52f7af1287c4299fd4e172f60c78075264a47ef60668e2ea08da4f9353c38559

General

Target

03497796a77fc8fd57d50823f52429a1.exe
Size

133KB
MD5

03497796a77fc8fd57d50823f52429a1
SHA1

a1a3c275c80eb011e1a2b9b9996946010d997761
SHA256

52f7af1287c4299fd4e172f60c78075264a47ef60668e2ea08da4f9353c38559
SHA512

5f2329d3dcc274ff74759cc7673e1df621aca1d3c897da4e8eb2e18f8fa1409cbb4e50c7ee46f82a6ea9d1daa26f449484bc3b162ec87b748da72c820ef1b84b
SSDEEP

3072:mwqGxkdRG5leY2uFKUOHtCc2iF/kdlO8hCMvoN8s:mieRE2x9HdF/6lH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2660	msa.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2324-2-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/2324-0-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/files/0x0032000000014713-10.dat	upx
behavioral1/memory/2660-14-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/2660-13-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/files/0x0032000000014713-9.dat	upx
behavioral1/memory/2324-41239-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/2660-41240-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/2324-41241-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/files/0x0032000000014713-41242.dat	upx
behavioral1/memory/2660-41243-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/2660-41245-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/2660-41247-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/2660-41249-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/2660-41250-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/2660-41252-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/2660-41253-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/2660-41254-0x0000000000400000-0x0000000000472000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\ROUA3O12PW = "C:\\Windows\\msa.exe"	msa.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	03497796a77fc8fd57d50823f52429a1.exe
File opened for modification	C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	03497796a77fc8fd57d50823f52429a1.exe
File created	C:\Windows\msa.exe	03497796a77fc8fd57d50823f52429a1.exe
File opened for modification	C:\Windows\msa.exe	03497796a77fc8fd57d50823f52429a1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2324	03497796a77fc8fd57d50823f52429a1.exe
2660	msa.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2660	2324	03497796a77fc8fd57d50823f52429a1.exe	28
PID 2324 wrote to memory of 2660	2324	03497796a77fc8fd57d50823f52429a1.exe	28
PID 2324 wrote to memory of 2660	2324	03497796a77fc8fd57d50823f52429a1.exe	28
PID 2324 wrote to memory of 2660	2324	03497796a77fc8fd57d50823f52429a1.exe	28

C:\Users\Admin\AppData\Local\Temp\03497796a77fc8fd57d50823f52429a1.exe
"C:\Users\Admin\AppData\Local\Temp\03497796a77fc8fd57d50823f52429a1.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\msa.exe
  C:\Windows\msa.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

Filesize
344B

MD5
464703730ed854cde1dcecaeb9485665

SHA1
130bf37d71c54033a10690646d411b1cc2e26e0f

SHA256
18e744a1dee6c3109c1fb59c990aa2f9107779ccaba12c1ca9df2e240c42c46f

SHA512
83345469fa4a60c7e16d16a9328e5d4b252bd5326e6dcff0b853388061c842faf2b536cab9f81b2f5a36b86fbebda0aec7e3880de9154222cd90e2f934fc23df

Download Submit
C:\Windows\msa.exe

Filesize
26KB

MD5
04119c8a9b38c3242a1e6edd76dc3a24

SHA1
fb7f4fddf13a491b99afff0624932399398f63d3

SHA256
d8329508ae22f6e391245396f7a9e1ddf11733b4f15bdb11b1bc739cac4b4f74

SHA512
ee87f882b5c4795d27d1ee60303ff270c705f9c0fbd15e81408cdb8dec6610b84392a3dfda892938d70500abd711e84ac8af1bc218974e8827a9b34e4f0af754

Download Submit
C:\Windows\msa.exe

Filesize
58KB

MD5
52753e186045fd9817ae08443a5c65ae

SHA1
bf4a4c093716801d4edf8a245efb54da9e9c0a24

SHA256
143b43c8ee582b4d3680d28dfcf90abff2da9fb82d50060928b35468389ec2a0

SHA512
73082851b73bb01d58aaef1141e798b78d1ad5a2b3a5c54a2441dd92a2e2f20845973001b27fa8e7d87f74c1c5b2db4b07b744c7cf5b09b3a3f95a042dd8cd0e

Download Submit
C:\Windows\msa.exe

Filesize
10KB

MD5
7600cf736fc986d2e562866beb4a3e59

SHA1
e279258273c7c9c49194905aa3f8b28f00c0a500

SHA256
f33200a1229fbee68fe31d9a9016073348368630a016b11d45b4b73237f54f86

SHA512
27701f263971623a15391644848389e9578783ce770678cbb004ccb0f178f24b1328d7487feae3bf69f1f00b41388f2f6edc1218a70be08be35e10533bf7d70a

Download Submit
memory/2324-2-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2324-1-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2324-0-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2324-41241-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2324-11-0x00000000022B0000-0x0000000002322000-memory.dmp

Filesize
456KB

Download
memory/2324-41239-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2660-41240-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2660-13-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2660-14-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2660-41243-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2660-41245-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2660-41247-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2660-41249-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2660-41250-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2660-41252-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2660-41253-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2660-41254-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads