f450e7ab58e7ec8298127012ccc234e08f52fa004f579ab44459dcf081862824

General

Target

tmp.exe
Size

660KB
MD5

9a3e1eee1cc88d5e7955f8a42f9cce61
SHA1

817e02a3ce12dda64703d29c2ff2de7d882dee82
SHA256

f450e7ab58e7ec8298127012ccc234e08f52fa004f579ab44459dcf081862824
SHA512

4a870fbd5a941db961c4f0444f44193c36c1eb9f0e55f4bd3de937204f5d461367f05f024052bece87b5cc24ca7c4039e72afa3810bfabedead16a87e056e34b
SSDEEP

12288:8HLUMuiv9RgfSjAzRty26xGJeMTE3Z2ap4srKWLZ6JCtXZYJfme:WtARD6EAMC41o6Jfme

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/652-133-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/memory/652-1520-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/memory/652-1521-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/memory/652-2499-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/memory/652-2500-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/memory/652-2501-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/memory/652-2502-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/memory/652-2503-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/memory/652-2504-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/memory/652-2505-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/memory/652-2506-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/memory/652-2507-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/memory/652-2508-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/memory/652-2509-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/memory/652-2510-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral2/memory/652-2511-0x0000000000400000-0x00000000004B0000-memory.dmp	upx

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/652-1520-0x0000000000400000-0x00000000004B0000-memory.dmp	autoit_exe
behavioral2/memory/652-1521-0x0000000000400000-0x00000000004B0000-memory.dmp	autoit_exe
behavioral2/memory/652-2499-0x0000000000400000-0x00000000004B0000-memory.dmp	autoit_exe
behavioral2/memory/652-2500-0x0000000000400000-0x00000000004B0000-memory.dmp	autoit_exe
behavioral2/memory/652-2501-0x0000000000400000-0x00000000004B0000-memory.dmp	autoit_exe
behavioral2/memory/652-2502-0x0000000000400000-0x00000000004B0000-memory.dmp	autoit_exe
behavioral2/memory/652-2503-0x0000000000400000-0x00000000004B0000-memory.dmp	autoit_exe
behavioral2/memory/652-2504-0x0000000000400000-0x00000000004B0000-memory.dmp	autoit_exe
behavioral2/memory/652-2505-0x0000000000400000-0x00000000004B0000-memory.dmp	autoit_exe
behavioral2/memory/652-2506-0x0000000000400000-0x00000000004B0000-memory.dmp	autoit_exe
behavioral2/memory/652-2507-0x0000000000400000-0x00000000004B0000-memory.dmp	autoit_exe
behavioral2/memory/652-2508-0x0000000000400000-0x00000000004B0000-memory.dmp	autoit_exe
behavioral2/memory/652-2509-0x0000000000400000-0x00000000004B0000-memory.dmp	autoit_exe
behavioral2/memory/652-2510-0x0000000000400000-0x00000000004B0000-memory.dmp	autoit_exe
behavioral2/memory/652-2511-0x0000000000400000-0x00000000004B0000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	34	AutoIt3Script

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2416	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
652	tmp.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
652	tmp.exe
652	tmp.exe
652	tmp.exe
652	tmp.exe
652	tmp.exe
652	tmp.exe
652	tmp.exe
652	tmp.exe
652	tmp.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
652	tmp.exe
652	tmp.exe
652	tmp.exe
652	tmp.exe
652	tmp.exe
652	tmp.exe
652	tmp.exe
652	tmp.exe
652	tmp.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2416	EXCEL.EXE
2416	EXCEL.EXE
2416	EXCEL.EXE
2416	EXCEL.EXE

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:652

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Setup_zffz.ini

Filesize
9KB

MD5
c56e7fe3064647acf29cc3602cdb8a08

SHA1
9ebd7913801303341781910a78e49c8bd7bec793

SHA256
fe8ce7c137aaf654dfd3b8a1aed37698da503ad519c4b4bfc9d47708afefbec0

SHA512
a443c2996bcaeab2a824f37eb74fb4b964816b54e2e0e619a451c9ff51418fb02430479ed841a1d54dda0ac68373a03f62b98e81458708cfb79361186193851f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup_zffz.ini

Filesize
9KB

MD5
e3ead1177ce2090c5e123a6990b40598

SHA1
66d8602e42e215a58287930692e6944a2e428acd

SHA256
14c38337872ff297567e961dd29363556f9fc433efa8fdeb85f61c048cddf235

SHA512
4f49b9071fe8f60e093e6fb52ed7c6cf0997f0038f7c799d08312d93462afa1137d9bd95b23ae8789a8aebe8d25065d5b5928c35c1f75726ff043b8977ee053d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup_zffz.ini

Filesize
3KB

MD5
408517d48b642ac8ce921f1be818eece

SHA1
061d596b0a57fa26587fff15042fd87168e90b05

SHA256
234d92c63572769b6af6c3a0e3154679650a9b574a809d12660099c20cd389da

SHA512
eca5a8eb92fbd110a0d1763cc87e14b579cda57161eede271c305cb4dc33ef742450fe274d05f2a08ecd09f7785d2be131e8706ae0d20b33c0090f4a0dd28cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup_zffz.ini

Filesize
9KB

MD5
e3ead1177ce2090c5e123a6990b40598

SHA1
66d8602e42e215a58287930692e6944a2e428acd

SHA256
14c38337872ff297567e961dd29363556f9fc433efa8fdeb85f61c048cddf235

SHA512
4f49b9071fe8f60e093e6fb52ed7c6cf0997f0038f7c799d08312d93462afa1137d9bd95b23ae8789a8aebe8d25065d5b5928c35c1f75726ff043b8977ee053d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup_zffz.ini

Filesize
9KB

MD5
e3ead1177ce2090c5e123a6990b40598

SHA1
66d8602e42e215a58287930692e6944a2e428acd

SHA256
14c38337872ff297567e961dd29363556f9fc433efa8fdeb85f61c048cddf235

SHA512
4f49b9071fe8f60e093e6fb52ed7c6cf0997f0038f7c799d08312d93462afa1137d9bd95b23ae8789a8aebe8d25065d5b5928c35c1f75726ff043b8977ee053d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup_zffz.ini

Filesize
10KB

MD5
0e9caee9767989c220f2a671a9e6ca60

SHA1
99e0a3e7b98ed3500121697942f6b7bbf4df88aa

SHA256
881982af78c434328c71ad286b11f4d05e7424a31081b7fed09895e0d81ca9ec

SHA512
ec1dcb7aae84085c9a5eaef54b3a8550c2631268b60fcccdc962afad0351ca9a395fc492ca3902998fcea9230083458873191dbe7da040ef82f4f076b6864069

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjafu_zffz\028C\TEmp$$$$__myInetGetFile_20230528211938.ini

Filesize
954B

MD5
b4983c1aa57201d8866994cdbd8e8af8

SHA1
b963a5dec73daa8676520ef15faf484cee9dfe4c

SHA256
e182b5459c11004906d3e528e55f713e7c8602e006810fdce003bfd0f64c7c29

SHA512
31252c4717be4c3e8eab5c56504e9065d05fd92ae75fcf849a3e6b8f1d1f81847a77b88ca7bee53551eb651d29d7be5906a55958d26e916b89b3e03e0a1f5414

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjafu_zffz\028C\TEmp$$$$__myInetGetFile_20230528211941.ini

Filesize
107KB

MD5
2d03ff1b012497ff72fe803b4617b9e9

SHA1
0295e20a4727ae30b386a943e8870b4466664d7d

SHA256
3596e8fcb1cd8510afc78c5724ffe5741c3bcc149c03ff8ed6e227902275afd7

SHA512
61436da13151a8bf214c933c7f7de266000bbea3ad261a6fe8c74256e7caf7d7f20209c4c8659bbe2b49d62fec840f62464c416980d4939bf783e742b1277922

Download Submit
memory/652-2505-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/652-2504-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/652-1520-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/652-1521-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/652-2510-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/652-2509-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/652-2508-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/652-2507-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/652-2499-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/652-2503-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/652-2502-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/652-133-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/652-2501-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/652-2511-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/652-2506-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/652-2500-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2416-207-0x00007FFAD5AF0000-0x00007FFAD5B00000-memory.dmp

Filesize
64KB

Download
memory/2416-145-0x00007FFAD5AF0000-0x00007FFAD5B00000-memory.dmp

Filesize
64KB

Download
memory/2416-146-0x00007FFAD5AF0000-0x00007FFAD5B00000-memory.dmp

Filesize
64KB

Download
memory/2416-205-0x00007FFAD5AF0000-0x00007FFAD5B00000-memory.dmp

Filesize
64KB

Download
memory/2416-151-0x00007FFAD3820000-0x00007FFAD3830000-memory.dmp

Filesize
64KB

Download
memory/2416-147-0x00007FFAD5AF0000-0x00007FFAD5B00000-memory.dmp

Filesize
64KB

Download
memory/2416-148-0x00007FFAD5AF0000-0x00007FFAD5B00000-memory.dmp

Filesize
64KB

Download
memory/2416-149-0x00007FFAD5AF0000-0x00007FFAD5B00000-memory.dmp

Filesize
64KB

Download
memory/2416-150-0x00007FFAD3820000-0x00007FFAD3830000-memory.dmp

Filesize
64KB

Download
memory/2416-208-0x00007FFAD5AF0000-0x00007FFAD5B00000-memory.dmp

Filesize
64KB

Download
memory/2416-206-0x00007FFAD5AF0000-0x00007FFAD5B00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads