8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8

General

Target

8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
Size

1.1MB
MD5

df9429e6d8cba999535e34a945b847ef
SHA1

262d84caf14b46c76f91aa6c1ed1b3b5013a7d25
SHA256

8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8
SHA512

a9484bda3fbed8ff84a95be1f25f17b79d57ffe434b3f1e4594d75bdcfdeaa8bc8a0f705175be431357201fa9c1a738fb55a76befe771577c53fc211487699c6
SSDEEP

24576:XOIFnM1rGoN1PSWr47HfgXt6b3sCj8nROEbapxS/TRL4cYUuY:+IUlGWrI/g96rskARokNYM

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
668	explorer.exe
1652	taskmgr.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1744-55-0x0000000000400000-0x00000000005E2000-memory.dmp	upx
behavioral1/files/0x000800000001230e-56.dat	upx
behavioral1/files/0x000800000001230e-57.dat	upx
behavioral1/files/0x000800000001230e-59.dat	upx
behavioral1/memory/1744-61-0x0000000000400000-0x00000000005E2000-memory.dmp	upx
behavioral1/files/0x000800000001230e-62.dat	upx
behavioral1/files/0x00090000000122fa-63.dat	upx
behavioral1/files/0x00090000000122fa-64.dat	upx
behavioral1/files/0x00090000000122fa-66.dat	upx
behavioral1/memory/1652-70-0x0000000000400000-0x0000000000525000-memory.dmp	upx
behavioral1/memory/668-71-0x0000000000400000-0x0000000000525000-memory.dmp	upx
behavioral1/memory/1652-74-0x0000000000400000-0x0000000000525000-memory.dmp	upx
behavioral1/memory/668-75-0x0000000000400000-0x0000000000525000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
1744	8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
1744	8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
668	explorer.exe
668	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NvCpu = "C:\\Windows\\NvCpu.exe"	8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe	8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
File created	C:\Windows\NvCpu.exe	8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
File created	C:\Windows\4080\Info\explorer.exe	8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
File created	C:\Windows\4080\taskmgr.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
668	explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 668	1744	8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe	28
PID 1744 wrote to memory of 668	1744	8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe	28
PID 1744 wrote to memory of 668	1744	8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe	28
PID 1744 wrote to memory of 668	1744	8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe	28
PID 668 wrote to memory of 1652	668	explorer.exe	29
PID 668 wrote to memory of 1652	668	explorer.exe	29
PID 668 wrote to memory of 1652	668	explorer.exe	29
PID 668 wrote to memory of 1652	668	explorer.exe	29

C:\Users\Admin\AppData\Local\Temp\8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
"C:\Users\Admin\AppData\Local\Temp\8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\4080\Info\explorer.exe
  C:\Windows\4080\Info\explorer.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\4080\taskmgr.exe
    C:\Windows\4080\taskmgr.exe
    3⤵
    - Executes dropped EXE
    PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\4080\Info\explorer.exe

Filesize
605KB

MD5
8a0b19899cddf09f2385c798674a25ce

SHA1
979a65d873b89896c79c4f3e7a676402d13c9d29

SHA256
bc32f193aa6d1ae528308066801908dcd7a26e0f8c4ac7079e78c6a3125344a8

SHA512
dc5fb3af9faa99b2e9004941c7bd52a27caaa485e8ca22202860d1474e4bca1fadc7c71b4db64a0cb16eb0cee29c89fc4a92e75f3c4b208e1de623f98261e2eb

Download Submit
C:\Windows\4080\Info\explorer.exe

Filesize
605KB

MD5
8a0b19899cddf09f2385c798674a25ce

SHA1
979a65d873b89896c79c4f3e7a676402d13c9d29

SHA256
bc32f193aa6d1ae528308066801908dcd7a26e0f8c4ac7079e78c6a3125344a8

SHA512
dc5fb3af9faa99b2e9004941c7bd52a27caaa485e8ca22202860d1474e4bca1fadc7c71b4db64a0cb16eb0cee29c89fc4a92e75f3c4b208e1de623f98261e2eb

Download Submit
C:\Windows\4080\taskmgr.exe

Filesize
605KB

MD5
8a0b19899cddf09f2385c798674a25ce

SHA1
979a65d873b89896c79c4f3e7a676402d13c9d29

SHA256
bc32f193aa6d1ae528308066801908dcd7a26e0f8c4ac7079e78c6a3125344a8

SHA512
dc5fb3af9faa99b2e9004941c7bd52a27caaa485e8ca22202860d1474e4bca1fadc7c71b4db64a0cb16eb0cee29c89fc4a92e75f3c4b208e1de623f98261e2eb

Download Submit
\Windows\4080\Info\explorer.exe

Filesize
605KB

MD5
8a0b19899cddf09f2385c798674a25ce

SHA1
979a65d873b89896c79c4f3e7a676402d13c9d29

SHA256
bc32f193aa6d1ae528308066801908dcd7a26e0f8c4ac7079e78c6a3125344a8

SHA512
dc5fb3af9faa99b2e9004941c7bd52a27caaa485e8ca22202860d1474e4bca1fadc7c71b4db64a0cb16eb0cee29c89fc4a92e75f3c4b208e1de623f98261e2eb

Download Submit
\Windows\4080\Info\explorer.exe

Filesize
605KB

MD5
8a0b19899cddf09f2385c798674a25ce

SHA1
979a65d873b89896c79c4f3e7a676402d13c9d29

SHA256
bc32f193aa6d1ae528308066801908dcd7a26e0f8c4ac7079e78c6a3125344a8

SHA512
dc5fb3af9faa99b2e9004941c7bd52a27caaa485e8ca22202860d1474e4bca1fadc7c71b4db64a0cb16eb0cee29c89fc4a92e75f3c4b208e1de623f98261e2eb

Download Submit
\Windows\4080\taskmgr.exe

Filesize
605KB

MD5
8a0b19899cddf09f2385c798674a25ce

SHA1
979a65d873b89896c79c4f3e7a676402d13c9d29

SHA256
bc32f193aa6d1ae528308066801908dcd7a26e0f8c4ac7079e78c6a3125344a8

SHA512
dc5fb3af9faa99b2e9004941c7bd52a27caaa485e8ca22202860d1474e4bca1fadc7c71b4db64a0cb16eb0cee29c89fc4a92e75f3c4b208e1de623f98261e2eb

Download Submit
\Windows\4080\taskmgr.exe

Filesize
605KB

MD5
8a0b19899cddf09f2385c798674a25ce

SHA1
979a65d873b89896c79c4f3e7a676402d13c9d29

SHA256
bc32f193aa6d1ae528308066801908dcd7a26e0f8c4ac7079e78c6a3125344a8

SHA512
dc5fb3af9faa99b2e9004941c7bd52a27caaa485e8ca22202860d1474e4bca1fadc7c71b4db64a0cb16eb0cee29c89fc4a92e75f3c4b208e1de623f98261e2eb

Download Submit
memory/668-71-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/668-68-0x0000000003690000-0x00000000037B5000-memory.dmp

Filesize
1.1MB

Download
memory/668-69-0x0000000003690000-0x00000000037B5000-memory.dmp

Filesize
1.1MB

Download
memory/668-72-0x0000000003690000-0x00000000037B5000-memory.dmp

Filesize
1.1MB

Download
memory/668-73-0x0000000003690000-0x00000000037B5000-memory.dmp

Filesize
1.1MB

Download
memory/668-75-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/1652-70-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/1652-74-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/1744-61-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/1744-55-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/1744-54-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing