b75a3ba1ffdae84d625971b2dfc267f379a1107ebe346254e914510f6aeafc68

General

Target

b75a3ba1ffdae84d625971b2dfc267f379a1107ebe346254e914510f6aeafc68.exe
Size

685KB
MD5

53558d26234d5ec0db4c18fb33b56fd6
SHA1

b4116048d4f8a36376d07312c664b1098ea02774
SHA256

b75a3ba1ffdae84d625971b2dfc267f379a1107ebe346254e914510f6aeafc68
SHA512

0e01ed94b4f88a0267c6c603f5f0d736b34d654c7384a17d9783d4f9139e0661909ab27b25bd6e8bb01d553e54e44c9961a5d39257489d2ea7052d6be47a194c
SSDEEP

12288:ySnvpg3jf39d4+MkbGKGd4Zfuh2CN+sid3Bfz1aHggnE2yPLol:ySnvmTf3j4+MkbDGmnCN+td391aHggnP

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1736-55-0x0000000001C70000-0x0000000001DB5000-memory.dmp	upx
behavioral1/memory/1736-58-0x0000000001C70000-0x0000000001DB5000-memory.dmp	upx
behavioral1/memory/1736-59-0x0000000001C70000-0x0000000001DB5000-memory.dmp	upx
behavioral1/memory/1736-62-0x0000000001C70000-0x0000000001DB5000-memory.dmp	upx
behavioral1/memory/1736-63-0x0000000001C70000-0x0000000001DB5000-memory.dmp	upx
behavioral1/memory/1736-64-0x0000000001C70000-0x0000000001DB5000-memory.dmp	upx
behavioral1/memory/520-67-0x0000000001D80000-0x0000000001EC5000-memory.dmp	upx
behavioral1/memory/520-70-0x0000000001D80000-0x0000000001EC5000-memory.dmp	upx
behavioral1/memory/520-71-0x0000000001D80000-0x0000000001EC5000-memory.dmp	upx
behavioral1/memory/520-72-0x0000000001D80000-0x0000000001EC5000-memory.dmp	upx
behavioral1/memory/520-73-0x0000000001D80000-0x0000000001EC5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	b75a3ba1ffdae84d625971b2dfc267f379a1107ebe346254e914510f6aeafc68.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1736	b75a3ba1ffdae84d625971b2dfc267f379a1107ebe346254e914510f6aeafc68.exe
1736	b75a3ba1ffdae84d625971b2dfc267f379a1107ebe346254e914510f6aeafc68.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1736	b75a3ba1ffdae84d625971b2dfc267f379a1107ebe346254e914510f6aeafc68.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1736	b75a3ba1ffdae84d625971b2dfc267f379a1107ebe346254e914510f6aeafc68.exe
1736	b75a3ba1ffdae84d625971b2dfc267f379a1107ebe346254e914510f6aeafc68.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 520	1736	b75a3ba1ffdae84d625971b2dfc267f379a1107ebe346254e914510f6aeafc68.exe	28
PID 1736 wrote to memory of 520	1736	b75a3ba1ffdae84d625971b2dfc267f379a1107ebe346254e914510f6aeafc68.exe	28
PID 1736 wrote to memory of 520	1736	b75a3ba1ffdae84d625971b2dfc267f379a1107ebe346254e914510f6aeafc68.exe	28
PID 1736 wrote to memory of 520	1736	b75a3ba1ffdae84d625971b2dfc267f379a1107ebe346254e914510f6aeafc68.exe	28

C:\Users\Admin\AppData\Local\Temp\b75a3ba1ffdae84d625971b2dfc267f379a1107ebe346254e914510f6aeafc68.exe
"C:\Users\Admin\AppData\Local\Temp\b75a3ba1ffdae84d625971b2dfc267f379a1107ebe346254e914510f6aeafc68.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\b75a3ba1ffdae84d625971b2dfc267f379a1107ebe346254e914510f6aeafc68.exe
  "C:\Users\Admin\AppData\Local\Temp\b75a3ba1ffdae84d625971b2dfc267f379a1107ebe346254e914510f6aeafc68.exe" /_ShowProgress
  2⤵
  PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/520-73-0x0000000001D80000-0x0000000001EC5000-memory.dmp

Filesize
1.3MB

Download
memory/520-72-0x0000000001D80000-0x0000000001EC5000-memory.dmp

Filesize
1.3MB

Download
memory/520-71-0x0000000001D80000-0x0000000001EC5000-memory.dmp

Filesize
1.3MB

Download
memory/520-70-0x0000000001D80000-0x0000000001EC5000-memory.dmp

Filesize
1.3MB

Download
memory/520-67-0x0000000001D80000-0x0000000001EC5000-memory.dmp

Filesize
1.3MB

Download
memory/1736-59-0x0000000001C70000-0x0000000001DB5000-memory.dmp

Filesize
1.3MB

Download
memory/1736-60-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1736-64-0x0000000001C70000-0x0000000001DB5000-memory.dmp

Filesize
1.3MB

Download
memory/1736-63-0x0000000001C70000-0x0000000001DB5000-memory.dmp

Filesize
1.3MB

Download
memory/1736-62-0x0000000001C70000-0x0000000001DB5000-memory.dmp

Filesize
1.3MB

Download
memory/1736-61-0x0000000000250000-0x00000000002FC000-memory.dmp

Filesize
688KB

Download
memory/1736-54-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1736-58-0x0000000001C70000-0x0000000001DB5000-memory.dmp

Filesize
1.3MB

Download
memory/1736-55-0x0000000001C70000-0x0000000001DB5000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing