485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f

General

Target

485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe
Size

463KB
MD5

7f73f204b535f946bcd1141b55d8a060
SHA1

66f636387f4278b2a0242be56313e0e32d6e8d7d
SHA256

485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f
SHA512

b49532ce9a03567800925a97a08a7f57a3e6b9c1e0d2fd835ac5921508a180126aa920cb58ad383233703e65a129c4f9f8d1efef63e248fbeb4f6397881515e1
SSDEEP

6144:ZlNqaVi7q+6ym2xpYnASBJwYYN/zk3WEouhDCoXZ6K8LrhbQ/sl:7AaVi+0pY38YY9W99DX0K21b7

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2616	netsh.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1052-134-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/1052-136-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/1052-137-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/1052-138-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/1052-139-0x0000000000400000-0x000000000041B000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YOUTUBE.PLAYER.exe	485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\engel = "C:\\Users\\Admin\\AppData\\Roaming\\updates\\updates.exe"	485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3448 set thread context of 1052	3448	485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DHCP = "1513910"	485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DNS	485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 1052	3448	485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe	83
PID 3448 wrote to memory of 1052	3448	485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe	83
PID 3448 wrote to memory of 1052	3448	485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe	83
PID 3448 wrote to memory of 1052	3448	485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe	83
PID 3448 wrote to memory of 1052	3448	485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe	83
PID 3448 wrote to memory of 1052	3448	485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe	83
PID 3448 wrote to memory of 1052	3448	485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe	83
PID 3448 wrote to memory of 1052	3448	485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe	83
PID 1052 wrote to memory of 2616	1052	485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe	85
PID 1052 wrote to memory of 2616	1052	485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe	85
PID 1052 wrote to memory of 2616	1052	485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe	85

C:\Users\Admin\AppData\Local\Temp\485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe
"C:\Users\Admin\AppData\Local\Temp\485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Users\Admin\AppData\Local\Temp\485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe
  C:\Users\Admin\AppData\Local\Temp\485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe
  2⤵
  - Modifies firewall policy service
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\485fa1d30f5041c5bc87af22a37141e4e28d9971c1ca9d47a880a87ee9b7a64f.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1052-134-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1052-136-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1052-137-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1052-138-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1052-139-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3448-132-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads