80bac3a52e58ab6adbe0790ee6481e7ccccf30329081ba9b5392a6eff9fbbdfd

General

Target

80bac3a52e58ab6adbe0790ee6481e7ccccf30329081ba9b5392a6eff9fbbdfd.exe
Size

743KB
MD5

769076779f8cad4a2a065e926d26878b
SHA1

886036bf9554e103ab6969fc3ec7050e0b1c0ef4
SHA256

80bac3a52e58ab6adbe0790ee6481e7ccccf30329081ba9b5392a6eff9fbbdfd
SHA512

ec4be293523c8b067e47e56fa1e7208a403d14cb0174411a984dc2e35a0c7009537eeeb8fc654d5eff2cc3c72b3d5f9a5768c0a48a03645d4c38576108f1ebbb
SSDEEP

12288:qtAdvF9d6ITqN6yOAnMrc4NUYD8VUKHTna+rHTqQNtOUAlvZ19p2YRs64CHEK7M:qed9DiROpKdzasq0A5ZN2YUKEmM

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1220	cam.exe
1784	cam.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00140000000054ab-55.dat	upx
behavioral1/files/0x00140000000054ab-57.dat	upx
behavioral1/files/0x00140000000054ab-59.dat	upx
behavioral1/files/0x00140000000054ab-60.dat	upx
behavioral1/files/0x00140000000054ab-67.dat	upx
behavioral1/memory/1220-69-0x0000000000400000-0x00000000004BD000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1956	80bac3a52e58ab6adbe0790ee6481e7ccccf30329081ba9b5392a6eff9fbbdfd.exe
1220	cam.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1220-69-0x0000000000400000-0x00000000004BD000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1220 set thread context of 1784	1220	cam.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1784	cam.exe
1784	cam.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1220	cam.exe
1220	cam.exe
1220	cam.exe
1232	DllHost.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1220	cam.exe
1220	cam.exe
1220	cam.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1220	1956	80bac3a52e58ab6adbe0790ee6481e7ccccf30329081ba9b5392a6eff9fbbdfd.exe	27
PID 1956 wrote to memory of 1220	1956	80bac3a52e58ab6adbe0790ee6481e7ccccf30329081ba9b5392a6eff9fbbdfd.exe	27
PID 1956 wrote to memory of 1220	1956	80bac3a52e58ab6adbe0790ee6481e7ccccf30329081ba9b5392a6eff9fbbdfd.exe	27
PID 1956 wrote to memory of 1220	1956	80bac3a52e58ab6adbe0790ee6481e7ccccf30329081ba9b5392a6eff9fbbdfd.exe	27
PID 1220 wrote to memory of 1784	1220	cam.exe	28
PID 1220 wrote to memory of 1784	1220	cam.exe	28
PID 1220 wrote to memory of 1784	1220	cam.exe	28
PID 1220 wrote to memory of 1784	1220	cam.exe	28
PID 1220 wrote to memory of 1784	1220	cam.exe	28
PID 1220 wrote to memory of 1784	1220	cam.exe	28
PID 1220 wrote to memory of 1784	1220	cam.exe	28
PID 1784 wrote to memory of 1296	1784	cam.exe	14
PID 1784 wrote to memory of 1296	1784	cam.exe	14
PID 1784 wrote to memory of 1296	1784	cam.exe	14
PID 1784 wrote to memory of 1296	1784	cam.exe	14

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1296
- C:\Users\Admin\AppData\Local\Temp\80bac3a52e58ab6adbe0790ee6481e7ccccf30329081ba9b5392a6eff9fbbdfd.exe
  "C:\Users\Admin\AppData\Local\Temp\80bac3a52e58ab6adbe0790ee6481e7ccccf30329081ba9b5392a6eff9fbbdfd.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\cam.exe
    "C:\Users\Admin\AppData\Local\Temp\cam.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Users\Admin\AppData\Local\Temp\cam.exe
      "C:\Users\Admin\AppData\Local\Temp\cam.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1784

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IMG_0702.JPG

Filesize
128KB

MD5
7eed3a4eb730abbcca07523c721b3781

SHA1
78a5872cce8f21a083a90a59229ad79a481cb5a7

SHA256
e41319d69ee8643e0f2b645322bfe825d0f10fb507ba583097a9bcafdd8a2e08

SHA512
76ae9ca53550b537685299fa5bd4a8752acf2c13fddc51ab72fa9e1bc1ab1d99bcbb281e6d72fe7c79cab86d1320e3144ae61fc78cf3a5c0bc6b6ecdb94df03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cam.exe

Filesize
605KB

MD5
74a3cc36b4a539f8fdbfcbc06be4c4bc

SHA1
bb9edb854771ba2e01ecf5d042e458dfb13b320d

SHA256
1727ca06a418ba7e651195e72de5c5dd214c4984faa2776b9c7955e7d333d554

SHA512
6c49e91189722c02958142cba266f2fc97f83a768399bcfbe3aed2efa43268e81f73ee50c2bf51a23d01a1a5f4308dc8d35e94c27d439d0a152036d65a3d607a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cam.exe

Filesize
605KB

MD5
74a3cc36b4a539f8fdbfcbc06be4c4bc

SHA1
bb9edb854771ba2e01ecf5d042e458dfb13b320d

SHA256
1727ca06a418ba7e651195e72de5c5dd214c4984faa2776b9c7955e7d333d554

SHA512
6c49e91189722c02958142cba266f2fc97f83a768399bcfbe3aed2efa43268e81f73ee50c2bf51a23d01a1a5f4308dc8d35e94c27d439d0a152036d65a3d607a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cam.exe

Filesize
605KB

MD5
74a3cc36b4a539f8fdbfcbc06be4c4bc

SHA1
bb9edb854771ba2e01ecf5d042e458dfb13b320d

SHA256
1727ca06a418ba7e651195e72de5c5dd214c4984faa2776b9c7955e7d333d554

SHA512
6c49e91189722c02958142cba266f2fc97f83a768399bcfbe3aed2efa43268e81f73ee50c2bf51a23d01a1a5f4308dc8d35e94c27d439d0a152036d65a3d607a

Download Submit
\Users\Admin\AppData\Local\Temp\cam.exe

Filesize
605KB

MD5
74a3cc36b4a539f8fdbfcbc06be4c4bc

SHA1
bb9edb854771ba2e01ecf5d042e458dfb13b320d

SHA256
1727ca06a418ba7e651195e72de5c5dd214c4984faa2776b9c7955e7d333d554

SHA512
6c49e91189722c02958142cba266f2fc97f83a768399bcfbe3aed2efa43268e81f73ee50c2bf51a23d01a1a5f4308dc8d35e94c27d439d0a152036d65a3d607a

Download Submit
\Users\Admin\AppData\Local\Temp\cam.exe

Filesize
605KB

MD5
74a3cc36b4a539f8fdbfcbc06be4c4bc

SHA1
bb9edb854771ba2e01ecf5d042e458dfb13b320d

SHA256
1727ca06a418ba7e651195e72de5c5dd214c4984faa2776b9c7955e7d333d554

SHA512
6c49e91189722c02958142cba266f2fc97f83a768399bcfbe3aed2efa43268e81f73ee50c2bf51a23d01a1a5f4308dc8d35e94c27d439d0a152036d65a3d607a

Download Submit
memory/1220-69-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1296-74-0x00000000FFFF0000-0x00000000FFFF7000-memory.dmp

Filesize
28KB

Download
memory/1784-62-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1784-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1784-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1784-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1784-70-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/1784-77-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1956-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing