b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256

General

Target

b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe
Size

828KB
MD5

aaf1056265e415fdb0e2675044f0c689
SHA1

3c955a7bcc7b3de726cfa27418993c6a8bed9d3c
SHA256

b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256
SHA512

e32ce8d300e0b8d3b41445c81bbacfec1a9fd76664ab5c7de206619d6a1b242c0f63cbb90d21cb047aa3820855447f180bad1485eb8d35ae761e4ae81d4691d8
SSDEEP

12288:YxfTFVrHJzInf20O3eGAf/7yNwQ0NN13nb8mjEJW++GN8tm43E56TU:AbtInfztfT8IP3nb8HW++6Qm4UL

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
480	iexplorer.exe
3028	iexplorer.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/640-136-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/memory/3816-137-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/memory/3816-143-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/memory/3816-146-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/memory/3816-145-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/files/0x0001000000022dec-148.dat	upx
behavioral2/memory/3816-153-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/files/0x0001000000022dec-155.dat	upx
behavioral2/memory/3028-157-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/memory/480-158-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/memory/640-151-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/files/0x0001000000022dec-149.dat	upx
behavioral2/memory/3028-164-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/memory/3028-165-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/memory/3028-166-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/memory/3028-170-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/memory/480-169-0x0000000000400000-0x000000000051D000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iexplorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	iexplorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\iexplorer.exe	b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe
File opened for modification	\??\c:\windows\SysWOW64\m2syadll.dll	iexplorer.exe
File created	\??\c:\windows\SysWOW64\iexplorer.exe	iexplorer.exe
File created	\??\c:\windows\SysWOW64\m2syadll.dll	b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe
File created	\??\c:\windows\SysWOW64\iexplorer.exe	b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 21 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF7E0BD-0CF7-E0BD-0CF7-E0BD0CF7E0BD}\ = "StdOleLink"	b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF7E0BD-0CF7-E0BD-0CF7-E0BD0CF7E0BD}\InprocServer32\ = "combase.dll"	b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF7E0BD-0CF7-E0BD-0CF7-E0BD0CF7E0BD}	iexplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF7E0BD-0CF7-E0BD-0CF7-E0BD0CF7E0BD}\eohzIOtR\ = "^\\W\|}ksNme]nzly^TtGV\|wCSJmgClkk"	iexplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF7E0BD-0CF7-E0BD-0CF7-E0BD0CF7E0BD}\tjshvmWIAe\ = "Ai\\tYq^nH{{zgQBDWu_"	iexplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF7E0BD-0CF7-E0BD-0CF7-E0BD0CF7E0BD}	b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF7E0BD-0CF7-E0BD-0CF7-E0BD0CF7E0BD}\copgqo\ = "PoKtkuITcciV{aoINYLZA{JPc}gXtwlq"	iexplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF7E0BD-0CF7-E0BD-0CF7-E0BD0CF7E0BD}\szfrxyb	iexplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF7E0BD-0CF7-E0BD-0CF7-E0BD0CF7E0BD}\szfrxyb\ = "BrY[DQimTu\\QUWX[}"	iexplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF7E0BD-0CF7-E0BD-0CF7-E0BD0CF7E0BD}\aFMLDTir\ = "mTK_W\x7fXyumU\x7fnhWC"	iexplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF7E0BD-0CF7-E0BD-0CF7-E0BD0CF7E0BD}\copgqo\ = "PoKthuITcciVxaoINYLZA{JPc}gXtwlq"	iexplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF7E0BD-0CF7-E0BD-0CF7-E0BD0CF7E0BD}\clfYhidZG	iexplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF7E0BD-0CF7-E0BD-0CF7-E0BD0CF7E0BD}\clfYhidZG\ = "ft~c\x7fKRqLL`F\\rw\|KZ]XOC`"	iexplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF7E0BD-0CF7-E0BD-0CF7-E0BD0CF7E0BD}\eohzIOtR	iexplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF7E0BD-0CF7-E0BD-0CF7-E0BD0CF7E0BD}\tjshvmWIAe	iexplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF7E0BD-0CF7-E0BD-0CF7-E0BD0CF7E0BD}\aFMLDTir	iexplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF7E0BD-0CF7-E0BD-0CF7-E0BD0CF7E0BD}\copgqo	iexplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF7E0BD-0CF7-E0BD-0CF7-E0BD0CF7E0BD}\WnzNbLgckXn	iexplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF7E0BD-0CF7-E0BD-0CF7-E0BD0CF7E0BD}\WnzNbLgckXn\ = "O]g}YpJWDd\x7fDcyLE[IqP"	iexplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF7E0BD-0CF7-E0BD-0CF7-E0BD0CF7E0BD}\WnzNbLgckXn\ = "O]g}YpJWHd\x7fDcyfTCD@P"	iexplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF7E0BD-0CF7-E0BD-0CF7-E0BD0CF7E0BD}\InprocServer32	b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3816	b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe
3816	b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe
3028	iexplorer.exe
3028	iexplorer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	3816	b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe
Token: SeIncBasePriorityPrivilege	3816	b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe
Token: 33	3816	b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe
Token: SeIncBasePriorityPrivilege	3816	b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe
Token: 33	3028	iexplorer.exe
Token: SeIncBasePriorityPrivilege	3028	iexplorer.exe
Token: 33	3028	iexplorer.exe
Token: SeIncBasePriorityPrivilege	3028	iexplorer.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 3816	640	b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe	27
PID 640 wrote to memory of 3816	640	b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe	27
PID 640 wrote to memory of 3816	640	b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe	27
PID 640 wrote to memory of 3816	640	b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe	27
PID 640 wrote to memory of 3816	640	b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe	27
PID 3816 wrote to memory of 480	3816	b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe	67
PID 3816 wrote to memory of 480	3816	b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe	67
PID 3816 wrote to memory of 480	3816	b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe	67
PID 480 wrote to memory of 3028	480	iexplorer.exe	66
PID 480 wrote to memory of 3028	480	iexplorer.exe	66
PID 480 wrote to memory of 3028	480	iexplorer.exe	66
PID 480 wrote to memory of 3028	480	iexplorer.exe	66
PID 480 wrote to memory of 3028	480	iexplorer.exe	66

C:\Users\Admin\AppData\Local\Temp\b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe
"C:\Users\Admin\AppData\Local\Temp\b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Local\Temp\b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe
  "C:\Users\Admin\AppData\Local\Temp\b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256.exe"
  2⤵
  - Checks BIOS information in registry
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3816
- - C:\windows\SysWOW64\iexplorer.exe
    "C:\windows\system32\iexplorer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:480

C:\windows\SysWOW64\iexplorer.exe
"C:\windows\system32\iexplorer.exe"
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\firstrunmagic.txt

Filesize
275B

MD5
0ac54d68398898f69553ccaa548f8113

SHA1
49921557b5a0dc2b271dd7aa94d8934d6f7cec0b

SHA256
aa31f403dc897c55d3335af3eaa331d981c9d38a3d96f3a19a3dbe8205c5b791

SHA512
b491ae1a123acae476f8f6dde2a5043a8ced2d109b24a9f1672487ae6123a76c8845101e04f8e684848c4b18dbf97a900482a3a2d0df32f811a519e291132eb6

Download Submit
C:\Windows\SysWOW64\iexplorer.exe

Filesize
828KB

MD5
aaf1056265e415fdb0e2675044f0c689

SHA1
3c955a7bcc7b3de726cfa27418993c6a8bed9d3c

SHA256
b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256

SHA512
e32ce8d300e0b8d3b41445c81bbacfec1a9fd76664ab5c7de206619d6a1b242c0f63cbb90d21cb047aa3820855447f180bad1485eb8d35ae761e4ae81d4691d8

Download Submit
C:\Windows\SysWOW64\iexplorer.exe

Filesize
828KB

MD5
aaf1056265e415fdb0e2675044f0c689

SHA1
3c955a7bcc7b3de726cfa27418993c6a8bed9d3c

SHA256
b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256

SHA512
e32ce8d300e0b8d3b41445c81bbacfec1a9fd76664ab5c7de206619d6a1b242c0f63cbb90d21cb047aa3820855447f180bad1485eb8d35ae761e4ae81d4691d8

Download Submit
C:\windows\SysWOW64\iexplorer.exe

Filesize
828KB

MD5
aaf1056265e415fdb0e2675044f0c689

SHA1
3c955a7bcc7b3de726cfa27418993c6a8bed9d3c

SHA256
b82992dec3633909e5250dbce207d5b62f3fb1b79323d6ba019f75f8c7b9d256

SHA512
e32ce8d300e0b8d3b41445c81bbacfec1a9fd76664ab5c7de206619d6a1b242c0f63cbb90d21cb047aa3820855447f180bad1485eb8d35ae761e4ae81d4691d8

Download Submit
\??\c:\windows\SysWOW64\m2syadll.dll

Filesize
312KB

MD5
962103d6cb5ddb22134d7b69de0a9a63

SHA1
99477197012958be4d775118b8f2abdcbd855cc5

SHA256
9c6acbb07bf39adb69eef5a08c4c7b49709e6d50e3c66d92b800eb76e9196a33

SHA512
a9f5d9801518665d43ef990e113ca409ac03d69e4ac16a74cd6d0228dea928e3b70659a0c193ce1b0aebf8c154900182b09b8f33603b4694c0c9757a04da07e3

Download Submit
memory/480-169-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/480-158-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/640-151-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/640-136-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3028-171-0x0000000000521000-0x0000000000556000-memory.dmp

Filesize
212KB

Download
memory/3028-170-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3028-166-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3028-164-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3028-157-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3028-165-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3028-159-0x0000000000520000-0x0000000000584000-memory.dmp

Filesize
400KB

Download
memory/3816-145-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3816-154-0x00000000007C1000-0x00000000007F6000-memory.dmp

Filesize
212KB

Download
memory/3816-153-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3816-144-0x00000000007C1000-0x00000000007F6000-memory.dmp

Filesize
212KB

Download
memory/3816-146-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3816-143-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3816-138-0x00000000007C0000-0x0000000000824000-memory.dmp

Filesize
400KB

Download
memory/3816-137-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads