dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae

General

Target

dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe
Size

212KB
MD5

dde62651d20d9b8b386b69c9bbb6b1c1
SHA1

6a70a8ff79f53da5954eb6f6fd0f9823710e515b
SHA256

dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae
SHA512

c4bf277723690faf81d6e6cfecccafc62790e24f371a76f18bc14b6749814c3e488d314f005fc3b88b7e4870fe348f89b134887426956d242de00b1ff101ad58
SSDEEP

6144:4ICuxZG0zmll5inya4jE8lPP+YWNwjQ7M:XnG0zgl4nyailHrWN1

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1908	Ymuwoa.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1372-54-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/1372-61-0x0000000000580000-0x00000000005F1000-memory.dmp	upx
behavioral1/files/0x0008000000012300-63.dat	upx
behavioral1/memory/1908-64-0x0000000000400000-0x0000000000471000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	Ymuwoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\VXEG3ZNNE5 = "C:\\Windows\\Ymuwoa.exe"	Ymuwoa.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe
File opened for modification	C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe
File created	C:\Windows\Ymuwoa.exe	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe
File opened for modification	C:\Windows\Ymuwoa.exe	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	Ymuwoa.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1908	Ymuwoa.exe
1908	Ymuwoa.exe
1908	Ymuwoa.exe
1908	Ymuwoa.exe
1908	Ymuwoa.exe
1908	Ymuwoa.exe
1908	Ymuwoa.exe
1908	Ymuwoa.exe
1908	Ymuwoa.exe
1908	Ymuwoa.exe
1908	Ymuwoa.exe
1908	Ymuwoa.exe
1908	Ymuwoa.exe
1908	Ymuwoa.exe
1908	Ymuwoa.exe
1372	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe
1372	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe
1372	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe
1372	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe
1372	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe
1372	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe
1372	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe
1372	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe
1372	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe
1372	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe
1372	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe
1372	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe
1372	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe
1372	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe
1372	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1372	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe
1908	Ymuwoa.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 1908	1372	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe	28
PID 1372 wrote to memory of 1908	1372	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe	28
PID 1372 wrote to memory of 1908	1372	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe	28
PID 1372 wrote to memory of 1908	1372	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe	28
PID 1372 wrote to memory of 1908	1372	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe	28
PID 1372 wrote to memory of 1908	1372	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe	28
PID 1372 wrote to memory of 1908	1372	dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe	28

C:\Users\Admin\AppData\Local\Temp\dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe
"C:\Users\Admin\AppData\Local\Temp\dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae.exe"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Windows\Ymuwoa.exe
  C:\Windows\Ymuwoa.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

Filesize
408B

MD5
13c562fa3087bb35dc6779180c91363b

SHA1
e9dd0f0a9fb2ed73a95221976e3406cf9b64f7b1

SHA256
405c7353696c89facea5b9ebe89f7dd5c55baebd741dab794e54a389542eef21

SHA512
fc38fa1fb8a61df29a3de8e62231d2bcc79c5412f24d48f94ff4f737debbfa1f14a607dfeb7dab8a4bc9f3101c6d6e99575dc80112c3e0db1e4638c74aa5009b

Download Submit
C:\Windows\Ymuwoa.exe

Filesize
212KB

MD5
dde62651d20d9b8b386b69c9bbb6b1c1

SHA1
6a70a8ff79f53da5954eb6f6fd0f9823710e515b

SHA256
dbe85bc7eca62f53d553b6b5ae6a0387dbae71f02d1caf014a78f8b2580723ae

SHA512
c4bf277723690faf81d6e6cfecccafc62790e24f371a76f18bc14b6749814c3e488d314f005fc3b88b7e4870fe348f89b134887426956d242de00b1ff101ad58

Download Submit
memory/1372-55-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1372-58-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1372-59-0x0000000000230000-0x00000000002A1000-memory.dmp

Filesize
452KB

Download
memory/1372-60-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1372-61-0x0000000000580000-0x00000000005F1000-memory.dmp

Filesize
452KB

Download
memory/1372-54-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1372-72-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download
memory/1372-71-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1908-70-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1908-67-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1908-64-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads