d85391521bd9c46bc3a0ecae974f9f985cc0f5bdecf62103409a8d55fbd4ebd8

General

Target

r.exe
Size

726.0MB
MD5

925d0a37d33fdbac9033db87536eb11e
SHA1

e76d4838dd6db6bdf50664652f3cca9bfed6e7a8
SHA256

5177282965eb65aa04252de17b99d0533d82cdddead523238e893dd0d5d1dd54
SHA512

2c2c2c07e0746a5d8c691bd67f28a0077457127ebfb2a43857ab04c445af909d765dbc9eb8f218d7bc9b301ce60243d70352e8a639c86e9d2bf23bd7452de5a8
SSDEEP

49152:J2Ed3BvKmu/5f5tZnmTzXGVpTNkt5jgRqaq8STli:J2G3BSD//tpcCVDsCyTA

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1684	Engine.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000012308-55.dat	upx
behavioral1/files/0x000a000000012308-57.dat	upx
behavioral1/memory/1684-65-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral1/memory/1684-72-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
2004	r.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1824	powershell.exe
1824	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1824	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1684	2004	r.exe	28
PID 2004 wrote to memory of 1684	2004	r.exe	28
PID 2004 wrote to memory of 1684	2004	r.exe	28
PID 2004 wrote to memory of 1684	2004	r.exe	28
PID 2004 wrote to memory of 1684	2004	r.exe	28
PID 2004 wrote to memory of 1684	2004	r.exe	28
PID 2004 wrote to memory of 1684	2004	r.exe	28
PID 1684 wrote to memory of 900	1684	Engine.exe	29
PID 1684 wrote to memory of 900	1684	Engine.exe	29
PID 1684 wrote to memory of 900	1684	Engine.exe	29
PID 1684 wrote to memory of 900	1684	Engine.exe	29
PID 900 wrote to memory of 472	900	CmD.exe	31
PID 900 wrote to memory of 472	900	CmD.exe	31
PID 900 wrote to memory of 472	900	CmD.exe	31
PID 900 wrote to memory of 472	900	CmD.exe	31
PID 472 wrote to memory of 1824	472	cmd.exe	32
PID 472 wrote to memory of 1824	472	cmd.exe	32
PID 472 wrote to memory of 1824	472	cmd.exe	32
PID 472 wrote to memory of 1824	472	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\r.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\SETUP_42251\Engine.exe
  C:\Users\Admin\AppData\Local\Temp\SETUP_42251\Engine.exe /TH_ID=_1992 /OriginExe="C:\Users\Admin\AppData\Local\Temp\r.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\CmD.exe
    C:\Windows\system32\CmD.exe /c cmd < 3
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:472
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avastui
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SETUP_42251\00000#20

Filesize
1.0MB

MD5
b048e735d185f6260169a73b1ba631f4

SHA1
ec7773090f3c286c9ed3d772b6e6837ac0a977b1

SHA256
0fa2825d8008a94bda893ee9ddd625677d9a22d780889a4a829e11f5f6ea807e

SHA512
379a518a8f059056dc4eee421903394ad69231e934f614f347becae75a0b75e853f09d6e612478fce7d56a44af3ad490fb9ccf9d94501aa9ae02a3d51dd08709

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_42251\00001#3

Filesize
13KB

MD5
d648cff5f60e78af8c8edb7b9f42eef4

SHA1
8866de9f6da917c649799b120e29cb0b58ce7135

SHA256
9355727414a677b38c2a86d6d072539d7bf09ecd5fb3e5e94f73907b95088b84

SHA512
df35246cee546084ac9e86e58ec6229a6f945dd6f65fb9a43c1b0072a3c76b7d8c5fe36ee8f45f44a87ec1ce02632694a2d74b1d68feca0d514be4fd25d14447

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_42251\00002#38

Filesize
1.2MB

MD5
ea1dbdf91573d6ef4e1a8cb4cba74426

SHA1
39dbb4b5d77d46d5735a2c21139fa967e1f1ba49

SHA256
1ff0b0af219045a8b695bb372e13d1f763c0e919972bc375d9cad1799f5150d1

SHA512
514c49a1bf5a29fc9fb5f0eafcea52ebaf61fef7eb576df799a84cc7fc24b6fbb9b131eff37f936fe97cee9572760fac503637ecdd88fce31417680abd1db9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_42251\Engine.exe

Filesize
392KB

MD5
50e4b374719400049ef36d2f02dce6a2

SHA1
ed7e29079e42963d7f3418b7c50ae4a747d47064

SHA256
49d492ba33edc5e4da6c24159d44d8c164f5db9504f10efdfeb5e1dc5c660010

SHA512
545b38d0cac594d74ad390dee632ec603a0c78a1887933e59fab469a1e77e83643b6bbc932decc41d439aa82ec761d3f5160b3cde0c974567a492e3ee127c503

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_42251\Modern_Icon.bmp

Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_42251\Setup.txt

Filesize
2KB

MD5
adebd1344bfe2a7c7ad77a5442e06448

SHA1
9651dfd8178c4ab2dd41ca61b75fdcbde0b25cbe

SHA256
0e8b7bb6535bac5601bcc79edb89be9a6cd24e492182174ee6279c85e9c56efc

SHA512
c95364ef11e6fdf37114715370ed116522649da07d99ff86e3aac5d66d173e1c916f4ee46df0f6b49b31f92062bbbdd94d7e4ca7a271b4f10627a6f030c99472

Download Submit
\Users\Admin\AppData\Local\Temp\SETUP_42251\Engine.exe

Filesize
392KB

MD5
50e4b374719400049ef36d2f02dce6a2

SHA1
ed7e29079e42963d7f3418b7c50ae4a747d47064

SHA256
49d492ba33edc5e4da6c24159d44d8c164f5db9504f10efdfeb5e1dc5c660010

SHA512
545b38d0cac594d74ad390dee632ec603a0c78a1887933e59fab469a1e77e83643b6bbc932decc41d439aa82ec761d3f5160b3cde0c974567a492e3ee127c503

Download Submit
memory/1684-65-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1684-72-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1824-70-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1824-71-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2004-54-0x0000000075151000-0x0000000075153000-memory.dmp

Filesize
8KB

Download
memory/2004-64-0x0000000002380000-0x00000000024D8000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing