6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634

General

Target

6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
Size

14.1MB
MD5

98d5b097a3798f6d1a4a9b7806cea2cd
SHA1

cea88d0aef6fa58320f1f3fb0e851075f036459a
SHA256

6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634
SHA512

7debf0c1a21b5120bb85ba2d4b3dadfa9a64fe128c93125563ef5d4aa6e5fe9d122e1198307889e0e8c210aaa3e062d67898098c3815707561de77d7a8b23623
SSDEEP

393216:fmn32rw3s1JmIqSiLijbBPGcs1hwtwHVLbXQHw9CI0K:f4NuJmJLijb1s1ytGHWK

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2864	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe

Executes dropped EXE 1 IoCs

pid	Process
2864	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe

Loads dropped DLL 2 IoCs

pid	Process
2188	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
2864	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2188-0-0x0000000000400000-0x0000000001C28000-memory.dmp	upx
behavioral1/memory/2188-1-0x0000000000400000-0x0000000001C28000-memory.dmp	upx
behavioral1/memory/2188-2-0x0000000000400000-0x0000000001C28000-memory.dmp	upx
behavioral1/memory/2188-3-0x0000000000400000-0x0000000001C28000-memory.dmp	upx
behavioral1/memory/2188-7-0x0000000000400000-0x0000000001C28000-memory.dmp	upx
behavioral1/files/0x002e000000016b93-8.dat	upx
behavioral1/files/0x002e000000016b93-11.dat	upx
behavioral1/memory/2188-12-0x0000000006490000-0x0000000007CB8000-memory.dmp	upx
behavioral1/memory/2188-13-0x0000000000400000-0x0000000001C28000-memory.dmp	upx
behavioral1/memory/2864-14-0x0000000000400000-0x0000000001C28000-memory.dmp	upx
behavioral1/files/0x002e000000016b93-15.dat	upx
behavioral1/memory/2864-18-0x0000000000400000-0x0000000001C28000-memory.dmp	upx
behavioral1/memory/2188-19-0x0000000000400000-0x0000000001C28000-memory.dmp	upx
behavioral1/files/0x002e000000016b93-21.dat	upx
behavioral1/memory/2864-20-0x0000000000400000-0x0000000001C28000-memory.dmp	upx
behavioral1/memory/2864-155-0x0000000000400000-0x0000000001C28000-memory.dmp	upx
behavioral1/memory/2864-158-0x0000000000400000-0x0000000001C28000-memory.dmp	upx
behavioral1/memory/2864-162-0x0000000000400000-0x0000000001C28000-memory.dmp	upx
behavioral1/memory/2864-164-0x0000000000400000-0x0000000001C28000-memory.dmp	upx
behavioral1/memory/2864-166-0x0000000000400000-0x0000000001C28000-memory.dmp	upx
behavioral1/memory/2864-167-0x0000000000400000-0x0000000001C28000-memory.dmp	upx
behavioral1/memory/2864-168-0x0000000000400000-0x0000000001C28000-memory.dmp	upx
behavioral1/memory/2864-169-0x0000000000400000-0x0000000001C28000-memory.dmp	upx
behavioral1/memory/2864-170-0x0000000000400000-0x0000000001C28000-memory.dmp	upx
behavioral1/memory/2864-171-0x0000000000400000-0x0000000001C28000-memory.dmp	upx
behavioral1/memory/2864-172-0x0000000000400000-0x0000000001C28000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
File opened (read-only)	\??\M:	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
File opened (read-only)	\??\P:	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
File opened (read-only)	\??\Q:	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
File opened (read-only)	\??\S:	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
File opened (read-only)	\??\U:	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
File opened (read-only)	\??\X:	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
File opened (read-only)	\??\A:	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
File opened (read-only)	\??\O:	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
File opened (read-only)	\??\R:	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
File opened (read-only)	\??\Z:	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
File opened (read-only)	\??\G:	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
File opened (read-only)	\??\K:	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
File opened (read-only)	\??\V:	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
File opened (read-only)	\??\W:	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
File opened (read-only)	\??\B:	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
File opened (read-only)	\??\H:	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
File opened (read-only)	\??\I:	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
File opened (read-only)	\??\L:	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
File opened (read-only)	\??\N:	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
File opened (read-only)	\??\T:	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
File opened (read-only)	\??\Y:	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
File opened (read-only)	\??\E:	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2864	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2188	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
2188	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
2188	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
2188	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
2188	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
2864	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
2864	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
2864	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
2864	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
2864	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2864	2188	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe	30
PID 2188 wrote to memory of 2864	2188	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe	30
PID 2188 wrote to memory of 2864	2188	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe	30
PID 2188 wrote to memory of 2864	2188	6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe	30

C:\Users\Admin\AppData\Local\Temp\6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
"C:\Users\Admin\AppData\Local\Temp\6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188
- C:\6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634\6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
  C:\6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634\6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634\6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe

Filesize
14.1MB

MD5
98d5b097a3798f6d1a4a9b7806cea2cd

SHA1
cea88d0aef6fa58320f1f3fb0e851075f036459a

SHA256
6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634

SHA512
7debf0c1a21b5120bb85ba2d4b3dadfa9a64fe128c93125563ef5d4aa6e5fe9d122e1198307889e0e8c210aaa3e062d67898098c3815707561de77d7a8b23623

Download Submit
C:\6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634\6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe

Filesize
14.1MB

MD5
98d5b097a3798f6d1a4a9b7806cea2cd

SHA1
cea88d0aef6fa58320f1f3fb0e851075f036459a

SHA256
6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634

SHA512
7debf0c1a21b5120bb85ba2d4b3dadfa9a64fe128c93125563ef5d4aa6e5fe9d122e1198307889e0e8c210aaa3e062d67898098c3815707561de77d7a8b23623

Download Submit
C:\Users\Admin\AppData\Local\Temp\2489764db34f1626f1188088a90da0df.txt

Filesize
67B

MD5
a0e48a925f8eeaa9e4f76be19688e9f2

SHA1
fc7c43a7d5af1121c0741dbf41058c42324fc7b3

SHA256
685b3f284b9838d91a64ace6c12b1844b00c3e9f88fe30196a2a3c72ef6f5456

SHA512
f6168eec920fbb4d8a875137be3707289c7ab0d2bc6ab238da2949bd30855c35e0487f2900960d4a9fddedae4df621ca955c5343d32a0221b9c9ecff95a18a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\855de0bcf6f3f59f6b1dfca2f04577cf.ini

Filesize
2KB

MD5
77ca5b27687a0a74fd4a1a1eb4abe134

SHA1
48a8c4a4432b667b7fcc16c0f424083fc400a65d

SHA256
ace8ccfdcf47bcee5c1fe4a18a4da979fb5492d13b2aff63716b14c0403ec0fc

SHA512
698ab06390a3cb27f4a94ef4f4a0037a0da9a80811d651c1e8ccccf0b699f8efe60b202d73565578cdfa9464eb5955b35ddde5b8b2722d519d183c992175a0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.dat

Filesize
102B

MD5
c258e16bef5360f70199a2b775b2683d

SHA1
ef06241e971f2988c98559783ef375ebe706e87b

SHA256
5c5dfdccbe8f7efc91411b3747ae6c1ed706ce8f2a506f5a875f7d03daa7dc10

SHA512
633195969d59f25d64d056d56842f1c62ecb233590958b1bbd79f26710a9ed95dec50b4af2830b8695c108fd057a5ea942864181a43bbc57ef5c4b8a666de533

Download Submit
\6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634\6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe

Filesize
14.1MB

MD5
98d5b097a3798f6d1a4a9b7806cea2cd

SHA1
cea88d0aef6fa58320f1f3fb0e851075f036459a

SHA256
6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634

SHA512
7debf0c1a21b5120bb85ba2d4b3dadfa9a64fe128c93125563ef5d4aa6e5fe9d122e1198307889e0e8c210aaa3e062d67898098c3815707561de77d7a8b23623

Download Submit
\6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634\6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634.exe

Filesize
14.1MB

MD5
98d5b097a3798f6d1a4a9b7806cea2cd

SHA1
cea88d0aef6fa58320f1f3fb0e851075f036459a

SHA256
6956439551d57e077eb9fe96d2710544c20aa6b9f1cd5d556123dd0118291634

SHA512
7debf0c1a21b5120bb85ba2d4b3dadfa9a64fe128c93125563ef5d4aa6e5fe9d122e1198307889e0e8c210aaa3e062d67898098c3815707561de77d7a8b23623

Download Submit
memory/2188-2-0x0000000000400000-0x0000000001C28000-memory.dmp

Filesize
24.2MB

Download
memory/2188-12-0x0000000006490000-0x0000000007CB8000-memory.dmp

Filesize
24.2MB

Download
memory/2188-13-0x0000000000400000-0x0000000001C28000-memory.dmp

Filesize
24.2MB

Download
memory/2188-1-0x0000000000400000-0x0000000001C28000-memory.dmp

Filesize
24.2MB

Download
memory/2188-7-0x0000000000400000-0x0000000001C28000-memory.dmp

Filesize
24.2MB

Download
memory/2188-3-0x0000000000400000-0x0000000001C28000-memory.dmp

Filesize
24.2MB

Download
memory/2188-19-0x0000000000400000-0x0000000001C28000-memory.dmp

Filesize
24.2MB

Download
memory/2188-0-0x0000000000400000-0x0000000001C28000-memory.dmp

Filesize
24.2MB

Download
memory/2864-155-0x0000000000400000-0x0000000001C28000-memory.dmp

Filesize
24.2MB

Download
memory/2864-162-0x0000000000400000-0x0000000001C28000-memory.dmp

Filesize
24.2MB

Download
memory/2864-20-0x0000000000400000-0x0000000001C28000-memory.dmp

Filesize
24.2MB

Download
memory/2864-18-0x0000000000400000-0x0000000001C28000-memory.dmp

Filesize
24.2MB

Download
memory/2864-158-0x0000000000400000-0x0000000001C28000-memory.dmp

Filesize
24.2MB

Download
memory/2864-160-0x0000000001D10000-0x0000000001D20000-memory.dmp

Filesize
64KB

Download
memory/2864-14-0x0000000000400000-0x0000000001C28000-memory.dmp

Filesize
24.2MB

Download
memory/2864-25-0x0000000001D10000-0x0000000001D20000-memory.dmp

Filesize
64KB

Download
memory/2864-164-0x0000000000400000-0x0000000001C28000-memory.dmp

Filesize
24.2MB

Download
memory/2864-166-0x0000000000400000-0x0000000001C28000-memory.dmp

Filesize
24.2MB

Download
memory/2864-167-0x0000000000400000-0x0000000001C28000-memory.dmp

Filesize
24.2MB

Download
memory/2864-168-0x0000000000400000-0x0000000001C28000-memory.dmp

Filesize
24.2MB

Download
memory/2864-169-0x0000000000400000-0x0000000001C28000-memory.dmp

Filesize
24.2MB

Download
memory/2864-170-0x0000000000400000-0x0000000001C28000-memory.dmp

Filesize
24.2MB

Download
memory/2864-171-0x0000000000400000-0x0000000001C28000-memory.dmp

Filesize
24.2MB

Download
memory/2864-172-0x0000000000400000-0x0000000001C28000-memory.dmp

Filesize
24.2MB

Download

Analysis

Sharing