90847c831f66fc3f7e19e2d2d2e2e2f7dd7e76cef0737301ed6e64ab33cd1cee

General

Target

90847c831f66fc3f7e19e2d2d2e2e2f7dd7e76cef0737301ed6e64ab33cd1cee.exe
Size

252KB
MD5

8c9875d1304bf05a7e0b6b5afbbe19b7
SHA1

45466723a1768bc54728ae85fe6d1258fa945e72
SHA256

90847c831f66fc3f7e19e2d2d2e2e2f7dd7e76cef0737301ed6e64ab33cd1cee
SHA512

fa9d376c384ad7aa893807b3ee32bf2e67b6c79876f5f13de138517684299c2a1242b8cd5709ac71132cb2ddec97d8478c7395a5a849c0814988ed58131602f2
SSDEEP

3072:uvnnEYqhOeU3WEE2XjPyPS+VLY4MMHcq7CV3lFcGam1dtBDSyiHcmaN6G:TOe+qq70keVI3lFcM11S8

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/344-59-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral1/memory/344-61-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral1/memory/344-62-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral1/memory/344-64-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral1/memory/344-66-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral1/memory/344-67-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/344-69-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/344-68-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral1/memory/344-70-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/344-72-0x0000000000400000-0x0000000000464000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1796	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 748 set thread context of 344	748	90847c831f66fc3f7e19e2d2d2e2e2f7dd7e76cef0737301ed6e64ab33cd1cee.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
748	90847c831f66fc3f7e19e2d2d2e2e2f7dd7e76cef0737301ed6e64ab33cd1cee.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
748	90847c831f66fc3f7e19e2d2d2e2e2f7dd7e76cef0737301ed6e64ab33cd1cee.exe
748	90847c831f66fc3f7e19e2d2d2e2e2f7dd7e76cef0737301ed6e64ab33cd1cee.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 344	748	90847c831f66fc3f7e19e2d2d2e2e2f7dd7e76cef0737301ed6e64ab33cd1cee.exe	28
PID 748 wrote to memory of 344	748	90847c831f66fc3f7e19e2d2d2e2e2f7dd7e76cef0737301ed6e64ab33cd1cee.exe	28
PID 748 wrote to memory of 344	748	90847c831f66fc3f7e19e2d2d2e2e2f7dd7e76cef0737301ed6e64ab33cd1cee.exe	28
PID 748 wrote to memory of 344	748	90847c831f66fc3f7e19e2d2d2e2e2f7dd7e76cef0737301ed6e64ab33cd1cee.exe	28
PID 748 wrote to memory of 344	748	90847c831f66fc3f7e19e2d2d2e2e2f7dd7e76cef0737301ed6e64ab33cd1cee.exe	28
PID 748 wrote to memory of 344	748	90847c831f66fc3f7e19e2d2d2e2e2f7dd7e76cef0737301ed6e64ab33cd1cee.exe	28
PID 748 wrote to memory of 344	748	90847c831f66fc3f7e19e2d2d2e2e2f7dd7e76cef0737301ed6e64ab33cd1cee.exe	28
PID 748 wrote to memory of 344	748	90847c831f66fc3f7e19e2d2d2e2e2f7dd7e76cef0737301ed6e64ab33cd1cee.exe	28
PID 748 wrote to memory of 344	748	90847c831f66fc3f7e19e2d2d2e2e2f7dd7e76cef0737301ed6e64ab33cd1cee.exe	28
PID 344 wrote to memory of 1796	344	90847c831f66fc3f7e19e2d2d2e2e2f7dd7e76cef0737301ed6e64ab33cd1cee.exe	29
PID 344 wrote to memory of 1796	344	90847c831f66fc3f7e19e2d2d2e2e2f7dd7e76cef0737301ed6e64ab33cd1cee.exe	29
PID 344 wrote to memory of 1796	344	90847c831f66fc3f7e19e2d2d2e2e2f7dd7e76cef0737301ed6e64ab33cd1cee.exe	29
PID 344 wrote to memory of 1796	344	90847c831f66fc3f7e19e2d2d2e2e2f7dd7e76cef0737301ed6e64ab33cd1cee.exe	29

C:\Users\Admin\AppData\Local\Temp\90847c831f66fc3f7e19e2d2d2e2e2f7dd7e76cef0737301ed6e64ab33cd1cee.exe
"C:\Users\Admin\AppData\Local\Temp\90847c831f66fc3f7e19e2d2d2e2e2f7dd7e76cef0737301ed6e64ab33cd1cee.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\AppData\Local\Temp\90847c831f66fc3f7e19e2d2d2e2e2f7dd7e76cef0737301ed6e64ab33cd1cee.exe
  C:\Users\Admin\AppData\Local\Temp\90847c831f66fc3f7e19e2d2d2e2e2f7dd7e76cef0737301ed6e64ab33cd1cee.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\d.bat" "
    3⤵
    - Deletes itself
    PID:1796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d.bat

Filesize
163B

MD5
4d95b6a27bd1498cb3c8f0ef022b8527

SHA1
967cc754ae147b33342ba3cc1b3a22f7b51f4f4b

SHA256
95b9c2077fa97f43591ae6fb8925e7966c6938bcd04204c02cb01e0ab2d34749

SHA512
6ea995fa2c153bbdc088bc201c402a93c8129d09d7e41b90c7976588494b8b63ecbf905004afa88c2e0d4d3c7b979d36cb214c348f51ad528bbba304446dbb0f

Download Submit
memory/344-64-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/344-63-0x0000000000461E80-mapping.dmp

Download
memory/344-55-0x00000000001B0000-0x00000000002AA000-memory.dmp

Filesize
1000KB

Download
memory/344-59-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/344-66-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/344-62-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/344-57-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/344-72-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/344-61-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/344-67-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/344-69-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/344-68-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/344-70-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/748-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/748-58-0x0000000000290000-0x0000000000294000-memory.dmp

Filesize
16KB

Download
memory/1796-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing