82c028c4e064a9b11bd85444437b205b3205f58ac309bce42cf7e472c8c21d52

General

Target

82c028c4e064a9b11bd85444437b205b3205f58ac309bce42cf7e472c8c21d52.exe
Size

846KB
MD5

1dce52b995321f486cff6a1216b519f7
SHA1

51b7a16d02a7b0b0d8f0277ab4550dfe03511ed2
SHA256

82c028c4e064a9b11bd85444437b205b3205f58ac309bce42cf7e472c8c21d52
SHA512

b1bfa1704db578fb9d87e9440e9369120c8e6a565d9fbc3a283687307b8d8cbfa2b6dd15a507b83163ff68c5ec92433acd5d0735a57334768c26369662b67413
SSDEEP

24576:dgRUqgZSQKh5q1B+EChdWCJ4CsnfZz9Q:deUkD7q1BmahCsnfZhQ

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
520	032CA8.exe
1712	006D00

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2036-56-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/520-64-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/2036-70-0x0000000000400000-0x0000000000448000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
2036	82c028c4e064a9b11bd85444437b205b3205f58ac309bce42cf7e472c8c21d52.exe
2036	82c028c4e064a9b11bd85444437b205b3205f58ac309bce42cf7e472c8c21d52.exe
2036	82c028c4e064a9b11bd85444437b205b3205f58ac309bce42cf7e472c8c21d52.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 520	2036	82c028c4e064a9b11bd85444437b205b3205f58ac309bce42cf7e472c8c21d52.exe	28
PID 2036 wrote to memory of 520	2036	82c028c4e064a9b11bd85444437b205b3205f58ac309bce42cf7e472c8c21d52.exe	28
PID 2036 wrote to memory of 520	2036	82c028c4e064a9b11bd85444437b205b3205f58ac309bce42cf7e472c8c21d52.exe	28
PID 2036 wrote to memory of 520	2036	82c028c4e064a9b11bd85444437b205b3205f58ac309bce42cf7e472c8c21d52.exe	28
PID 2036 wrote to memory of 1712	2036	82c028c4e064a9b11bd85444437b205b3205f58ac309bce42cf7e472c8c21d52.exe	29
PID 2036 wrote to memory of 1712	2036	82c028c4e064a9b11bd85444437b205b3205f58ac309bce42cf7e472c8c21d52.exe	29
PID 2036 wrote to memory of 1712	2036	82c028c4e064a9b11bd85444437b205b3205f58ac309bce42cf7e472c8c21d52.exe	29
PID 2036 wrote to memory of 1712	2036	82c028c4e064a9b11bd85444437b205b3205f58ac309bce42cf7e472c8c21d52.exe	29

C:\Users\Admin\AppData\Local\Temp\82c028c4e064a9b11bd85444437b205b3205f58ac309bce42cf7e472c8c21d52.exe
"C:\Users\Admin\AppData\Local\Temp\82c028c4e064a9b11bd85444437b205b3205f58ac309bce42cf7e472c8c21d52.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Roaming\00A040\032CA8.exe
  "C:\Users\Admin\AppData\Roaming\00A040\032CA8.exe" -launcher
  2⤵
  - Executes dropped EXE
  PID:520
- C:\Users\Admin\AppData\Local\Temp\006D00
  "C:\Users\Admin\AppData\Local\Temp\006D00"
  2⤵
  - Executes dropped EXE
  PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\006D00

Filesize
664KB

MD5
3f2b2a833aa3461d83d1a5fb958e7ec2

SHA1
3486d8a229c1cfe387a1a2bac0881a4c4dca48ce

SHA256
23bf382662f8b7a695cb37084176423e96668917cd504568901ad0135f592631

SHA512
0cadca322a44149a7092a0e2cff796cdcf49b73c59381bb9169ff2c1ecc2b6a0b4ac9c1b881ab890c4aac0a582d42c332c9fafecaeb3304b38343a9378a35ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\006D00

Filesize
664KB

MD5
3f2b2a833aa3461d83d1a5fb958e7ec2

SHA1
3486d8a229c1cfe387a1a2bac0881a4c4dca48ce

SHA256
23bf382662f8b7a695cb37084176423e96668917cd504568901ad0135f592631

SHA512
0cadca322a44149a7092a0e2cff796cdcf49b73c59381bb9169ff2c1ecc2b6a0b4ac9c1b881ab890c4aac0a582d42c332c9fafecaeb3304b38343a9378a35ff0

Download Submit
C:\Users\Admin\AppData\Roaming\00A040\032CA8.exe

Filesize
148KB

MD5
8383276dade51daedd5785eb8146a0dd

SHA1
3e3655d0df17b418cbeabf1dc26a6ea40633b811

SHA256
882da8945e89b46e7abb151212216b785b5266a9c8fd6df023c6c55e6a2c9826

SHA512
bfc0bc22d33f5436e0c6d739c28eb6904a9ad6ae668250058903beb60cbf5cf17d674beaaa4df8b05d2aaa6d34579e4dfcdcef23c4be9461dbe60f9f3ec3cfd6

Download Submit
C:\Users\Admin\AppData\Roaming\00A040\032CA8.exe

Filesize
148KB

MD5
8383276dade51daedd5785eb8146a0dd

SHA1
3e3655d0df17b418cbeabf1dc26a6ea40633b811

SHA256
882da8945e89b46e7abb151212216b785b5266a9c8fd6df023c6c55e6a2c9826

SHA512
bfc0bc22d33f5436e0c6d739c28eb6904a9ad6ae668250058903beb60cbf5cf17d674beaaa4df8b05d2aaa6d34579e4dfcdcef23c4be9461dbe60f9f3ec3cfd6

Download Submit
\Users\Admin\AppData\Local\Temp\006D00

Filesize
664KB

MD5
3f2b2a833aa3461d83d1a5fb958e7ec2

SHA1
3486d8a229c1cfe387a1a2bac0881a4c4dca48ce

SHA256
23bf382662f8b7a695cb37084176423e96668917cd504568901ad0135f592631

SHA512
0cadca322a44149a7092a0e2cff796cdcf49b73c59381bb9169ff2c1ecc2b6a0b4ac9c1b881ab890c4aac0a582d42c332c9fafecaeb3304b38343a9378a35ff0

Download Submit
\Users\Admin\AppData\Roaming\00A040\032CA8.exe

Filesize
148KB

MD5
8383276dade51daedd5785eb8146a0dd

SHA1
3e3655d0df17b418cbeabf1dc26a6ea40633b811

SHA256
882da8945e89b46e7abb151212216b785b5266a9c8fd6df023c6c55e6a2c9826

SHA512
bfc0bc22d33f5436e0c6d739c28eb6904a9ad6ae668250058903beb60cbf5cf17d674beaaa4df8b05d2aaa6d34579e4dfcdcef23c4be9461dbe60f9f3ec3cfd6

Download Submit
\Users\Admin\AppData\Roaming\00A040\032CA8.exe

Filesize
148KB

MD5
8383276dade51daedd5785eb8146a0dd

SHA1
3e3655d0df17b418cbeabf1dc26a6ea40633b811

SHA256
882da8945e89b46e7abb151212216b785b5266a9c8fd6df023c6c55e6a2c9826

SHA512
bfc0bc22d33f5436e0c6d739c28eb6904a9ad6ae668250058903beb60cbf5cf17d674beaaa4df8b05d2aaa6d34579e4dfcdcef23c4be9461dbe60f9f3ec3cfd6

Download Submit
memory/520-63-0x0000000000300000-0x0000000000314000-memory.dmp

Filesize
80KB

Download
memory/520-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2036-57-0x0000000000270000-0x0000000000284000-memory.dmp

Filesize
80KB

Download
memory/2036-54-0x0000000000270000-0x0000000000284000-memory.dmp

Filesize
80KB

Download
memory/2036-56-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2036-55-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download
memory/2036-70-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing