304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5

General

Target

304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe
Size

184KB
MD5

4d36e000b64bf076db39a16e2ed6fcdf
SHA1

325887bf4aa370235e6e2ae34faddf56d6143643
SHA256

304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5
SHA512

205cd35991fc2535ddf618c80ab30abaf1bde509007480ecd77cee5eb941e624ba6b92d5e67fe8e40962d4635181e692cb4f0edcc31c3f2bfa06f7e120209795
SSDEEP

3072:9ydJq5oyVzs+h0JI5J0SpUldLS3lgGBd/AkKHBRQ/rPOy9xnnHsGvPwsAvWDA:4W2+tUnoC2/ALhyzpsGvPw6k

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1144	OFFICE~1.EXE

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000015c60-54.dat	upx
behavioral1/files/0x0006000000015c60-56.dat	upx
behavioral1/files/0x0006000000015c60-58.dat	upx
behavioral1/files/0x0006000000015c60-59.dat	upx
behavioral1/files/0x0006000000015c60-60.dat	upx
behavioral1/files/0x0006000000015c60-61.dat	upx
behavioral1/memory/1144-63-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1144-71-0x0000000000400000-0x0000000000425000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
304	304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe
1144	OFFICE~1.EXE
1144	OFFICE~1.EXE
1144	OFFICE~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	1452	reg.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 304 wrote to memory of 1144	304	304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe	27
PID 304 wrote to memory of 1144	304	304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe	27
PID 304 wrote to memory of 1144	304	304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe	27
PID 304 wrote to memory of 1144	304	304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe	27
PID 304 wrote to memory of 1144	304	304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe	27
PID 304 wrote to memory of 1144	304	304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe	27
PID 304 wrote to memory of 1144	304	304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe	27
PID 1144 wrote to memory of 2040	1144	OFFICE~1.EXE	28
PID 1144 wrote to memory of 2040	1144	OFFICE~1.EXE	28
PID 1144 wrote to memory of 2040	1144	OFFICE~1.EXE	28
PID 1144 wrote to memory of 2040	1144	OFFICE~1.EXE	28
PID 1144 wrote to memory of 2040	1144	OFFICE~1.EXE	28
PID 1144 wrote to memory of 2040	1144	OFFICE~1.EXE	28
PID 1144 wrote to memory of 2040	1144	OFFICE~1.EXE	28
PID 2040 wrote to memory of 1452	2040	cmd.exe	30
PID 2040 wrote to memory of 1452	2040	cmd.exe	30
PID 2040 wrote to memory of 1452	2040	cmd.exe	30
PID 2040 wrote to memory of 1452	2040	cmd.exe	30
PID 2040 wrote to memory of 1452	2040	cmd.exe	30
PID 2040 wrote to memory of 1452	2040	cmd.exe	30
PID 2040 wrote to memory of 1452	2040	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe
"C:\Users\Admin\AppData\Local\Temp\304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:304
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OFFICE~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OFFICE~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\SaveOffice.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\SysWOW64\reg.exe
      reg save HKLM\SOFTWARE c:\OfficeRegBak.hiv
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OFFICE~1.EXE

Filesize
86KB

MD5
216ecd0bfdbc552f593f05b9ebe5dbfa

SHA1
fe6bb61411801f1a62e133d994455083c5b99820

SHA256
96ad52c7bd0add41eef200fbb913d9f79af79357fe6d30214bb1b74a37c8a49b

SHA512
da6f0b775c54358f79b5c13f2faf0211841dce41b80c5eacee7402c3af87d60fea6dd79f404947210fd4ab55b0af4baad731397e9f9d45a4e8c0ea07028358bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OFFICE~1.EXE

Filesize
86KB

MD5
216ecd0bfdbc552f593f05b9ebe5dbfa

SHA1
fe6bb61411801f1a62e133d994455083c5b99820

SHA256
96ad52c7bd0add41eef200fbb913d9f79af79357fe6d30214bb1b74a37c8a49b

SHA512
da6f0b775c54358f79b5c13f2faf0211841dce41b80c5eacee7402c3af87d60fea6dd79f404947210fd4ab55b0af4baad731397e9f9d45a4e8c0ea07028358bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SaveOffice.cmd

Filesize
981B

MD5
b8f78830dd1782e12b8807aea7384ac2

SHA1
bee8e85498a0e0add628bda558dfe652554e0ec4

SHA256
c374fabdfe02c9434af163e230d88c34387a461efb6fe251f602a45766dfba35

SHA512
3799f6d162bdfc01bad49b22490387c8c71c36bf163bca22748b47e5a48c7b9e4b46c40f94246b08368a972e0ade4c6af0b59a681aeb3f77640fdc7e1d01f4fa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\OFFICE~1.EXE

Filesize
86KB

MD5
216ecd0bfdbc552f593f05b9ebe5dbfa

SHA1
fe6bb61411801f1a62e133d994455083c5b99820

SHA256
96ad52c7bd0add41eef200fbb913d9f79af79357fe6d30214bb1b74a37c8a49b

SHA512
da6f0b775c54358f79b5c13f2faf0211841dce41b80c5eacee7402c3af87d60fea6dd79f404947210fd4ab55b0af4baad731397e9f9d45a4e8c0ea07028358bb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\OFFICE~1.EXE

Filesize
86KB

MD5
216ecd0bfdbc552f593f05b9ebe5dbfa

SHA1
fe6bb61411801f1a62e133d994455083c5b99820

SHA256
96ad52c7bd0add41eef200fbb913d9f79af79357fe6d30214bb1b74a37c8a49b

SHA512
da6f0b775c54358f79b5c13f2faf0211841dce41b80c5eacee7402c3af87d60fea6dd79f404947210fd4ab55b0af4baad731397e9f9d45a4e8c0ea07028358bb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\OFFICE~1.EXE

Filesize
86KB

MD5
216ecd0bfdbc552f593f05b9ebe5dbfa

SHA1
fe6bb61411801f1a62e133d994455083c5b99820

SHA256
96ad52c7bd0add41eef200fbb913d9f79af79357fe6d30214bb1b74a37c8a49b

SHA512
da6f0b775c54358f79b5c13f2faf0211841dce41b80c5eacee7402c3af87d60fea6dd79f404947210fd4ab55b0af4baad731397e9f9d45a4e8c0ea07028358bb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\OFFICE~1.EXE

Filesize
86KB

MD5
216ecd0bfdbc552f593f05b9ebe5dbfa

SHA1
fe6bb61411801f1a62e133d994455083c5b99820

SHA256
96ad52c7bd0add41eef200fbb913d9f79af79357fe6d30214bb1b74a37c8a49b

SHA512
da6f0b775c54358f79b5c13f2faf0211841dce41b80c5eacee7402c3af87d60fea6dd79f404947210fd4ab55b0af4baad731397e9f9d45a4e8c0ea07028358bb

Download Submit
memory/304-62-0x0000000000160000-0x0000000000185000-memory.dmp

Filesize
148KB

Download
memory/304-70-0x0000000000160000-0x0000000000185000-memory.dmp

Filesize
148KB

Download
memory/1144-57-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1144-63-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1144-64-0x00000000001D0000-0x00000000001F5000-memory.dmp

Filesize
148KB

Download
memory/1144-71-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing