a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a

General

Target

a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a.exe
Size

17KB
MD5

682322be78c09391a2498fff0b68b26e
SHA1

fdfcd40ad53875b872ee0d184b10a7b4028d877d
SHA256

a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a
SHA512

f746be52f5ea5b1ac7e8a12e710911922b5bab142c6c5fe1ded61d6aba563c2a36c59b976285b9a3f4e791111e15569d7d0970d63b4458adcaa7bb87889f12a2
SSDEEP

384:c2CXSCCyEl3w5E3sxJg9OVkMlOpnAQxmatqGfry6LUq:Nysw5E32cOVkMl+AQxzq0ry0

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1832-56-0x0000000000400000-0x0000000000411000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1748	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
848	rundll32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sys.tmp	rundll32.exe
File opened for modification	C:\Windows\sys.tmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "regedit.exe /s \"%1\""	rundll32.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1932	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
848	rundll32.exe
848	rundll32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 1136	1832	a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a.exe	27
PID 1832 wrote to memory of 1136	1832	a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a.exe	27
PID 1832 wrote to memory of 1136	1832	a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a.exe	27
PID 1832 wrote to memory of 1136	1832	a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a.exe	27
PID 1832 wrote to memory of 1748	1832	a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a.exe	29
PID 1832 wrote to memory of 1748	1832	a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a.exe	29
PID 1832 wrote to memory of 1748	1832	a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a.exe	29
PID 1832 wrote to memory of 1748	1832	a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a.exe	29
PID 1136 wrote to memory of 848	1136	cmd.exe	31
PID 1136 wrote to memory of 848	1136	cmd.exe	31
PID 1136 wrote to memory of 848	1136	cmd.exe	31
PID 1136 wrote to memory of 848	1136	cmd.exe	31
PID 1136 wrote to memory of 848	1136	cmd.exe	31
PID 1136 wrote to memory of 848	1136	cmd.exe	31
PID 1136 wrote to memory of 848	1136	cmd.exe	31
PID 848 wrote to memory of 2004	848	rundll32.exe	33
PID 848 wrote to memory of 2004	848	rundll32.exe	33
PID 848 wrote to memory of 2004	848	rundll32.exe	33
PID 848 wrote to memory of 2004	848	rundll32.exe	33
PID 2004 wrote to memory of 1932	2004	cmd.exe	34
PID 2004 wrote to memory of 1932	2004	cmd.exe	34
PID 2004 wrote to memory of 1932	2004	cmd.exe	34
PID 2004 wrote to memory of 1932	2004	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a.exe
"C:\Users\Admin\AppData\Local\Temp\a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\zt2.tmp1 St C:\Users\Admin\AppData\Local\Temp\a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\zt2.tmp1 St C:\Users\Admin\AppData\Local\Temp\a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a.exe
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\a.reg
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Windows\SysWOW64\regedit.exe
        
        "regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\a.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\del.bat
  2⤵
  - Deletes itself
  PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.reg

Filesize
152B

MD5
b100f5324ef74ded0b998e64d07a2e19

SHA1
40b0d7f51bf2dd8451f1b723d21355c471a5fa46

SHA256
3db613d24a75ae220891698c055e1c580a42e58564f568a0510db87581cc2042

SHA512
c12391bb37c334074f7d7e1257b6364fd5cbce848e0a8fe15b8326f54fd9568fe3baec58618c4334027a774a06a08ec249cb71db925c1f85feee6a3d3a816c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.bat

Filesize
400B

MD5
990c5a4e5c0d1661df2a1b0d48e605ba

SHA1
ce4488ca3f405a1bb2011fd88ce03ac2cbca0ca9

SHA256
ac6e2468883791fd0d514efd912169089db872e38d66d96a5321a3ebe6d9ee01

SHA512
0d0fc16eb0cc9e1afa05ec1183a25ff408716ee99a240d7dd994de50339847ccf4ea6caf8d06c2353747ddd5ddd5c32cb3ca1cbdd36b86b22adf5079d5ea0321

Download Submit
C:\Users\Admin\AppData\Local\Temp\zt2.tmp

Filesize
36KB

MD5
b67510f5bd4bdbf04f393fd330f1b7d7

SHA1
62a96cb022bc96194328889f59d0d41e7a4f2e20

SHA256
b816e930e2a3654a83a47714f60645f869fe10467b6014af1151a5567551afc5

SHA512
3bd8a6c8268ba1c681dd5b7414f0d11069ace54240f7ac6c2e3a574de779b5e0f734545f1f5635408ea23dcb148f861038372d36dfa967f29ea3f965ec2f450f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zt2.tmp1

Filesize
36KB

MD5
b67510f5bd4bdbf04f393fd330f1b7d7

SHA1
62a96cb022bc96194328889f59d0d41e7a4f2e20

SHA256
b816e930e2a3654a83a47714f60645f869fe10467b6014af1151a5567551afc5

SHA512
3bd8a6c8268ba1c681dd5b7414f0d11069ace54240f7ac6c2e3a574de779b5e0f734545f1f5635408ea23dcb148f861038372d36dfa967f29ea3f965ec2f450f

Download Submit
\Users\Admin\AppData\Local\Temp\zt2.tmp1

Filesize
36KB

MD5
b67510f5bd4bdbf04f393fd330f1b7d7

SHA1
62a96cb022bc96194328889f59d0d41e7a4f2e20

SHA256
b816e930e2a3654a83a47714f60645f869fe10467b6014af1151a5567551afc5

SHA512
3bd8a6c8268ba1c681dd5b7414f0d11069ace54240f7ac6c2e3a574de779b5e0f734545f1f5635408ea23dcb148f861038372d36dfa967f29ea3f965ec2f450f

Download Submit
memory/848-59-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1832-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing