c3cd83b554ec019369244913aaf42338770289e44ef053773d37458847096a5f

General

Target

c3cd83b554ec019369244913aaf42338770289e44ef053773d37458847096a5f.exe
Size

242KB
MD5

abb0c2a94362043a2b508383d163a900
SHA1

3c5ad0c8ce0b377d6ff95eeb6e578fa01a77c10c
SHA256

c3cd83b554ec019369244913aaf42338770289e44ef053773d37458847096a5f
SHA512

77e152001f086788d0802b81f8b9c724e5792673c789c00d9459b09b258ca34f95154d92d204254fd1b54c3922bf6a0da4eab5e0f2c6adc267ed2727e2eb9ad7
SSDEEP

3072:xN0LwH/hUmnWRdRMtyyYyzwCv2gs3ctDS5as4azG1FKgeXa:xNxPeMg/yzNGctO5as4XbKe

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2032	c3cd83b554ec019369244913aaf42338770289e44ef053773d37458847096a5f.~01

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1404-61-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
1404	c3cd83b554ec019369244913aaf42338770289e44ef053773d37458847096a5f.exe
1404	c3cd83b554ec019369244913aaf42338770289e44ef053773d37458847096a5f.exe
1404	c3cd83b554ec019369244913aaf42338770289e44ef053773d37458847096a5f.exe
2032	c3cd83b554ec019369244913aaf42338770289e44ef053773d37458847096a5f.~01

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SYSLIB32.DLL	c3cd83b554ec019369244913aaf42338770289e44ef053773d37458847096a5f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1404	c3cd83b554ec019369244913aaf42338770289e44ef053773d37458847096a5f.exe
1404	c3cd83b554ec019369244913aaf42338770289e44ef053773d37458847096a5f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 2032	1404	c3cd83b554ec019369244913aaf42338770289e44ef053773d37458847096a5f.exe	28
PID 1404 wrote to memory of 2032	1404	c3cd83b554ec019369244913aaf42338770289e44ef053773d37458847096a5f.exe	28
PID 1404 wrote to memory of 2032	1404	c3cd83b554ec019369244913aaf42338770289e44ef053773d37458847096a5f.exe	28
PID 1404 wrote to memory of 2032	1404	c3cd83b554ec019369244913aaf42338770289e44ef053773d37458847096a5f.exe	28

C:\Users\Admin\AppData\Local\Temp\c3cd83b554ec019369244913aaf42338770289e44ef053773d37458847096a5f.exe
"C:\Users\Admin\AppData\Local\Temp\c3cd83b554ec019369244913aaf42338770289e44ef053773d37458847096a5f.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\c3cd83b554ec019369244913aaf42338770289e44ef053773d37458847096a5f.~01
  C:\Users\Admin\AppData\Local\Temp\c3cd83b554ec019369244913aaf42338770289e44ef053773d37458847096a5f.~01
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c3cd83b554ec019369244913aaf42338770289e44ef053773d37458847096a5f.~01

Filesize
209KB

MD5
09a25348786b267204b300cfbc9960ec

SHA1
ae5ea881ce110a928b7be791f944e865539adf20

SHA256
4bd77f0d0bc5fb9321ff6c4b42ee8be90149152004752820470f10575d65e61f

SHA512
a82839bf5fab810ad19b741faaf3db5cee59d8b070b5615317a1e08735de0d25cbe2ebc459648aee297ef99152b16a7955359de494e6959921e2297116c9c609

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3cd83b554ec019369244913aaf42338770289e44ef053773d37458847096a5f.~01

Filesize
209KB

MD5
09a25348786b267204b300cfbc9960ec

SHA1
ae5ea881ce110a928b7be791f944e865539adf20

SHA256
4bd77f0d0bc5fb9321ff6c4b42ee8be90149152004752820470f10575d65e61f

SHA512
a82839bf5fab810ad19b741faaf3db5cee59d8b070b5615317a1e08735de0d25cbe2ebc459648aee297ef99152b16a7955359de494e6959921e2297116c9c609

Download Submit
C:\Windows\SysWOW64\SYSLIB32.DLL

Filesize
4KB

MD5
f14bd85eeba2b828a655fe62931035e5

SHA1
c6f962ab17705248f1c54675f3f02ee162d5a2b9

SHA256
78350b4add47b0ffa7ad91912fd3937afe19671b08df79463abcbedb12e470db

SHA512
9a825d7976e42259f7396e9bc174ae76a12e3464b7ea452270105a5510f97388c757c70d973fc94eefb715862e3b6c99edbd86b6ca936cd6670c7f3b7ea6fde2

Download Submit
\Users\Admin\AppData\Local\Temp\c3cd83b554ec019369244913aaf42338770289e44ef053773d37458847096a5f.~01

Filesize
209KB

MD5
09a25348786b267204b300cfbc9960ec

SHA1
ae5ea881ce110a928b7be791f944e865539adf20

SHA256
4bd77f0d0bc5fb9321ff6c4b42ee8be90149152004752820470f10575d65e61f

SHA512
a82839bf5fab810ad19b741faaf3db5cee59d8b070b5615317a1e08735de0d25cbe2ebc459648aee297ef99152b16a7955359de494e6959921e2297116c9c609

Download Submit
\Users\Admin\AppData\Local\Temp\c3cd83b554ec019369244913aaf42338770289e44ef053773d37458847096a5f.~01

Filesize
209KB

MD5
09a25348786b267204b300cfbc9960ec

SHA1
ae5ea881ce110a928b7be791f944e865539adf20

SHA256
4bd77f0d0bc5fb9321ff6c4b42ee8be90149152004752820470f10575d65e61f

SHA512
a82839bf5fab810ad19b741faaf3db5cee59d8b070b5615317a1e08735de0d25cbe2ebc459648aee297ef99152b16a7955359de494e6959921e2297116c9c609

Download Submit
\Windows\SysWOW64\SYSLIB32.DLL

Filesize
4KB

MD5
f14bd85eeba2b828a655fe62931035e5

SHA1
c6f962ab17705248f1c54675f3f02ee162d5a2b9

SHA256
78350b4add47b0ffa7ad91912fd3937afe19671b08df79463abcbedb12e470db

SHA512
9a825d7976e42259f7396e9bc174ae76a12e3464b7ea452270105a5510f97388c757c70d973fc94eefb715862e3b6c99edbd86b6ca936cd6670c7f3b7ea6fde2

Download Submit
\Windows\SysWOW64\SYSLIB32.DLL

Filesize
4KB

MD5
f14bd85eeba2b828a655fe62931035e5

SHA1
c6f962ab17705248f1c54675f3f02ee162d5a2b9

SHA256
78350b4add47b0ffa7ad91912fd3937afe19671b08df79463abcbedb12e470db

SHA512
9a825d7976e42259f7396e9bc174ae76a12e3464b7ea452270105a5510f97388c757c70d973fc94eefb715862e3b6c99edbd86b6ca936cd6670c7f3b7ea6fde2

Download Submit
memory/1404-61-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1404-62-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/2032-59-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/2032-65-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing