a1db76ab3e2d98e3bbd968579001d6e1ebea8f141ab559b847c61b84278ee450

General

Target

a1db76ab3e2d98e3bbd968579001d6e1ebea8f141ab559b847c61b84278ee450.exe
Size

880KB
MD5

c2ff6714fef06e14be7d7f3e0eaa996e
SHA1

3f8375eee2f9a18b8c2ce0ef4859601a8eb9bfbf
SHA256

a1db76ab3e2d98e3bbd968579001d6e1ebea8f141ab559b847c61b84278ee450
SHA512

1ab82ea065389695554917f169780a0a05f50b86d7f3bfde6f9b4907b2e61481c6c8747ea3f6ed7582ccaf8d4069bac74d08122e5566143d41e3f673f5dd0c36
SSDEEP

12288:SYut6vs+MGBhooAuf5k7S5cMpyPJwRxHdud9DcSllyuXfvq3suRaWTlQFrZh+MWs:VZlUgyabkxx

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4900-133-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-135-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-136-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-137-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-138-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-140-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-142-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-144-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-146-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-148-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-150-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-152-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-154-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-156-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-158-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-160-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-162-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-164-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-166-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-168-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-170-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-172-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-174-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-176-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-178-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-179-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4900-180-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\IESettingSync	a1db76ab3e2d98e3bbd968579001d6e1ebea8f141ab559b847c61b84278ee450.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	a1db76ab3e2d98e3bbd968579001d6e1ebea8f141ab559b847c61b84278ee450.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	a1db76ab3e2d98e3bbd968579001d6e1ebea8f141ab559b847c61b84278ee450.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	a1db76ab3e2d98e3bbd968579001d6e1ebea8f141ab559b847c61b84278ee450.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4900	a1db76ab3e2d98e3bbd968579001d6e1ebea8f141ab559b847c61b84278ee450.exe
4900	a1db76ab3e2d98e3bbd968579001d6e1ebea8f141ab559b847c61b84278ee450.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4900	a1db76ab3e2d98e3bbd968579001d6e1ebea8f141ab559b847c61b84278ee450.exe
4900	a1db76ab3e2d98e3bbd968579001d6e1ebea8f141ab559b847c61b84278ee450.exe
4900	a1db76ab3e2d98e3bbd968579001d6e1ebea8f141ab559b847c61b84278ee450.exe
4900	a1db76ab3e2d98e3bbd968579001d6e1ebea8f141ab559b847c61b84278ee450.exe
4900	a1db76ab3e2d98e3bbd968579001d6e1ebea8f141ab559b847c61b84278ee450.exe

C:\Users\Admin\AppData\Local\Temp\a1db76ab3e2d98e3bbd968579001d6e1ebea8f141ab559b847c61b84278ee450.exe
"C:\Users\Admin\AppData\Local\Temp\a1db76ab3e2d98e3bbd968579001d6e1ebea8f141ab559b847c61b84278ee450.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4900-132-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/4900-133-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-135-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-136-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-137-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-138-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-140-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-142-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-144-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-146-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-148-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-150-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-152-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-154-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-156-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-158-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-160-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-162-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-164-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-166-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-168-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-170-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-172-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-174-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-176-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-178-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-179-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-180-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4900-181-0x00000000121C0000-0x00000000121C8000-memory.dmp

Filesize
32KB

Download
memory/4900-182-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing