4f71ff3c31b0c71ed13c7c7e44a325856f60cb9a4f128e91f162b15545a1b095

General

Target

4f71ff3c31b0c71ed13c7c7e44a325856f60cb9a4f128e91f162b15545a1b095.exe
Size

367KB
MD5

11d7d9c2e707a037548289460f3bd190
SHA1

3cc5abc0848570d4b32143deee6a10619c3013e3
SHA256

4f71ff3c31b0c71ed13c7c7e44a325856f60cb9a4f128e91f162b15545a1b095
SHA512

ed081e4d21d7c9de03c05acfb90ee444623a1ec25c0a20f60348e4ec695e97efd4a07015925164808ffb7ba92f92beaddd5401c00ad21da9fd2f4a9f16b533bd
SSDEEP

6144:ewIfZhMW0plCSbCRYGIqnTW3JvPM5GYQwQjYZ3Z4ge1Y2MdHAtInkmZp1QORLUAF:kfZSnCIqnToFPM5T7ZJvi4dHAqnrp1QS

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1500	008738.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1672-56-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/1500-64-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral1/memory/1672-70-0x0000000000400000-0x0000000000440000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1672	4f71ff3c31b0c71ed13c7c7e44a325856f60cb9a4f128e91f162b15545a1b095.exe
1672	4f71ff3c31b0c71ed13c7c7e44a325856f60cb9a4f128e91f162b15545a1b095.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1788	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1788	EXCEL.EXE
1788	EXCEL.EXE
1788	EXCEL.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1500	1672	4f71ff3c31b0c71ed13c7c7e44a325856f60cb9a4f128e91f162b15545a1b095.exe	27
PID 1672 wrote to memory of 1500	1672	4f71ff3c31b0c71ed13c7c7e44a325856f60cb9a4f128e91f162b15545a1b095.exe	27
PID 1672 wrote to memory of 1500	1672	4f71ff3c31b0c71ed13c7c7e44a325856f60cb9a4f128e91f162b15545a1b095.exe	27
PID 1672 wrote to memory of 1500	1672	4f71ff3c31b0c71ed13c7c7e44a325856f60cb9a4f128e91f162b15545a1b095.exe	27
PID 1672 wrote to memory of 1788	1672	4f71ff3c31b0c71ed13c7c7e44a325856f60cb9a4f128e91f162b15545a1b095.exe	28
PID 1672 wrote to memory of 1788	1672	4f71ff3c31b0c71ed13c7c7e44a325856f60cb9a4f128e91f162b15545a1b095.exe	28
PID 1672 wrote to memory of 1788	1672	4f71ff3c31b0c71ed13c7c7e44a325856f60cb9a4f128e91f162b15545a1b095.exe	28
PID 1672 wrote to memory of 1788	1672	4f71ff3c31b0c71ed13c7c7e44a325856f60cb9a4f128e91f162b15545a1b095.exe	28
PID 1672 wrote to memory of 1788	1672	4f71ff3c31b0c71ed13c7c7e44a325856f60cb9a4f128e91f162b15545a1b095.exe	28
PID 1672 wrote to memory of 1788	1672	4f71ff3c31b0c71ed13c7c7e44a325856f60cb9a4f128e91f162b15545a1b095.exe	28
PID 1672 wrote to memory of 1788	1672	4f71ff3c31b0c71ed13c7c7e44a325856f60cb9a4f128e91f162b15545a1b095.exe	28
PID 1672 wrote to memory of 1788	1672	4f71ff3c31b0c71ed13c7c7e44a325856f60cb9a4f128e91f162b15545a1b095.exe	28
PID 1672 wrote to memory of 1788	1672	4f71ff3c31b0c71ed13c7c7e44a325856f60cb9a4f128e91f162b15545a1b095.exe	28

C:\Users\Admin\AppData\Local\Temp\4f71ff3c31b0c71ed13c7c7e44a325856f60cb9a4f128e91f162b15545a1b095.exe
"C:\Users\Admin\AppData\Local\Temp\4f71ff3c31b0c71ed13c7c7e44a325856f60cb9a4f128e91f162b15545a1b095.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Roaming\037978\008738.exe
  "C:\Users\Admin\AppData\Roaming\037978\008738.exe" -launcher
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
  2⤵
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\037978\008738.exe

Filesize
148KB

MD5
8383276dade51daedd5785eb8146a0dd

SHA1
3e3655d0df17b418cbeabf1dc26a6ea40633b811

SHA256
882da8945e89b46e7abb151212216b785b5266a9c8fd6df023c6c55e6a2c9826

SHA512
bfc0bc22d33f5436e0c6d739c28eb6904a9ad6ae668250058903beb60cbf5cf17d674beaaa4df8b05d2aaa6d34579e4dfcdcef23c4be9461dbe60f9f3ec3cfd6

Download Submit
C:\Users\Admin\AppData\Roaming\037978\008738.exe

Filesize
148KB

MD5
8383276dade51daedd5785eb8146a0dd

SHA1
3e3655d0df17b418cbeabf1dc26a6ea40633b811

SHA256
882da8945e89b46e7abb151212216b785b5266a9c8fd6df023c6c55e6a2c9826

SHA512
bfc0bc22d33f5436e0c6d739c28eb6904a9ad6ae668250058903beb60cbf5cf17d674beaaa4df8b05d2aaa6d34579e4dfcdcef23c4be9461dbe60f9f3ec3cfd6

Download Submit
\Users\Admin\AppData\Roaming\037978\008738.exe

Filesize
148KB

MD5
8383276dade51daedd5785eb8146a0dd

SHA1
3e3655d0df17b418cbeabf1dc26a6ea40633b811

SHA256
882da8945e89b46e7abb151212216b785b5266a9c8fd6df023c6c55e6a2c9826

SHA512
bfc0bc22d33f5436e0c6d739c28eb6904a9ad6ae668250058903beb60cbf5cf17d674beaaa4df8b05d2aaa6d34579e4dfcdcef23c4be9461dbe60f9f3ec3cfd6

Download Submit
\Users\Admin\AppData\Roaming\037978\008738.exe

Filesize
148KB

MD5
8383276dade51daedd5785eb8146a0dd

SHA1
3e3655d0df17b418cbeabf1dc26a6ea40633b811

SHA256
882da8945e89b46e7abb151212216b785b5266a9c8fd6df023c6c55e6a2c9826

SHA512
bfc0bc22d33f5436e0c6d739c28eb6904a9ad6ae668250058903beb60cbf5cf17d674beaaa4df8b05d2aaa6d34579e4dfcdcef23c4be9461dbe60f9f3ec3cfd6

Download Submit
memory/1500-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1500-63-0x00000000005D0000-0x00000000005E4000-memory.dmp

Filesize
80KB

Download
memory/1500-61-0x00000000005D0000-0x00000000005E4000-memory.dmp

Filesize
80KB

Download
memory/1672-70-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1672-55-0x0000000000270000-0x0000000000284000-memory.dmp

Filesize
80KB

Download
memory/1788-66-0x000000002FF91000-0x000000002FF94000-memory.dmp

Filesize
12KB

Download
memory/1788-67-0x00000000712F1000-0x00000000712F3000-memory.dmp

Filesize
8KB

Download
memory/1788-68-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1788-69-0x00000000722DD000-0x00000000722E8000-memory.dmp

Filesize
44KB

Download
memory/1788-71-0x00000000722DD000-0x00000000722E8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing