.5MB

MD5
42c9cacf190044844c19ec76f15e6751

SHA1
1d2497ace6a9153f812c49d3160d6ef3bcc3b89f

SHA256
7b7b431db27564a24eaaa6db5bff786aff91abf651a578ccff2ada372cb5d7f5

SHA512
e850b9d571cc86f31fa3c109c4ac4f769ccd5db2cf1e377d44b4b0f503abce98a11189aa9b9278626ecf2b3969c797b83f584f0432bbd36d347f9beb50770b8c

Download Submit
\Users\Admin\AppData\Local\Temp\file1.exe

Filesize
3.9MB

MD5
bb72dc16a5123fc281c3cba1f9746843

SHA1
c1c9dab6e287fb4bb54a95bb1ecefa40997b21b5

SHA256
7c89916c3627988e90459654de59dedd044517c66399e77dd99eef8c3659f0b5

SHA512
cdbdea9ada37d23da8d8a3cb4e77ecd5244d445eba77fa8cd9616dc9fea2ecce0831a6d7689efbfa92c7dc579319a0d3d829c86358fd31bb7efbfea0acd3cc84

Download Submit
\Users\Admin\AppData\Local\Temp\file1.exe

Filesize
3.9MB

MD5
bb72dc16a5123fc281c3cba1f9746843

SHA1
c1c9dab6e287fb4bb54a95bb1ecefa40997b21b5

SHA256
7c89916c3627988e90459654de59dedd044517c66399e77dd99eef8c3659f0b5

SHA512
cdbdea9ada37d23da8d8a3cb4e77ecd5244d445eba77fa8cd9616dc9fea2ecce0831a6d7689efbfa92c7dc579319a0d3d829c86358fd31bb7efbfea0acd3cc84

Download Submit
memory/684-59-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/684-64-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1584-54-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing