a0efdf2b522bedd7b7fa90d2687bf7751e7f219c641cc50b9d019cf307d462ce

General

Target

a0efdf2b522bedd7b7fa90d2687bf7751e7f219c641cc50b9d019cf307d462ce.exe
Size

31KB
MD5

506b10c6661320e2de45dd7bf75dee76
SHA1

29079468b60e9e837b6aa503a90819a488e05e83
SHA256

a0efdf2b522bedd7b7fa90d2687bf7751e7f219c641cc50b9d019cf307d462ce
SHA512

bb1776758240f59ad9696b35b978909074e4b9230f6b3d87b241bef0d7a3d3e24bb71b17fc98dfbbd22ef0b149d27d47bc003d68b0cae40784fff28181aec9f9
SSDEEP

768:Bko2dpRW+KGM991JNXQNT7Oi9BJy2x4JvTG0t0LPzxZa:BkVR7+NAQIBJy2wvTQLLTa

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2960	7newbala.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1776-132-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1776-136-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000600000002314a-140.dat	upx
behavioral2/files/0x000600000002314a-141.dat	upx
behavioral2/memory/2960-145-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\21.25186.bat	a0efdf2b522bedd7b7fa90d2687bf7751e7f219c641cc50b9d019cf307d462ce.exe
File created	C:\Windows\SysWOW64\7newbala.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\7newbala.exe	cmd.exe
File created	C:\Windows\SysWOW64\662.7924.bat	7newbala.exe
File opened for modification	C:\Windows\SysWOW64\7newbala.exe	cmd.exe
File created	C:\Windows\SysWOW64\7newbala.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3200	PING.EXE
4292	PING.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1776	a0efdf2b522bedd7b7fa90d2687bf7751e7f219c641cc50b9d019cf307d462ce.exe
2960	7newbala.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 4600	1776	a0efdf2b522bedd7b7fa90d2687bf7751e7f219c641cc50b9d019cf307d462ce.exe	80
PID 1776 wrote to memory of 4600	1776	a0efdf2b522bedd7b7fa90d2687bf7751e7f219c641cc50b9d019cf307d462ce.exe	80
PID 1776 wrote to memory of 4600	1776	a0efdf2b522bedd7b7fa90d2687bf7751e7f219c641cc50b9d019cf307d462ce.exe	80
PID 4600 wrote to memory of 4292	4600	cmd.exe	82
PID 4600 wrote to memory of 4292	4600	cmd.exe	82
PID 4600 wrote to memory of 4292	4600	cmd.exe	82
PID 4600 wrote to memory of 2960	4600	cmd.exe	85
PID 4600 wrote to memory of 2960	4600	cmd.exe	85
PID 4600 wrote to memory of 2960	4600	cmd.exe	85
PID 2960 wrote to memory of 2464	2960	7newbala.exe	86
PID 2960 wrote to memory of 2464	2960	7newbala.exe	86
PID 2960 wrote to memory of 2464	2960	7newbala.exe	86
PID 2464 wrote to memory of 3200	2464	cmd.exe	88
PID 2464 wrote to memory of 3200	2464	cmd.exe	88
PID 2464 wrote to memory of 3200	2464	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\a0efdf2b522bedd7b7fa90d2687bf7751e7f219c641cc50b9d019cf307d462ce.exe
"C:\Users\Admin\AppData\Local\Temp\a0efdf2b522bedd7b7fa90d2687bf7751e7f219c641cc50b9d019cf307d462ce.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\21.25186.bat
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1
    3⤵
    - Runs ping.exe
    PID:4292
- - C:\Windows\SysWOW64\7newbala.exe
    "C:\Windows\system32\7newbala.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\system32\662.7924.bat
      4⤵
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        5⤵
        Runs ping.exe
        
        PID:3200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\21.25186.bat

Filesize
327B

MD5
a9ed89e2ed4426fce268e9de3f9edc24

SHA1
24fa7ea2d1d13fef0d1f67cc0366af5628ccec22

SHA256
02f78fba52118d569b2d5cfd9c8d4ef8dcd32b6b82f1b5c8631f66feea4507bd

SHA512
e7da28b6e6c4ee93aad59977cd00e32d7df4d2a51fbba92eea7b46e783c06f17247dba1d025b1eefd16cd17a9b61f05e77ee5ab04b3eba875bd8705402f43088

Download Submit
C:\Windows\SysWOW64\662.7924.bat

Filesize
187B

MD5
2bc7e25bb15cfb064aea202681fc7292

SHA1
ba83d866425559e2d03fb7d09b3e510ff8808996

SHA256
d539ee6cd0d7bf5c70c5355fcc1be7bfec5f281a50827349ecc3ad084dcabc07

SHA512
d587cf3b0c716956682428e020f97f42fbf7384e2a09a5c5aab81972571dcacd98e301da26a2e4061ea837e5d6f605aa6ddf6a53f3f79d1bd12d9a769ae1c30c

Download Submit
C:\Windows\SysWOW64\7newbala.exe

Filesize
31KB

MD5
506b10c6661320e2de45dd7bf75dee76

SHA1
29079468b60e9e837b6aa503a90819a488e05e83

SHA256
a0efdf2b522bedd7b7fa90d2687bf7751e7f219c641cc50b9d019cf307d462ce

SHA512
bb1776758240f59ad9696b35b978909074e4b9230f6b3d87b241bef0d7a3d3e24bb71b17fc98dfbbd22ef0b149d27d47bc003d68b0cae40784fff28181aec9f9

Download Submit
C:\Windows\SysWOW64\7newbala.exe

Filesize
31KB

MD5
506b10c6661320e2de45dd7bf75dee76

SHA1
29079468b60e9e837b6aa503a90819a488e05e83

SHA256
a0efdf2b522bedd7b7fa90d2687bf7751e7f219c641cc50b9d019cf307d462ce

SHA512
bb1776758240f59ad9696b35b978909074e4b9230f6b3d87b241bef0d7a3d3e24bb71b17fc98dfbbd22ef0b149d27d47bc003d68b0cae40784fff28181aec9f9

Download Submit
memory/1776-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1776-136-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2960-145-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing