4d72001a677ed4813f3e2dbff0cc77761f51796c0917050bb59eacc17d8d40b2

General

Target

cf274f67421bbb1738a41d89f971cdb0_exe32.exe
Size

208KB
MD5

cf274f67421bbb1738a41d89f971cdb0
SHA1

d613f67bad5b981f576066acf8ba34f41371bb40
SHA256

4d72001a677ed4813f3e2dbff0cc77761f51796c0917050bb59eacc17d8d40b2
SHA512

661c0f9f2fa2ba41d018309a8f5d57514409771909b47a6c0648a9784870fc74147383726264204728187b1bc67b4c28f55a0b262f2bc70a1b58bc997be5b7d6
SSDEEP

3072:RhWzi7s/Jkug/mBHRasC7KY11IW20ALoE5NPp5+T2WM/+z4NLthEjQT6j:RhYSJ/mlMXKY11hxE5Bp5+aWhQEj1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2868	UNLPQ.exe

Loads dropped DLL 2 IoCs

pid	Process
2564	cmd.exe
2564	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\UNLPQ.exe	cf274f67421bbb1738a41d89f971cdb0_exe32.exe
File opened for modification	C:\windows\SysWOW64\UNLPQ.exe	cf274f67421bbb1738a41d89f971cdb0_exe32.exe
File created	C:\windows\SysWOW64\UNLPQ.exe.bat	cf274f67421bbb1738a41d89f971cdb0_exe32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1720	cf274f67421bbb1738a41d89f971cdb0_exe32.exe
2868	UNLPQ.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1720	cf274f67421bbb1738a41d89f971cdb0_exe32.exe
1720	cf274f67421bbb1738a41d89f971cdb0_exe32.exe
2868	UNLPQ.exe
2868	UNLPQ.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2564	1720	cf274f67421bbb1738a41d89f971cdb0_exe32.exe	30
PID 1720 wrote to memory of 2564	1720	cf274f67421bbb1738a41d89f971cdb0_exe32.exe	30
PID 1720 wrote to memory of 2564	1720	cf274f67421bbb1738a41d89f971cdb0_exe32.exe	30
PID 1720 wrote to memory of 2564	1720	cf274f67421bbb1738a41d89f971cdb0_exe32.exe	30
PID 2564 wrote to memory of 2868	2564	cmd.exe	28
PID 2564 wrote to memory of 2868	2564	cmd.exe	28
PID 2564 wrote to memory of 2868	2564	cmd.exe	28
PID 2564 wrote to memory of 2868	2564	cmd.exe	28

C:\Users\Admin\AppData\Local\Temp\cf274f67421bbb1738a41d89f971cdb0_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\cf274f67421bbb1738a41d89f971cdb0_exe32.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\UNLPQ.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2564

C:\windows\SysWOW64\UNLPQ.exe
C:\windows\system32\UNLPQ.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\UNLPQ.exe

Filesize
208KB

MD5
f0833be2d90622f0fc8319409da20b0b

SHA1
e055ca328fd289d43a70ac69f45aa8f9297a64f4

SHA256
4173e3fa6c132810f4c8e9b559fa941fe958395358025e2235519139c198dfc7

SHA512
f09355f7b59057c9fc4bbc4ba347b1faa552929727fb315d29c34768e8bdcb475bd0847623fca02e76c9d1f88857f510e139ad5f57011a507503989622263a77

Download Submit
C:\Windows\SysWOW64\UNLPQ.exe.bat

Filesize
74B

MD5
e533fdc272450e28c90ddbfa4c2f6546

SHA1
bb026029645c0c8a7339d41ca2e4cecc0fcedb6c

SHA256
57dbf6211fb08b75b00b86d2a0fd37edc16b0bf3b8dd6ffed4348f158d31d32f

SHA512
0e27a153fa1a2a74ad516f0dc3637b193d36e7f7d524f2fea7098933650fe5381f5e9db317e05c7abae136a9aad01358c5ae5d050d9175c90ffa12b7b60435ad

Download Submit
C:\windows\SysWOW64\UNLPQ.exe

Filesize
208KB

MD5
f0833be2d90622f0fc8319409da20b0b

SHA1
e055ca328fd289d43a70ac69f45aa8f9297a64f4

SHA256
4173e3fa6c132810f4c8e9b559fa941fe958395358025e2235519139c198dfc7

SHA512
f09355f7b59057c9fc4bbc4ba347b1faa552929727fb315d29c34768e8bdcb475bd0847623fca02e76c9d1f88857f510e139ad5f57011a507503989622263a77

Download Submit
C:\windows\SysWOW64\UNLPQ.exe.bat

Filesize
74B

MD5
e533fdc272450e28c90ddbfa4c2f6546

SHA1
bb026029645c0c8a7339d41ca2e4cecc0fcedb6c

SHA256
57dbf6211fb08b75b00b86d2a0fd37edc16b0bf3b8dd6ffed4348f158d31d32f

SHA512
0e27a153fa1a2a74ad516f0dc3637b193d36e7f7d524f2fea7098933650fe5381f5e9db317e05c7abae136a9aad01358c5ae5d050d9175c90ffa12b7b60435ad

Download Submit
\Windows\SysWOW64\UNLPQ.exe

Filesize
208KB

MD5
f0833be2d90622f0fc8319409da20b0b

SHA1
e055ca328fd289d43a70ac69f45aa8f9297a64f4

SHA256
4173e3fa6c132810f4c8e9b559fa941fe958395358025e2235519139c198dfc7

SHA512
f09355f7b59057c9fc4bbc4ba347b1faa552929727fb315d29c34768e8bdcb475bd0847623fca02e76c9d1f88857f510e139ad5f57011a507503989622263a77

Download Submit
\Windows\SysWOW64\UNLPQ.exe

Filesize
208KB

MD5
f0833be2d90622f0fc8319409da20b0b

SHA1
e055ca328fd289d43a70ac69f45aa8f9297a64f4

SHA256
4173e3fa6c132810f4c8e9b559fa941fe958395358025e2235519139c198dfc7

SHA512
f09355f7b59057c9fc4bbc4ba347b1faa552929727fb315d29c34768e8bdcb475bd0847623fca02e76c9d1f88857f510e139ad5f57011a507503989622263a77

Download Submit
memory/1720-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1720-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2564-15-0x00000000001F0000-0x0000000000228000-memory.dmp

Filesize
224KB

Download
memory/2564-19-0x00000000001F0000-0x0000000000228000-memory.dmp

Filesize
224KB

Download
memory/2564-22-0x00000000001F0000-0x0000000000228000-memory.dmp

Filesize
224KB

Download
memory/2868-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2868-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing