a788146a745dc281807c2e13ec5100a75a035695f29735bab4b73b69c4e7beea

General

Target

a788146a745dc281807c2e13ec5100a75a035695f29735bab4b73b69c4e7beea.exe
Size

475KB
MD5

bcb9c7e3e5b15bb7336fd46871fb27fa
SHA1

8aa6967cae8d1f99141d5a4eb35e1ccead187ebb
SHA256

a788146a745dc281807c2e13ec5100a75a035695f29735bab4b73b69c4e7beea
SHA512

0e757cbde504470b24894f31e9c9b9a237adde9bd229a772a4daba78c02ce1fff58d42a4a2375df02acb6c8f52a668a1618351909e83eaf0b3b7b6048f8b0476
SSDEEP

12288:EHLUMuiv9RgfSjAzRtyOLqJs+T1em+Gpsg6jFPoG6Dh:etARGetGp9C9oGuh

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3676	1.exe
1788	2.exe
4740	1.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1436-132-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/1436-139-0x0000000000400000-0x00000000004B8000-memory.dmp	upx

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1436-132-0x0000000000400000-0x00000000004B8000-memory.dmp	autoit_exe
behavioral2/memory/1436-139-0x0000000000400000-0x00000000004B8000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3676 set thread context of 4740	3676	1.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4740	1.exe
4740	1.exe
4740	1.exe
4740	1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1788	2.exe
3676	1.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 3676	1436	a788146a745dc281807c2e13ec5100a75a035695f29735bab4b73b69c4e7beea.exe	80
PID 1436 wrote to memory of 3676	1436	a788146a745dc281807c2e13ec5100a75a035695f29735bab4b73b69c4e7beea.exe	80
PID 1436 wrote to memory of 3676	1436	a788146a745dc281807c2e13ec5100a75a035695f29735bab4b73b69c4e7beea.exe	80
PID 1436 wrote to memory of 1788	1436	a788146a745dc281807c2e13ec5100a75a035695f29735bab4b73b69c4e7beea.exe	81
PID 1436 wrote to memory of 1788	1436	a788146a745dc281807c2e13ec5100a75a035695f29735bab4b73b69c4e7beea.exe	81
PID 1436 wrote to memory of 1788	1436	a788146a745dc281807c2e13ec5100a75a035695f29735bab4b73b69c4e7beea.exe	81
PID 3676 wrote to memory of 4740	3676	1.exe	82
PID 3676 wrote to memory of 4740	3676	1.exe	82
PID 3676 wrote to memory of 4740	3676	1.exe	82
PID 3676 wrote to memory of 4740	3676	1.exe	82
PID 3676 wrote to memory of 4740	3676	1.exe	82
PID 3676 wrote to memory of 4740	3676	1.exe	82
PID 3676 wrote to memory of 4740	3676	1.exe	82
PID 4740 wrote to memory of 2132	4740	1.exe	54
PID 4740 wrote to memory of 2132	4740	1.exe	54
PID 4740 wrote to memory of 2132	4740	1.exe	54
PID 4740 wrote to memory of 2132	4740	1.exe	54

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2132
- C:\Users\Admin\AppData\Local\Temp\a788146a745dc281807c2e13ec5100a75a035695f29735bab4b73b69c4e7beea.exe
  "C:\Users\Admin\AppData\Local\Temp\a788146a745dc281807c2e13ec5100a75a035695f29735bab4b73b69c4e7beea.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    C:\Users\Admin\AppData\Local\Temp/1.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3676
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      C:\Users\Admin\AppData\Local\Temp\1.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4740
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    C:\Users\Admin\AppData\Local\Temp/2.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
188KB

MD5
fe5fd3aae117d7049d7f2daad7227d32

SHA1
ca2b7e25f1703454de6bcf9bb7cb194c592f52de

SHA256
aa21e47dee710f5d0af8e63ab606965d7e62d9181f684e84f6278246380ffa4c

SHA512
ab45d43702407eda7c8ceef4d0f73bba22d7db3c64838657ce5d083d200912239d8f020bd6ffc169eb9a731e464c83821db627136668a4cf7b54ef2c9f9c2761

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
188KB

MD5
fe5fd3aae117d7049d7f2daad7227d32

SHA1
ca2b7e25f1703454de6bcf9bb7cb194c592f52de

SHA256
aa21e47dee710f5d0af8e63ab606965d7e62d9181f684e84f6278246380ffa4c

SHA512
ab45d43702407eda7c8ceef4d0f73bba22d7db3c64838657ce5d083d200912239d8f020bd6ffc169eb9a731e464c83821db627136668a4cf7b54ef2c9f9c2761

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
188KB

MD5
fe5fd3aae117d7049d7f2daad7227d32

SHA1
ca2b7e25f1703454de6bcf9bb7cb194c592f52de

SHA256
aa21e47dee710f5d0af8e63ab606965d7e62d9181f684e84f6278246380ffa4c

SHA512
ab45d43702407eda7c8ceef4d0f73bba22d7db3c64838657ce5d083d200912239d8f020bd6ffc169eb9a731e464c83821db627136668a4cf7b54ef2c9f9c2761

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
16KB

MD5
b891ac4ae5ca629e498241d512710d27

SHA1
03882df23f76cba98170ea433aca8870abd5cf2a

SHA256
d83d88f724043721d6c1c0fd92e7c221a55463b2d9aecd979cd020848eadabf8

SHA512
a1fd1d3de3fc9e31f9b588aba5c76504b8f56fcbb2783e367004598575755e96d87e56d8a96ca07a0e2990c51e8ea34c094cdbeb91de0af396db6fcb2a466ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
16KB

MD5
b891ac4ae5ca629e498241d512710d27

SHA1
03882df23f76cba98170ea433aca8870abd5cf2a

SHA256
d83d88f724043721d6c1c0fd92e7c221a55463b2d9aecd979cd020848eadabf8

SHA512
a1fd1d3de3fc9e31f9b588aba5c76504b8f56fcbb2783e367004598575755e96d87e56d8a96ca07a0e2990c51e8ea34c094cdbeb91de0af396db6fcb2a466ec5

Download Submit
memory/1436-139-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1436-132-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1788-136-0x0000000000000000-mapping.dmp

Download
memory/2132-153-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3676-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3676-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3676-150-0x0000000000780000-0x0000000000784000-memory.dmp

Filesize
16KB

Download
memory/3676-151-0x0000000002060000-0x0000000002099000-memory.dmp

Filesize
228KB

Download
memory/3676-133-0x0000000000000000-mapping.dmp

Download
memory/4740-146-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4740-145-0x0000000000000000-mapping.dmp

Download
memory/4740-152-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/4740-154-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing