4501b6d2cc01bd22dc1b3d642c51e8102c8ed849f9d6375e518f7f48b45bc64d

General

Target

4501b6d2cc01bd22dc1b3d642c51e8102c8ed849f9d6375e518f7f48b45bc64d.exe
Size

76KB
MD5

dd10395eceff485ad96f005cf5d6c41c
SHA1

f79881ecc934e9252c515e664de203339f8197a1
SHA256

4501b6d2cc01bd22dc1b3d642c51e8102c8ed849f9d6375e518f7f48b45bc64d
SHA512

0d2464a773dfb0286c3632cc38b9ce978b362a29bbcd6b6de03354d61067f32f19ba9f696792860292acf089e5d9352f5eafefc61956889f0953886a9202ab5e
SSDEEP

1536:nsjlOrzYPT8kspp9zNtrIM1nC2719eJsQPNYmuSMoV1TlJe+:nsGzYPTJspp9zbrIM1C2feHlYmutovT7

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2028	8815.exe
1256	xzz.exe
584	ywkkso.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1292-64-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
1292	4501b6d2cc01bd22dc1b3d642c51e8102c8ed849f9d6375e518f7f48b45bc64d.exe
1292	4501b6d2cc01bd22dc1b3d642c51e8102c8ed849f9d6375e518f7f48b45bc64d.exe
1292	4501b6d2cc01bd22dc1b3d642c51e8102c8ed849f9d6375e518f7f48b45bc64d.exe
1292	4501b6d2cc01bd22dc1b3d642c51e8102c8ed849f9d6375e518f7f48b45bc64d.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ywkkso.exe	8815.exe
File opened for modification	C:\Windows\SysWOW64\ywkkso.exe	8815.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ywkkso.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ywkkso.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2028	8815.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 2028	1292	4501b6d2cc01bd22dc1b3d642c51e8102c8ed849f9d6375e518f7f48b45bc64d.exe	28
PID 1292 wrote to memory of 2028	1292	4501b6d2cc01bd22dc1b3d642c51e8102c8ed849f9d6375e518f7f48b45bc64d.exe	28
PID 1292 wrote to memory of 2028	1292	4501b6d2cc01bd22dc1b3d642c51e8102c8ed849f9d6375e518f7f48b45bc64d.exe	28
PID 1292 wrote to memory of 2028	1292	4501b6d2cc01bd22dc1b3d642c51e8102c8ed849f9d6375e518f7f48b45bc64d.exe	28
PID 1292 wrote to memory of 1256	1292	4501b6d2cc01bd22dc1b3d642c51e8102c8ed849f9d6375e518f7f48b45bc64d.exe	29
PID 1292 wrote to memory of 1256	1292	4501b6d2cc01bd22dc1b3d642c51e8102c8ed849f9d6375e518f7f48b45bc64d.exe	29
PID 1292 wrote to memory of 1256	1292	4501b6d2cc01bd22dc1b3d642c51e8102c8ed849f9d6375e518f7f48b45bc64d.exe	29
PID 1292 wrote to memory of 1256	1292	4501b6d2cc01bd22dc1b3d642c51e8102c8ed849f9d6375e518f7f48b45bc64d.exe	29
PID 2028 wrote to memory of 636	2028	8815.exe	31
PID 2028 wrote to memory of 636	2028	8815.exe	31
PID 2028 wrote to memory of 636	2028	8815.exe	31
PID 2028 wrote to memory of 636	2028	8815.exe	31

C:\Users\Admin\AppData\Local\Temp\4501b6d2cc01bd22dc1b3d642c51e8102c8ed849f9d6375e518f7f48b45bc64d.exe
"C:\Users\Admin\AppData\Local\Temp\4501b6d2cc01bd22dc1b3d642c51e8102c8ed849f9d6375e518f7f48b45bc64d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\Temp\8815.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\8815.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\Temp\8815.exe > nul
    3⤵
    PID:636
- C:\Users\Admin\AppData\Local\Temp\Temp\xzz.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\xzz.exe"
  2⤵
  - Executes dropped EXE
  PID:1256

C:\Windows\SysWOW64\ywkkso.exe
C:\Windows\SysWOW64\ywkkso.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\8815.exe

Filesize
25KB

MD5
b670560fd3fe66db6cbf3c3a09be99f6

SHA1
e9b63396fcf4a3a919de4c4d8c700608dcdceb35

SHA256
1cee12a950a28cbfc86cac1f33606e76372e36c31243bdff58e018a617058ee4

SHA512
d3564f3a14ec58d4f30e6422d4a5a4632727c59a2fef6971b260f02ec1402c0b194eb48ad312e7863e57b0dfc3f127ea8e4d127a86bc6d1fc52adc48f6e51199

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\8815.exe

Filesize
25KB

MD5
b670560fd3fe66db6cbf3c3a09be99f6

SHA1
e9b63396fcf4a3a919de4c4d8c700608dcdceb35

SHA256
1cee12a950a28cbfc86cac1f33606e76372e36c31243bdff58e018a617058ee4

SHA512
d3564f3a14ec58d4f30e6422d4a5a4632727c59a2fef6971b260f02ec1402c0b194eb48ad312e7863e57b0dfc3f127ea8e4d127a86bc6d1fc52adc48f6e51199

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\xzz.exe

Filesize
20KB

MD5
800377675c1fdd298069fafd66bfeaab

SHA1
25e17dbc635ece894aa50877b171ae9f24c5c284

SHA256
eb64c751cfa7b85b39b4ce9fbf68b033a0f8cddcb2dae1a2a0fb23f2997bff16

SHA512
104fee08bc916205e7b3c0f5fa3f351c48777eaa768bea0eae54ee5a4e06577aec44143803f6808e82dd479a56d4d38eca3a134a68b8b86e1e4e1d3887fc6695

Download Submit
C:\Windows\SysWOW64\ywkkso.exe

Filesize
25KB

MD5
b670560fd3fe66db6cbf3c3a09be99f6

SHA1
e9b63396fcf4a3a919de4c4d8c700608dcdceb35

SHA256
1cee12a950a28cbfc86cac1f33606e76372e36c31243bdff58e018a617058ee4

SHA512
d3564f3a14ec58d4f30e6422d4a5a4632727c59a2fef6971b260f02ec1402c0b194eb48ad312e7863e57b0dfc3f127ea8e4d127a86bc6d1fc52adc48f6e51199

Download Submit
\Users\Admin\AppData\Local\Temp\Temp\8815.exe

Filesize
25KB

MD5
b670560fd3fe66db6cbf3c3a09be99f6

SHA1
e9b63396fcf4a3a919de4c4d8c700608dcdceb35

SHA256
1cee12a950a28cbfc86cac1f33606e76372e36c31243bdff58e018a617058ee4

SHA512
d3564f3a14ec58d4f30e6422d4a5a4632727c59a2fef6971b260f02ec1402c0b194eb48ad312e7863e57b0dfc3f127ea8e4d127a86bc6d1fc52adc48f6e51199

Download Submit
\Users\Admin\AppData\Local\Temp\Temp\8815.exe

Filesize
25KB

MD5
b670560fd3fe66db6cbf3c3a09be99f6

SHA1
e9b63396fcf4a3a919de4c4d8c700608dcdceb35

SHA256
1cee12a950a28cbfc86cac1f33606e76372e36c31243bdff58e018a617058ee4

SHA512
d3564f3a14ec58d4f30e6422d4a5a4632727c59a2fef6971b260f02ec1402c0b194eb48ad312e7863e57b0dfc3f127ea8e4d127a86bc6d1fc52adc48f6e51199

Download Submit
\Users\Admin\AppData\Local\Temp\Temp\xzz.exe

Filesize
20KB

MD5
800377675c1fdd298069fafd66bfeaab

SHA1
25e17dbc635ece894aa50877b171ae9f24c5c284

SHA256
eb64c751cfa7b85b39b4ce9fbf68b033a0f8cddcb2dae1a2a0fb23f2997bff16

SHA512
104fee08bc916205e7b3c0f5fa3f351c48777eaa768bea0eae54ee5a4e06577aec44143803f6808e82dd479a56d4d38eca3a134a68b8b86e1e4e1d3887fc6695

Download Submit
\Users\Admin\AppData\Local\Temp\Temp\xzz.exe

Filesize
20KB

MD5
800377675c1fdd298069fafd66bfeaab

SHA1
25e17dbc635ece894aa50877b171ae9f24c5c284

SHA256
eb64c751cfa7b85b39b4ce9fbf68b033a0f8cddcb2dae1a2a0fb23f2997bff16

SHA512
104fee08bc916205e7b3c0f5fa3f351c48777eaa768bea0eae54ee5a4e06577aec44143803f6808e82dd479a56d4d38eca3a134a68b8b86e1e4e1d3887fc6695

Download Submit
memory/1256-65-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1256-68-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1256-69-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1292-64-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1292-54-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing