95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6

General

Target

95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
Size

3.2MB
MD5

b68428885b7b7ee7f3afcabc87ff6d15
SHA1

fc78f8d9c9e60b0cf4a4139416b321a4dac85f10
SHA256

95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6
SHA512

e1031096530107b068781402c374cbe14993684affd3fcbf6004c93c04193b41a9623ffb0b8f741419c1aac9dacc3af46cea0b3bb3f1af7d758d2b10828e1bc4
SSDEEP

49152:ga7UX7jYG3aoKOi4uYK5vikfADPDJjPKTW7yHO9LhrXbvHNyDSVPuSZcNKGWGop:8XyOi4u+kfADdmTbu99zbyhSO3F0

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1684-55-0x0000000000400000-0x00000000004A7000-memory.dmp	upx
behavioral1/memory/1684-68-0x0000000000400000-0x00000000004A7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe

Modifies registry class 10 IoCs

Processes:

95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82184935-B894-4AB2-8590-603BA7D74B71}\LocalServer32	95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82184935-B894-4AB2-8590-603BA7D74B71}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe"	95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.eProtocol\ = "eProtocol"	95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.eProtocol\Clsid	95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.eProtocol\Clsid\ = "{82184935-B894-4AB2-8590-603BA7D74B71}"	95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82184935-B894-4AB2-8590-603BA7D74B71}\ProgID	95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82184935-B894-4AB2-8590-603BA7D74B71}\ProgID\ = "95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.eProtocol"	95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82184935-B894-4AB2-8590-603BA7D74B71}	95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.eProtocol	95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82184935-B894-4AB2-8590-603BA7D74B71}\ = "eProtocol"	95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe

pid	process
1684	95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
1684	95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe

C:\Users\Admin\AppData\Local\Temp\95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
"C:\Users\Admin\AppData\Local\Temp\95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1684

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1684-54-0x0000000076771000-0x0000000076773000-memory.dmp

Filesize
8KB

Download
memory/1684-55-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/1684-68-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads