a217823069ebb747fd86e5e4d4a2d41b27ffc6d48fdfbd04dd3ba550f26fb7d6

General

Target

1fd17abb1a0e8eff6031a5140870c155.exe
Size

928KB
MD5

1fd17abb1a0e8eff6031a5140870c155
SHA1

1e4dce9c3d6db3616e0a757524387ec5d7d6b608
SHA256

a217823069ebb747fd86e5e4d4a2d41b27ffc6d48fdfbd04dd3ba550f26fb7d6
SHA512

5370244df83c3865d371cf5bfbc455c32c27fd3735068650e11969ec71b6f992d2a4c179a025200976bf815e57c4fbcef6e882711e4b835d628738e82772e2c0
SSDEEP

24576:ih63DSP3ZP/jXRKT3h3pcWE4fq5iq/cPGvH36mxFL73sxwmQLNozu0MkWtoYfR:J65jXRKT3PctRPX36mjL7cCtyN/bY

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2176	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2888	963079270.exe

Loads dropped DLL 3 IoCs

pid	Process
2176	cmd.exe
2888	963079270.exe
2888	963079270.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1640-1-0x0000000001000000-0x0000000001575000-memory.dmp	upx
behavioral1/files/0x0008000000012254-21.dat	upx
behavioral1/files/0x0008000000012254-20.dat	upx
behavioral1/memory/2888-24-0x0000000001000000-0x0000000001575000-memory.dmp	upx
behavioral1/files/0x0008000000012254-19.dat	upx
behavioral1/files/0x0008000000012254-27.dat	upx
behavioral1/files/0x0008000000012254-32.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\963079270 = "\"C:\\Users\\Admin\\AppData\\Local\\963079270.exe\" 0 29 "	963079270.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\1fd17abb1a0e8eff6031a5140870c155 = "\"C:\\Users\\Admin\\AppData\\Local\\963079270.exe\" 0 33 "	1fd17abb1a0e8eff6031a5140870c155.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2852	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2888	963079270.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2888	963079270.exe
2888	963079270.exe
2888	963079270.exe
2888	963079270.exe
2888	963079270.exe
2888	963079270.exe
2888	963079270.exe
2888	963079270.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2888	963079270.exe
2888	963079270.exe
2888	963079270.exe
2888	963079270.exe
2888	963079270.exe
2888	963079270.exe
2888	963079270.exe
2888	963079270.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2176	1640	1fd17abb1a0e8eff6031a5140870c155.exe	29
PID 1640 wrote to memory of 2176	1640	1fd17abb1a0e8eff6031a5140870c155.exe	29
PID 1640 wrote to memory of 2176	1640	1fd17abb1a0e8eff6031a5140870c155.exe	29
PID 1640 wrote to memory of 2176	1640	1fd17abb1a0e8eff6031a5140870c155.exe	29
PID 2176 wrote to memory of 2852	2176	cmd.exe	30
PID 2176 wrote to memory of 2852	2176	cmd.exe	30
PID 2176 wrote to memory of 2852	2176	cmd.exe	30
PID 2176 wrote to memory of 2852	2176	cmd.exe	30
PID 2176 wrote to memory of 2888	2176	cmd.exe	31
PID 2176 wrote to memory of 2888	2176	cmd.exe	31
PID 2176 wrote to memory of 2888	2176	cmd.exe	31
PID 2176 wrote to memory of 2888	2176	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\1fd17abb1a0e8eff6031a5140870c155.exe
"C:\Users\Admin\AppData\Local\Temp\1fd17abb1a0e8eff6031a5140870c155.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\3021676.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v 1fd17abb1a0e8eff6031a5140870c155 /f
    3⤵
    - Modifies registry key
    PID:2852
- - C:\Users\Admin\AppData\Local\963079270.exe
    C:\Users\Admin\AppData\Local\963079~1.EXE -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\963079270.exe

Filesize
284KB

MD5
b6bae5f5f786d218a7e6ce7b3e3607a8

SHA1
614e356c0db2631a1f071c129a5850533c1337e3

SHA256
daf773809c10fd475a17d8386a340cfc1c46b219bf9dd2aba97169aeaa4188cf

SHA512
73030c2bdf33eeda1fed76a5270d1f65e78ca98a501d32753f209c89cc477d113bf0eeb77d937c1de5170ce2f484d4f977a12f8073eb9f68c775e5ecc851ef80

Download Submit
C:\Users\Admin\AppData\Local\963079270.exe

Filesize
271KB

MD5
ea92248cc5ed5c39ae763e24c54695d2

SHA1
74bee7a653c5b4d23a55a862dc1a96ab47f15024

SHA256
4962252a1220eb6eaee1b2ecb5d1da95483b745145a64a89ee2b3b3616d899db

SHA512
8a50118f1155acfb86379acb149e34a87ec3f8a77bcc386c0e88bd1d842fb928ba0d76678f42568213aec72bcac2966b298aa9b488292f04f5f0bbf9848cf0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3021676.bat

Filesize
425B

MD5
21286e99891dc8613dbed963a33e6889

SHA1
54baf0571f15d1359318c4b9266c58b0bfac06d7

SHA256
1b0a4640e5c030cd4c335370253bbb41d6b717e0de63e143e474285db28e10b4

SHA512
cfcda33a87fc35c95d53ce8bd110c40b9141a8e3da4bf5c7d430447481378fa2221d664f6e88d9dd198227fa6cb9dbda06765bb2ed6728deea5049ecb926411f

Download Submit
\Users\Admin\AppData\Local\963079270.exe

Filesize
94KB

MD5
4c148eb9efee1a2e423d5b39dba1d075

SHA1
46bb568de10ee09b6fdd75e99dfa1927eb5461ad

SHA256
030cbd66749dd8139fc26c77e32d153764663a5a759dc65e647d9d463867d038

SHA512
84a92a3157ad824b4df59c9939fd3021ab863f753e83347b940e9142c40d2be5ba554626a531d058e56388460f928bf4c9e084fc66aa6d06053337d93488965f

Download Submit
\Users\Admin\AppData\Local\963079270.exe

Filesize
431KB

MD5
f475d40bdda9e5ad3de956b2090287f3

SHA1
c84f624be0cf1dd95de4e9a036b109466cf35567

SHA256
3d45c8da5ea572ebd1258442f6ca8376bafe1c00c204d519ee83231ff045697b

SHA512
60c4eacb692dc3eb3a4cfed99008166643ad9e64caccb5e47846a16590ee94be4644f674e1ff127dd22d14889e2f1ce47c36bafddf8947a853e891cc959d1244

Download Submit
\Users\Admin\AppData\Local\963079270.exe

Filesize
928KB

MD5
1fd17abb1a0e8eff6031a5140870c155

SHA1
1e4dce9c3d6db3616e0a757524387ec5d7d6b608

SHA256
a217823069ebb747fd86e5e4d4a2d41b27ffc6d48fdfbd04dd3ba550f26fb7d6

SHA512
5370244df83c3865d371cf5bfbc455c32c27fd3735068650e11969ec71b6f992d2a4c179a025200976bf815e57c4fbcef6e882711e4b835d628738e82772e2c0

Download Submit
memory/1640-5-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/1640-9-0x0000000003580000-0x0000000003AF5000-memory.dmp

Filesize
5.5MB

Download
memory/1640-6-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1640-17-0x0000000001000000-0x0000000001575000-memory.dmp

Filesize
5.5MB

Download
memory/1640-4-0x0000000001000000-0x0000000001575000-memory.dmp

Filesize
5.5MB

Download
memory/1640-3-0x0000000001000000-0x0000000001575000-memory.dmp

Filesize
5.5MB

Download
memory/1640-2-0x0000000001000000-0x0000000001575000-memory.dmp

Filesize
5.5MB

Download
memory/1640-0-0x00000000004C0000-0x00000000008F1000-memory.dmp

Filesize
4.2MB

Download
memory/1640-1-0x0000000001000000-0x0000000001575000-memory.dmp

Filesize
5.5MB

Download
memory/2176-22-0x0000000002100000-0x0000000002675000-memory.dmp

Filesize
5.5MB

Download
memory/2888-30-0x00000000032B0000-0x0000000003825000-memory.dmp

Filesize
5.5MB

Download
memory/2888-38-0x00000000032B0000-0x0000000003825000-memory.dmp

Filesize
5.5MB

Download
memory/2888-25-0x0000000001000000-0x0000000001575000-memory.dmp

Filesize
5.5MB

Download
memory/2888-31-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2888-28-0x0000000001000000-0x0000000001575000-memory.dmp

Filesize
5.5MB

Download
memory/2888-26-0x0000000001000000-0x0000000001575000-memory.dmp

Filesize
5.5MB

Download
memory/2888-34-0x0000000003970000-0x0000000003980000-memory.dmp

Filesize
64KB

Download
memory/2888-24-0x0000000001000000-0x0000000001575000-memory.dmp

Filesize
5.5MB

Download
memory/2888-35-0x0000000001000000-0x0000000001575000-memory.dmp

Filesize
5.5MB

Download
memory/2888-36-0x0000000001000000-0x0000000001575000-memory.dmp

Filesize
5.5MB

Download
memory/2888-37-0x0000000001000000-0x0000000001575000-memory.dmp

Filesize
5.5MB

Download
memory/2888-29-0x00000000002C0000-0x00000000002C2000-memory.dmp

Filesize
8KB

Download
memory/2888-41-0x0000000001000000-0x0000000001575000-memory.dmp

Filesize
5.5MB

Download
memory/2888-42-0x0000000001000000-0x0000000001575000-memory.dmp

Filesize
5.5MB

Download
memory/2888-43-0x0000000001000000-0x0000000001575000-memory.dmp

Filesize
5.5MB

Download
memory/2888-44-0x0000000001000000-0x0000000001575000-memory.dmp

Filesize
5.5MB

Download
memory/2888-45-0x0000000001000000-0x0000000001575000-memory.dmp

Filesize
5.5MB

Download
memory/2888-46-0x0000000001000000-0x0000000001575000-memory.dmp

Filesize
5.5MB

Download
memory/2888-47-0x0000000001000000-0x0000000001575000-memory.dmp

Filesize
5.5MB

Download
memory/2888-48-0x0000000001000000-0x0000000001575000-memory.dmp

Filesize
5.5MB

Download
memory/2888-49-0x0000000001000000-0x0000000001575000-memory.dmp

Filesize
5.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads