119c638ebfa6bfa3e479b9c605697878150dd88bf48e741ca06e0c21a5dc64b5

General

Target

YjreQbD.exe
Size

990KB
MD5

f0ee6ef61625a24692eb732cbae38181
SHA1

b0b3947af97884acb97f5bd7adec93174909723c
SHA256

9ed18a0b5e15bd4ecb73c5428e208b5d1b162274cfb0d6c62f7b5c3a04ec4d56
SHA512

f55a977927704fd37e280b3209e2c2512b6f46716a0d85622940b9eb158a0587eb45ec4f4575df97b69a68ee0730fc9a8ebf5a78e5832eceb33758732f707434
SSDEEP

24576:z7WQaGJy0sHg3fyKXLrlX1vFO88UbPdZYLP:WuJ3sA5MoBZ2

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1376 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

Copriva.exe.pif

pid process

1544 Copriva.exe.pif
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

568 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1312 tasklist.exe
640 tasklist.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 1312 tasklist.exe
Token: SeDebugPrivilege 640 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Copriva.exe.pif

pid process

1544 Copriva.exe.pif
1544 Copriva.exe.pif
1544 Copriva.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Copriva.exe.pif

pid process

1544 Copriva.exe.pif
1544 Copriva.exe.pif
1544 Copriva.exe.pif

pid	process
1376	cmd.exe

pid	process
1544	Copriva.exe.pif

pid	process
568	cmd.exe

pid	process
1312	tasklist.exe
640	tasklist.exe

description	pid	process
Token: SeDebugPrivilege	1312	tasklist.exe
Token: SeDebugPrivilege	640	tasklist.exe

pid	process
1544	Copriva.exe.pif
1544	Copriva.exe.pif
1544	Copriva.exe.pif

pid	process
1544	Copriva.exe.pif
1544	Copriva.exe.pif
1544	Copriva.exe.pif

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

YjreQbD.execmd.execmd.exe

description	pid	process	target process
PID 1676 wrote to memory of 864	1676	YjreQbD.exe	dllhost.exe
PID 1676 wrote to memory of 864	1676	YjreQbD.exe	dllhost.exe
PID 1676 wrote to memory of 864	1676	YjreQbD.exe	dllhost.exe
PID 1676 wrote to memory of 864	1676	YjreQbD.exe	dllhost.exe
PID 1676 wrote to memory of 848	1676	YjreQbD.exe	cmd.exe
PID 1676 wrote to memory of 848	1676	YjreQbD.exe	cmd.exe
PID 1676 wrote to memory of 848	1676	YjreQbD.exe	cmd.exe
PID 1676 wrote to memory of 848	1676	YjreQbD.exe	cmd.exe
PID 848 wrote to memory of 568	848	cmd.exe	cmd.exe
PID 848 wrote to memory of 568	848	cmd.exe	cmd.exe
PID 848 wrote to memory of 568	848	cmd.exe	cmd.exe
PID 848 wrote to memory of 568	848	cmd.exe	cmd.exe
PID 568 wrote to memory of 1312	568	cmd.exe	tasklist.exe
PID 568 wrote to memory of 1312	568	cmd.exe	tasklist.exe
PID 568 wrote to memory of 1312	568	cmd.exe	tasklist.exe
PID 568 wrote to memory of 1312	568	cmd.exe	tasklist.exe
PID 568 wrote to memory of 1496	568	cmd.exe	find.exe
PID 568 wrote to memory of 1496	568	cmd.exe	find.exe
PID 568 wrote to memory of 1496	568	cmd.exe	find.exe
PID 568 wrote to memory of 1496	568	cmd.exe	find.exe
PID 568 wrote to memory of 640	568	cmd.exe	tasklist.exe
PID 568 wrote to memory of 640	568	cmd.exe	tasklist.exe
PID 568 wrote to memory of 640	568	cmd.exe	tasklist.exe
PID 568 wrote to memory of 640	568	cmd.exe	tasklist.exe
PID 568 wrote to memory of 1460	568	cmd.exe	find.exe
PID 568 wrote to memory of 1460	568	cmd.exe	find.exe
PID 568 wrote to memory of 1460	568	cmd.exe	find.exe
PID 568 wrote to memory of 1460	568	cmd.exe	find.exe
PID 568 wrote to memory of 1860	568	cmd.exe	findstr.exe
PID 568 wrote to memory of 1860	568	cmd.exe	findstr.exe
PID 568 wrote to memory of 1860	568	cmd.exe	findstr.exe
PID 568 wrote to memory of 1860	568	cmd.exe	findstr.exe
PID 568 wrote to memory of 1544	568	cmd.exe	Copriva.exe.pif
PID 568 wrote to memory of 1544	568	cmd.exe	Copriva.exe.pif
PID 568 wrote to memory of 1544	568	cmd.exe	Copriva.exe.pif
PID 568 wrote to memory of 1544	568	cmd.exe	Copriva.exe.pif
PID 1676 wrote to memory of 1376	1676	YjreQbD.exe	cmd.exe
PID 1676 wrote to memory of 1376	1676	YjreQbD.exe	cmd.exe
PID 1676 wrote to memory of 1376	1676	YjreQbD.exe	cmd.exe
PID 1676 wrote to memory of 1376	1676	YjreQbD.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\YjreQbD.exe
"C:\Users\Admin\AppData\Local\Temp\YjreQbD.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
2⤵
PID:864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Inebriato.wpd
2⤵
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
4⤵
PID:1496

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
4⤵
PID:1460

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^hnmMYJRRrqYoFrCUDeZcgiwUFGxeTZLSdTQAAjLpnOemEnUaaWmdmmnybFisgOYrfuSMjezssQXAtBfuMwJXAxzRxKeVyzUJPZlnGiyfCiYJCYqVfqFhywCUMqaCZbjYVhKys$" Chiederai.wpd
4⤵
PID:1860

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Copriva.exe.pif
Copriva.exe.pif o
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
2⤵
- Deletes itself
PID:1376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Process Discovery

1

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
Filesize
186B

MD5
80f5d7b8923f76f75a9d0b7d869faf70

SHA1
5c727f73630593fdb3e68889adc6fc3b455bca32

SHA256
2469dab56f3df8b32182486bb0cf502c1f37529f89a016909d9ae6da8baa8ec2

SHA512
82a6968865951e260df306004abc01727fcc26344f109bd7251c668a4dd4fcf5056e20c2174ebc5a86ae96f979e5bce60b81b68bb9350c1ea4091bfa4ae918a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
Filesize
186B

MD5
80f5d7b8923f76f75a9d0b7d869faf70

SHA1
5c727f73630593fdb3e68889adc6fc3b455bca32

SHA256
2469dab56f3df8b32182486bb0cf502c1f37529f89a016909d9ae6da8baa8ec2

SHA512
82a6968865951e260df306004abc01727fcc26344f109bd7251c668a4dd4fcf5056e20c2174ebc5a86ae96f979e5bce60b81b68bb9350c1ea4091bfa4ae918a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiederai.wpd
Filesize
872KB

MD5
4b084812c6fb13ba05a4be0758e66ccf

SHA1
0a2faed7c7e7486c71eb79b14c6e256b6c2b7598

SHA256
5d332940731caff69ab83afc4d6a8d24afbd145ec4ff1df52d89c7fc3005fe8f

SHA512
732800942e1a6660c5aacce488d798e220b959239d93a519ae9a41fd5b471be959077f3b630414ed4de1338f38fc72b551d01bf94801df27b7659104ae16793c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Copriva.exe.pif
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Copriva.exe.pif
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Egli.wpd
Filesize
866KB

MD5
c5ac89ff9e331db45cc5c117f6fac7fb

SHA1
39eae354ab757f49538c487de0996ed86dfe4628

SHA256
ef26635708a4a1a6dfefec2d4c434e62a40a14ada8816fd91ffb3b9ea9b49dd3

SHA512
2603880655da83f4304561b25961eadcb693876cfe50fb439e33d9eab89170eb505aee6b1ead3a4f29159cbb8bd053f39154b9c518ca69dc44b930d4509f760e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Inebriato.wpd
Filesize
12KB

MD5
0e7fa1e0cf013f39c47894a8cab1888c

SHA1
73f43280ad9becd805cdb3fa73cdd8cee60f5942

SHA256
c30f814d105434302bf0cba8962d19249558fea60d6c7ed1b11693e1d7debe92

SHA512
16f8d55bf1d60d344a3c6ae2e29a3fc6a4ccd5bd083a6dcb003448585a0d6913c6a817ebb16ddd057ef4952e3c80900ef7c6a578f509ea59ef7112d98fc2906d

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Copriva.exe.pif
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit

Analysis

Sharing