002c839bbd1aac288559ba28e59d9f6d1fc8e2a93f72383e13b7f9f2a47f4214

General

Target

002c839bbd1aac288559ba28e59d9f6d1fc8e2a93f72383e13b7f9f2a47f4214.exe
Size

17.9MB
MD5

559b9d305238419c920edfb123e4be62
SHA1

49182110ad23e65745ccb9687c8f664b6b40d5fa
SHA256

002c839bbd1aac288559ba28e59d9f6d1fc8e2a93f72383e13b7f9f2a47f4214
SHA512

b90cbdf03479be618c980e9eee852c804d5d0dd35696785d122171b02f0b9ba163ee8d6828f746cb349aab9a03e974db3717a5cb20450794ee0311ab43368c12
SSDEEP

393216:0YRQ5UEr2KLc6rM5cbHr8Lkqs5m4LIdgsMn2H6GgVMy5guFqmC06ag151/r/V:w5bLcCXskqD4MdU2HnsgYULzV

Score

8^/10

upx vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

MiTools.exe

pid process

1164 MiTools.exe

pid	process
1164	MiTools.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3496-132-0x0000000000400000-0x00000000004D4000-memory.dmp	upx
behavioral2/memory/1164-139-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1164-140-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1164-141-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1164-143-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1164-145-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1164-148-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1164-150-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1164-152-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1164-154-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1164-156-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1164-158-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1164-160-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1164-162-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1164-164-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1164-166-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1164-168-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1164-170-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1164-172-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1164-174-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1164-176-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1164-178-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1164-180-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1164-182-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3496-183-0x0000000000400000-0x00000000004D4000-memory.dmp	upx
behavioral2/memory/1164-185-0x0000000010000000-0x000000001003E000-memory.dmp	upx

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MI\MiTools.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\MI\MiTools.exe	vmprotect
behavioral2/memory/1164-136-0x0000000000400000-0x0000000001976000-memory.dmp	vmprotect
behavioral2/memory/1164-146-0x0000000000400000-0x0000000001976000-memory.dmp	vmprotect
behavioral2/memory/1164-184-0x0000000000400000-0x0000000001976000-memory.dmp	vmprotect

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/3496-183-0x0000000000400000-0x00000000004D4000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

MiTools.exe

pid process

1164 MiTools.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

MiTools.exe

pid process

1164 MiTools.exe
1164 MiTools.exe
1164 MiTools.exe
1164 MiTools.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MiTools.exe

pid process

1164 MiTools.exe
1164 MiTools.exe
1164 MiTools.exe

pid	process
1164	MiTools.exe

pid	process
1164	MiTools.exe
1164	MiTools.exe
1164	MiTools.exe
1164	MiTools.exe

pid	process
1164	MiTools.exe
1164	MiTools.exe
1164	MiTools.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

002c839bbd1aac288559ba28e59d9f6d1fc8e2a93f72383e13b7f9f2a47f4214.exe

description	pid	process	target process
PID 3496 wrote to memory of 1164	3496	002c839bbd1aac288559ba28e59d9f6d1fc8e2a93f72383e13b7f9f2a47f4214.exe	MiTools.exe
PID 3496 wrote to memory of 1164	3496	002c839bbd1aac288559ba28e59d9f6d1fc8e2a93f72383e13b7f9f2a47f4214.exe	MiTools.exe
PID 3496 wrote to memory of 1164	3496	002c839bbd1aac288559ba28e59d9f6d1fc8e2a93f72383e13b7f9f2a47f4214.exe	MiTools.exe

C:\Users\Admin\AppData\Local\Temp\002c839bbd1aac288559ba28e59d9f6d1fc8e2a93f72383e13b7f9f2a47f4214.exe
"C:\Users\Admin\AppData\Local\Temp\002c839bbd1aac288559ba28e59d9f6d1fc8e2a93f72383e13b7f9f2a47f4214.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3496

C:\Users\Admin\AppData\Local\Temp\MI\MiTools.exe
"C:\Users\Admin\AppData\Local\Temp\MI\MiTools.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MI\MiTools.exe
Filesize
11.3MB

MD5
f7581ce8303fe975ca989acfad7874fd

SHA1
2acbec400337fbd5318999b574838d17ab33e699

SHA256
61bbd194ab480439e364740cfe019666be965a18320d91d85e2d6d123e7aa63b

SHA512
210d55900531f5390b4a62cc9bca12c00dab3b69056d04e433fa970df6dd14a5ab59372a72ffaf3808beb2c65b04cb2e394acbb2822359829ca985acb4472d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\MI\MiTools.exe
Filesize
11.3MB

MD5
f7581ce8303fe975ca989acfad7874fd

SHA1
2acbec400337fbd5318999b574838d17ab33e699

SHA256
61bbd194ab480439e364740cfe019666be965a18320d91d85e2d6d123e7aa63b

SHA512
210d55900531f5390b4a62cc9bca12c00dab3b69056d04e433fa970df6dd14a5ab59372a72ffaf3808beb2c65b04cb2e394acbb2822359829ca985acb4472d37

Download Submit
memory/1164-158-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1164-136-0x0000000000400000-0x0000000001976000-memory.dmp

Filesize
21.5MB

Download
memory/1164-160-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1164-139-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1164-140-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1164-141-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1164-143-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1164-146-0x0000000000400000-0x0000000001976000-memory.dmp

Filesize
21.5MB

Download
memory/1164-145-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1164-148-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1164-150-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1164-152-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1164-154-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1164-156-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1164-185-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1164-133-0x0000000000000000-mapping.dmp

Download
memory/1164-162-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1164-164-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1164-166-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1164-168-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1164-170-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1164-172-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1164-174-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1164-176-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1164-178-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1164-180-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1164-182-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1164-184-0x0000000000400000-0x0000000001976000-memory.dmp

Filesize
21.5MB

Download
memory/3496-183-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3496-132-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads