5ea7e1f0bac802c35592fcb8376962518b58841509377f7d4646b7693cbed7da

General

Target

tmp.exe
Size

1.3MB
MD5

85dfaae133455ac2a1a983c68018b959
SHA1

c41d6f393044decaa3c3c0148a1dfad3835912da
SHA256

5ea7e1f0bac802c35592fcb8376962518b58841509377f7d4646b7693cbed7da
SHA512

b412cdf023fb8662f260f82fa756a70cb8b5fc23e54857cf4a9f60331dbec074592d9f63a819734472f8fb7b2522cb16f56340dc2e99d1aa7f35554b5bd97ef1
SSDEEP

24576:yWmAFubSZdt9McpKzfN8w0f/GNuoQk2UeZRf/h4hEKasiX:q2ZdRpKbOwwf1RSKVs6

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
940	Engine.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b0000000122f9-55.dat	upx
behavioral1/files/0x000b0000000122f9-57.dat	upx
behavioral1/memory/940-65-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral1/memory/940-72-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
2024	tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
456	powershell.exe
456	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	456	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 940	2024	tmp.exe	27
PID 2024 wrote to memory of 940	2024	tmp.exe	27
PID 2024 wrote to memory of 940	2024	tmp.exe	27
PID 2024 wrote to memory of 940	2024	tmp.exe	27
PID 2024 wrote to memory of 940	2024	tmp.exe	27
PID 2024 wrote to memory of 940	2024	tmp.exe	27
PID 2024 wrote to memory of 940	2024	tmp.exe	27
PID 940 wrote to memory of 676	940	Engine.exe	28
PID 940 wrote to memory of 676	940	Engine.exe	28
PID 940 wrote to memory of 676	940	Engine.exe	28
PID 940 wrote to memory of 676	940	Engine.exe	28
PID 676 wrote to memory of 560	676	cmd.exe	30
PID 676 wrote to memory of 560	676	cmd.exe	30
PID 676 wrote to memory of 560	676	cmd.exe	30
PID 676 wrote to memory of 560	676	cmd.exe	30
PID 560 wrote to memory of 456	560	cmd.exe	31
PID 560 wrote to memory of 456	560	cmd.exe	31
PID 560 wrote to memory of 456	560	cmd.exe	31
PID 560 wrote to memory of 456	560	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\SETUP_29275\Engine.exe
  C:\Users\Admin\AppData\Local\Temp\SETUP_29275\Engine.exe /TH_ID=_2016 /OriginExe="C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd < 8
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:560
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avastui
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SETUP_29275\00000#30

Filesize
970KB

MD5
fc0d1c31d8e7d05ba8111ed9799cf492

SHA1
a9d62107d1da26fd6094000ac0a25ba49d6ca1b0

SHA256
1838b1b4910d1a9ba1edb723dd574ff649f35a1c12a1e5801ff6813873cb5523

SHA512
977d7e32c32cff1729e0ff5dad244410755982471c436233e0eb2889b904ba014e1ca852378f7180826543475ec5464cce5785b6b99f3b71967d399144b6ff9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29275\00001#39

Filesize
872KB

MD5
824b8173f90d902258da3b255519d0c8

SHA1
fbda8221cdb2a44fa6b91a2e407e95cdaccbcb58

SHA256
28da5a81ce518399c6074751b4823e2b1c166b53bcd0a21dcadc87d4496fa8e0

SHA512
1bbc1fe373267a0eeeabde6a8d491b82c0e15b81358fc8a588cd950fbe42b6bed70b28643afa142090a00b7085e3cd239c30151207cb1759578a6583352ae272

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29275\00002#8

Filesize
12KB

MD5
5f0114452c680ae20876ac94c26326bd

SHA1
4d2e23c5928dffe3d958d1ce1c42cbcc76c02dc9

SHA256
b66ea313edb1478de53d964414b2f61177d31d132b3fe1dd205df7dcc3b93019

SHA512
0103f6e25b61322c3f4beb490f96556693fbf2af463a95569c19c984fe8ece242dec0d4180ef903b873c1dd4faa02bf118d419fa0a1c4633df524ac220ed609a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29275\Engine.exe

Filesize
392KB

MD5
a7a99a201774531d761f6aac2651a9df

SHA1
b122ae368c4bf103e959a6ebb54ddb310117ab96

SHA256
e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524

SHA512
056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29275\Modern_Icon.bmp

Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_29275\Setup.txt

Filesize
2KB

MD5
7de6d0618810234a1fab91b4019fdf66

SHA1
c83ab90f1e25a6289cf854a0755efe7414fe6ca8

SHA256
cd8d8e6a720a16958b46408944d009f726cbbd06ef15660897adb59f870b3d7a

SHA512
cf9795170cc19777bef6948f529fc03ac6240cced4e3942b1abf50f0d68ea3ccb0f93b4bfe81f27e1c9e7a799755e58d74600fa1897ba957288921f857656cec

Download Submit
\Users\Admin\AppData\Local\Temp\SETUP_29275\Engine.exe

Filesize
392KB

MD5
a7a99a201774531d761f6aac2651a9df

SHA1
b122ae368c4bf103e959a6ebb54ddb310117ab96

SHA256
e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524

SHA512
056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1

Download Submit
memory/456-70-0x0000000074320000-0x00000000748CB000-memory.dmp

Filesize
5.7MB

Download
memory/456-71-0x0000000074320000-0x00000000748CB000-memory.dmp

Filesize
5.7MB

Download
memory/940-65-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/940-72-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/2024-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/2024-64-0x0000000002300000-0x0000000002458000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing