f65bb57608a38be52643c6a989f4ca9897d662bbec9a9be6e4c0dc45d68fcafe

General

Target

f65bb57608a38be52643c6a989f4ca9897d662bbec9a9be6e4c0dc45d68fcafe.exe
Size

272KB
MD5

9e5607ac1dfcc3009de12b87c2501f6e
SHA1

7d1ac7ff5f55bc6f39b876ec63a628c3277ff4df
SHA256

f65bb57608a38be52643c6a989f4ca9897d662bbec9a9be6e4c0dc45d68fcafe
SHA512

71c9563665e61b9fae18c972a847537f56a603e1d65afafef18cdcddf4d4972a6fb7baad3daed8c0db2bd124e7a6adf042ad1e1728e1e5ee8855fdfee6545927
SSDEEP

6144:OPSjeoSEwwwTfwnc8tt2Wv7hf9uYf+6ZX:2SjeoSL6

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2172	b2e.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4080-0-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/4080-9-0x0000000000400000-0x000000000048E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 2172	4080	f65bb57608a38be52643c6a989f4ca9897d662bbec9a9be6e4c0dc45d68fcafe.exe	80
PID 4080 wrote to memory of 2172	4080	f65bb57608a38be52643c6a989f4ca9897d662bbec9a9be6e4c0dc45d68fcafe.exe	80
PID 4080 wrote to memory of 2172	4080	f65bb57608a38be52643c6a989f4ca9897d662bbec9a9be6e4c0dc45d68fcafe.exe	80
PID 2172 wrote to memory of 4484	2172	b2e.exe	81
PID 2172 wrote to memory of 4484	2172	b2e.exe	81
PID 2172 wrote to memory of 4484	2172	b2e.exe	81
PID 4484 wrote to memory of 416	4484	cmd.exe	84
PID 4484 wrote to memory of 416	4484	cmd.exe	84
PID 4484 wrote to memory of 416	4484	cmd.exe	84
PID 4484 wrote to memory of 552	4484	cmd.exe	85
PID 4484 wrote to memory of 552	4484	cmd.exe	85
PID 4484 wrote to memory of 552	4484	cmd.exe	85
PID 2172 wrote to memory of 3176	2172	b2e.exe	87
PID 2172 wrote to memory of 3176	2172	b2e.exe	87
PID 2172 wrote to memory of 3176	2172	b2e.exe	87

C:\Users\Admin\AppData\Local\Temp\f65bb57608a38be52643c6a989f4ca9897d662bbec9a9be6e4c0dc45d68fcafe.exe
"C:\Users\Admin\AppData\Local\Temp\f65bb57608a38be52643c6a989f4ca9897d662bbec9a9be6e4c0dc45d68fcafe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Users\Admin\AppData\Local\Temp\DE2B.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\DE2B.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\DE2B.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\f65bb57608a38be52643c6a989f4ca9897d662bbec9a9be6e4c0dc45d68fcafe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E1C5.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v "OptInOrOutPreference" /t REG_DWORD /d "0" /f
      4⤵
      PID:416
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\Startup" /v "SendTelemetryData" /t REG_DWORD /d "0" /f
      4⤵
      PID:552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
    3⤵
    PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DE2B.tmp\b2e.exe

Filesize
8KB

MD5
623e7773936180cccaa1a3d88cbefa0a

SHA1
3f503167bf9935ec09e8035aac2cebd8ded22c34

SHA256
da5b498c138d199044bb99b6c0224ab23f52762a11e5623f4ba7b6e2c3b90cc7

SHA512
8279a64a2f1afc02910578128b013d96495934649ef836269b539fe88bcaa383316ae1bb381053d9ce0a30c72b4fc820efea566798acbcc64eeb8fb0d14f8681

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE2B.tmp\b2e.exe

Filesize
8KB

MD5
623e7773936180cccaa1a3d88cbefa0a

SHA1
3f503167bf9935ec09e8035aac2cebd8ded22c34

SHA256
da5b498c138d199044bb99b6c0224ab23f52762a11e5623f4ba7b6e2c3b90cc7

SHA512
8279a64a2f1afc02910578128b013d96495934649ef836269b539fe88bcaa383316ae1bb381053d9ce0a30c72b4fc820efea566798acbcc64eeb8fb0d14f8681

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE2B.tmp\b2e.exe

Filesize
8KB

MD5
623e7773936180cccaa1a3d88cbefa0a

SHA1
3f503167bf9935ec09e8035aac2cebd8ded22c34

SHA256
da5b498c138d199044bb99b6c0224ab23f52762a11e5623f4ba7b6e2c3b90cc7

SHA512
8279a64a2f1afc02910578128b013d96495934649ef836269b539fe88bcaa383316ae1bb381053d9ce0a30c72b4fc820efea566798acbcc64eeb8fb0d14f8681

Download Submit
C:\Users\Admin\AppData\Local\Temp\E1C5.tmp\batchfile.bat

Filesize
247B

MD5
9ec1b74336ae2528aa5588d50b35f287

SHA1
17a0a94546f2b0a6160987849d26ef19036bb3c0

SHA256
152ce8c75f7a8f4aa517824f2f0b9915348145a072b7b559eaa53f86503ea07f

SHA512
d2e4ee05e95e7f75ae502c46d0b8c354789cdd11deeca19a561042c7df17d26927bcbc6dc751357e192676434eb61b1392c532f9a807bdc5e1c6234903c693b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

Filesize
158B

MD5
973f6ee6a0f9380c583a469d27f69c80

SHA1
8d074b0eb597be9876a1ccad089e104771160bfe

SHA256
7234b9820f63ceafdb0c7be0522cfa38bf586135ebfcb5de366c3fbb2144535f

SHA512
1a36493176e593eeb59843d0abca6912b739b9b8e12293733010d487c02ee5eae94c3db56c1f541ddd8e2048ffb1df876a04a6d8203f88203503871c638377de

Download Submit
memory/2172-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2172-18-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4080-0-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4080-9-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download

Analysis

Sharing