a0dcda13a3770fd84caba3c3a4034abbdf6a62af3df625d116ce003b0bdd1e03

General

Target

093de472c91e1d33550c94077d9d5ece.exe
Size

558KB
MD5

093de472c91e1d33550c94077d9d5ece
SHA1

9cd727bdcdfb4a661553d048cc4f615a5afc344f
SHA256

a0dcda13a3770fd84caba3c3a4034abbdf6a62af3df625d116ce003b0bdd1e03
SHA512

72dda49cec874896731187bc86e6e58f7f28e36e3e5ff1192b78f3e379803d32ad160c71135532bc5d8a0f18d2e44713c172e22da0e9834a3276e3f1a605574f
SSDEEP

12288:21+vKnoA0cdoIl9jmDBJ4Uh2DEq/51r575O65n9Vl:e+vg0HU9EP4UheEq/B799

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	093de472c91e1d33550c94077d9d5ece.exe

Loads dropped DLL 2 IoCs

pid	Process
1432	093de472c91e1d33550c94077d9d5ece.exe
1432	093de472c91e1d33550c94077d9d5ece.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1432-0-0x0000000000400000-0x0000000000551000-memory.dmp	upx
behavioral1/files/0x000a00000001225a-10.dat	upx
behavioral1/memory/1432-20-0x0000000000400000-0x0000000000551000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	093de472c91e1d33550c94077d9d5ece.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1432	093de472c91e1d33550c94077d9d5ece.exe
1432	093de472c91e1d33550c94077d9d5ece.exe
1432	093de472c91e1d33550c94077d9d5ece.exe
1432	093de472c91e1d33550c94077d9d5ece.exe
1432	093de472c91e1d33550c94077d9d5ece.exe
1432	093de472c91e1d33550c94077d9d5ece.exe
1432	093de472c91e1d33550c94077d9d5ece.exe
1432	093de472c91e1d33550c94077d9d5ece.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1432	093de472c91e1d33550c94077d9d5ece.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1432	093de472c91e1d33550c94077d9d5ece.exe
1432	093de472c91e1d33550c94077d9d5ece.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 2980	1432	093de472c91e1d33550c94077d9d5ece.exe	28
PID 1432 wrote to memory of 2980	1432	093de472c91e1d33550c94077d9d5ece.exe	28
PID 1432 wrote to memory of 2980	1432	093de472c91e1d33550c94077d9d5ece.exe	28
PID 1432 wrote to memory of 2980	1432	093de472c91e1d33550c94077d9d5ece.exe	28
PID 1432 wrote to memory of 2828	1432	093de472c91e1d33550c94077d9d5ece.exe	29
PID 1432 wrote to memory of 2828	1432	093de472c91e1d33550c94077d9d5ece.exe	29
PID 1432 wrote to memory of 2828	1432	093de472c91e1d33550c94077d9d5ece.exe	29
PID 1432 wrote to memory of 2828	1432	093de472c91e1d33550c94077d9d5ece.exe	29

C:\Users\Admin\AppData\Local\Temp\093de472c91e1d33550c94077d9d5ece.exe
"C:\Users\Admin\AppData\Local\Temp\093de472c91e1d33550c94077d9d5ece.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2980
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
2004bcee923b0e0222f4cab87c2c2a3d

SHA1
0a3c122b7cfe403403d913ecc1b328480b1bfc2a

SHA256
f92f08df2b65e2f5b5db141c99b098c8b077c0c853a1fd51bfcc6d40dc68ad77

SHA512
cae47a4dfdb942622ebca65d57e9d80c29cb299aa8c217983e34a51655c2e96ed26c7fa2fad978b6279ed4d3c8c0571e417c60152bf66a116f67d0fe38d6a445

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
721B

MD5
968df8db17e6453470e388ed65127c8a

SHA1
4194115feee57b1514f3518edb22f3744a6a38f0

SHA256
da42abb1d666f48456b5ee8bf45782c60592be7b194707ae618adbcca98c0747

SHA512
cc8d2d7f424dd123d1ef9526d4a2276e0e1df7edcbf2e560fd258f6f3a7a815bf36f2bdf5baf86412dce48e888e25189ea79e0d775712d4338d9cee6bdb8f9d8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
558KB

MD5
8eb1f20ef0150c7389af22f0fa9b5cae

SHA1
5b9652469d7bcdb1a3d4630d0ec50074f864cc4a

SHA256
b06e86dd47d9eeb06de4f42a0052e004f79ee988a1c451aa3a8f2568fa218055

SHA512
7c90190ced190a806a4919b60dc0c30244f03b4e72842b49542a17bf3ccb03a494630db15b1f58b9eebf51f50ed2e5922edec6453936ff9e63ddb25a1ba37ce2

Download Submit
memory/1432-0-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/1432-16-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/1432-18-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/1432-20-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/1432-22-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/1432-23-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads