1082be0d813238d5065d3a9bc925c1265bcf365ae991d398486927e121716259

General

Target

0cb4c00f4c216bcd3bc695ee5f1297d6.exe
Size

181KB
MD5

0cb4c00f4c216bcd3bc695ee5f1297d6
SHA1

38f635568878bf724394183d295709e2b6539273
SHA256

1082be0d813238d5065d3a9bc925c1265bcf365ae991d398486927e121716259
SHA512

3f052e21816560a46bef322c72a865e054cf72e43cd274f5af6e54c80d91ac1477da98439638563c11a2e372e2a03565ad446291928514e7833f56307dfbdb34
SSDEEP

3072:KFtj9DZiop52XIGrjKSBUZWijNutqGwSMixZhAJY/UAmFSm:KFZ9DEq52hUZcYGwS/xZ7UWm

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2176	0cb4c00f4c216bcd3bc695ee5f1297d6.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2176-0-0x0000000000290000-0x0000000000306000-memory.dmp	upx
behavioral1/memory/2176-22-0x0000000000290000-0x0000000000306000-memory.dmp	upx
behavioral1/memory/2176-27-0x0000000000290000-0x0000000000306000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2872	2176	0cb4c00f4c216bcd3bc695ee5f1297d6.exe	19
PID 2176 wrote to memory of 2872	2176	0cb4c00f4c216bcd3bc695ee5f1297d6.exe	19
PID 2176 wrote to memory of 2872	2176	0cb4c00f4c216bcd3bc695ee5f1297d6.exe	19
PID 2176 wrote to memory of 2872	2176	0cb4c00f4c216bcd3bc695ee5f1297d6.exe	19

C:\Users\Admin\AppData\Local\Temp\0cb4c00f4c216bcd3bc695ee5f1297d6.exe
"C:\Users\Admin\AppData\Local\Temp\0cb4c00f4c216bcd3bc695ee5f1297d6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\n4702\ins4702.exe
  "C:\Users\Admin\AppData\Local\Temp\n4702\ins4702.exe" ins.exe /e8861235 /u4fe0cf9f-1fe4-4abb-905a-57915bc06f2f
  2⤵
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n4702\ins4702.exe

Filesize
29KB

MD5
3c4edc0f9f09bf0793f3673b80ea0079

SHA1
33b3a504b1d9ed426fcddcc06043d4054c004033

SHA256
8e7e77dffb91022e08338e4ca3879f02ad27447d20903a713f7d3a14ec33f5a9

SHA512
1133d795505a6cbf615261e0b179c9ed8382faaef45c58bd472af693f18eabb947ab7829fe3af36647d35b7058959ce7e449f44068a4fd257a1bb303ddf8997f

Download Submit
C:\Users\Admin\AppData\Local\Temp\n4702\ins4702.exe

Filesize
57KB

MD5
1ce3395c24814d6d68e5c8d1019159fb

SHA1
2b222d65a0beb88aaab59f4fda357396a40d67f7

SHA256
e07ba6a5a835e6e711ab95b995451103ac31037472503ec480dc560c6e9c7846

SHA512
3df0a91fe23287717f0a948ac6424762134f1fdbf1b321a47955357511058a507b58effa9f5624a4b75e03867054501c227f8114f817515c3ca8099ccaa6de41

Download Submit
C:\Users\Admin\AppData\Local\Temp\n4702\ins4702.exe

Filesize
29KB

MD5
3dba1f1682921e2c7ae5050679108cab

SHA1
f81cf2a16ebd4f1e285a06ce77872c1fc46e214e

SHA256
80ae7de7b62a8d79345a6f4a114743bc5755870ecac3fbf2b0e19d1ef98f0ac2

SHA512
4f6e83be87a24880f43a5c1e857764028143e8b1f35d66efc5a146a86fb56418a7a4eed8b5e994c95bbec1d3632b18daf4d454f3850f28d9c93f7995fcb5c00a

Download Submit
\Users\Admin\AppData\Local\Temp\n4702\ins4702.exe

Filesize
53KB

MD5
f53b9f08213e275f8d63b4ccee58b6c6

SHA1
075b8e26f876f4af6d33ee08e8e3052341ce3c0a

SHA256
5ab2fe870aad524a4d76e74af853248614dc13599e7ac3ba1edc661a0f75a7f9

SHA512
e459126dd010261fdfdd03ce06138f069c14013d5a2da3b548c89064a3756ae8cb38e3d162ca8b0b1d3d1c540035952b5d3bb30bd51f559d9f15c944cd0b29e4

Download Submit
\Users\Admin\AppData\Local\Temp\n4702\ins4702.exe

Filesize
85KB

MD5
a4e1d65fc6853a20ab9a8c1118272b40

SHA1
3b30439c9da59a3f8a94c8597f2d928f93182d3d

SHA256
e76d8ca6cb944f78cd56eb9ea1e0d31dd0a5e10fce2d469346338641cb64231b

SHA512
f9a5b427b47252a3e54980bb215868c9baafc3d8a609d7a9718b677c14b9cb590fb52ff04c3902c5ab729105516f563a61613007ea1bb578477d2f4c1f30b271

Download Submit
\Users\Admin\AppData\Local\Temp\n4702\ins4702.exe

Filesize
61KB

MD5
eb03ac781e705a0fba25ae43f4e4acb4

SHA1
06b59e487b4dd6d62c553c568f26b683ebda3882

SHA256
9c179b70dd53eaf654ac776783c1dd233e4815de35c0471d030c5acc81c31144

SHA512
82e9fe48b831e2fec94021e772814b34f5fb42220d507c7dbb6858b17c35eb184dcfc2183222cfe964790e5e4a08fc6572bbd487a4b9552263350cd40ab88688

Download Submit
\Users\Admin\AppData\Local\Temp\n4702\ins4702.exe

Filesize
84KB

MD5
22f2dd4a6fd7ff5ae118936847334f71

SHA1
675426d6a66b64e1bbca55b6980b3c09f671a685

SHA256
0b0979a71b802968ce1fa32abe562f33999d64ac868277d008cd5ef305b37edd

SHA512
fd84dc58da6c22eff64e24cca5dc1aa945dfe5f782d1943b42f55f4484bbae8af1c293910a5a68df88c94f8f5629e4906b96eebb525aa62d3b06a5310d4a10b1

Download Submit
memory/2176-23-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/2176-3-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/2176-22-0x0000000000290000-0x0000000000306000-memory.dmp

Filesize
472KB

Download
memory/2176-0-0x0000000000290000-0x0000000000306000-memory.dmp

Filesize
472KB

Download
memory/2176-27-0x0000000000290000-0x0000000000306000-memory.dmp

Filesize
472KB

Download
memory/2872-17-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/2872-19-0x0000000000160000-0x00000000001A0000-memory.dmp

Filesize
256KB

Download
memory/2872-18-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/2872-20-0x0000000000160000-0x00000000001A0000-memory.dmp

Filesize
256KB

Download
memory/2872-21-0x0000000000160000-0x00000000001A0000-memory.dmp

Filesize
256KB

Download
memory/2872-24-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/2872-25-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/2872-26-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing