e19411b76e85354c5d53a959772efca2ed0315a6e7f74c4bd421edc03022d623

General

Target

611a9e4c291ecd531c6f8f19afc436ea303f5f08.exe
Size

441KB
MD5

6d906bd5d8a13d4f606a3b97fae99ad8
SHA1

611a9e4c291ecd531c6f8f19afc436ea303f5f08
SHA256

e19411b76e85354c5d53a959772efca2ed0315a6e7f74c4bd421edc03022d623
SHA512

eb35fccd3facb2b88c6d0600ae9f2ed188909b63b83f3800d63c37cbb05d596bc8582dc9f691532b3e79102088dcfcf06eb3026e90ecc40c6b29d31857f164ba
SSDEEP

6144:B5aWbksiNTBTSJfzmTFZjI+wCtNNHxfLf0Gq0eMmv+bYR8Byaewr8z5PEtmprDWE:B5atNTFSJfzmTLTxxfo0eMqJut5CeE

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1952	extd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000133af-57.dat	upx
behavioral1/files/0x00070000000133af-59.dat	upx
behavioral1/memory/1952-61-0x0000000000400000-0x00000000004A5000-memory.dmp	upx

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1952	extd.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1356	1684	611a9e4c291ecd531c6f8f19afc436ea303f5f08.exe	29
PID 1684 wrote to memory of 1356	1684	611a9e4c291ecd531c6f8f19afc436ea303f5f08.exe	29
PID 1684 wrote to memory of 1356	1684	611a9e4c291ecd531c6f8f19afc436ea303f5f08.exe	29
PID 1684 wrote to memory of 1356	1684	611a9e4c291ecd531c6f8f19afc436ea303f5f08.exe	29
PID 1356 wrote to memory of 1952	1356	cmd.exe	30
PID 1356 wrote to memory of 1952	1356	cmd.exe	30
PID 1356 wrote to memory of 1952	1356	cmd.exe	30
PID 1356 wrote to memory of 1952	1356	cmd.exe	30
PID 1356 wrote to memory of 588	1356	cmd.exe	31
PID 1356 wrote to memory of 588	1356	cmd.exe	31
PID 1356 wrote to memory of 588	1356	cmd.exe	31
PID 1356 wrote to memory of 1156	1356	cmd.exe	33
PID 1356 wrote to memory of 1156	1356	cmd.exe	33
PID 1356 wrote to memory of 1156	1356	cmd.exe	33
PID 1356 wrote to memory of 680	1356	cmd.exe	34
PID 1356 wrote to memory of 680	1356	cmd.exe	34
PID 1356 wrote to memory of 680	1356	cmd.exe	34
PID 1356 wrote to memory of 1320	1356	cmd.exe	36
PID 1356 wrote to memory of 1320	1356	cmd.exe	36
PID 1356 wrote to memory of 1320	1356	cmd.exe	36
PID 1356 wrote to memory of 1568	1356	cmd.exe	38
PID 1356 wrote to memory of 1568	1356	cmd.exe	38
PID 1356 wrote to memory of 1568	1356	cmd.exe	38

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1320	attrib.exe
1568	attrib.exe

C:\Users\Admin\AppData\Local\Temp\611a9e4c291ecd531c6f8f19afc436ea303f5f08.exe
"C:\Users\Admin\AppData\Local\Temp\611a9e4c291ecd531c6f8f19afc436ea303f5f08.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\36B.tmp\36C.tmp\36D.bat C:\Users\Admin\AppData\Local\Temp\611a9e4c291ecd531c6f8f19afc436ea303f5f08.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Users\Admin\AppData\Local\Temp\36B.tmp\36C.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\36B.tmp\36C.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1952
- - C:\Windows\system32\reg.exe
    reg delete HKCR/.exe
    3⤵
    PID:588
- - C:\Windows\system32\reg.exe
    reg delete HKCR/.dll
    3⤵
    PID:1156
- - C:\Windows\system32\reg.exe
    reg delete HKCR/*
    3⤵
    PID:680
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h c:bootmgr
    3⤵
    - Views/modifies file attributes
    PID:1320
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h c:bootmgr.sys
    3⤵
    - Views/modifies file attributes
    PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\36B.tmp\36C.tmp\36D.bat

Filesize
45KB

MD5
eefdcdb49c5ba11bb5a074fba1f5240a

SHA1
c3a4b6c2431ed1b1aeb75808ecb507a8a93a27dd

SHA256
ce296af063f09632ba694d3cbf6a8361ebdd1612078c459b214fd178dac734da

SHA512
fc308eb945409fa82eeaf68f0ebd16443b727fc6898639293049f567bc66ef7b44bf00bbb2fb7f3f90267ad651e3cbe0e9ffa0c302aefaa28cd21cbdd73d95c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\36B.tmp\36C.tmp\extd.exe

Filesize
259KB

MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\36B.tmp\36C.tmp\extd.exe

Filesize
259KB

MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
memory/1684-54-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

Filesize
8KB

Download
memory/1952-61-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads