24a5dfdd46040c38afdd85c6ecb248abdce920b48d423f0b803ee5e30d284375

General

Target

07a55baff3f0989cff1932de7c2187ed.exe
Size

186KB
MD5

07a55baff3f0989cff1932de7c2187ed
SHA1

cc30f57cbd65b98734158f9734d092fb4f65d801
SHA256

24a5dfdd46040c38afdd85c6ecb248abdce920b48d423f0b803ee5e30d284375
SHA512

b7b0ef41f0a1fb2c880c6beff907d9980aeee0b14c4ec71d920497f709fe7778ca95e54d1a8c8f9cae392ece1bb39ccce8fb3040ea9858afc2e6380b8c556018
SSDEEP

3072:DXsEMh4Qi7+x8a4f58GgyQl3RGzD6uiushKnsQjY4PwUsOUIgESo6OJ4:DXsEHQiI8acMlAsuY0OUhzSoY

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
896	ins2312.exe

Loads dropped DLL 4 IoCs

pid	Process
2304	07a55baff3f0989cff1932de7c2187ed.exe
2304	07a55baff3f0989cff1932de7c2187ed.exe
2304	07a55baff3f0989cff1932de7c2187ed.exe
2304	07a55baff3f0989cff1932de7c2187ed.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2304-0-0x0000000000960000-0x00000000009D9000-memory.dmp	upx
behavioral1/memory/896-20-0x00000000002A0000-0x00000000002E0000-memory.dmp	upx
behavioral1/memory/2304-21-0x0000000000960000-0x00000000009D9000-memory.dmp	upx
behavioral1/memory/2304-26-0x0000000000960000-0x00000000009D9000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
896	ins2312.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	896	ins2312.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
896	ins2312.exe
896	ins2312.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 896	2304	07a55baff3f0989cff1932de7c2187ed.exe	15
PID 2304 wrote to memory of 896	2304	07a55baff3f0989cff1932de7c2187ed.exe	15
PID 2304 wrote to memory of 896	2304	07a55baff3f0989cff1932de7c2187ed.exe	15
PID 2304 wrote to memory of 896	2304	07a55baff3f0989cff1932de7c2187ed.exe	15
PID 2304 wrote to memory of 896	2304	07a55baff3f0989cff1932de7c2187ed.exe	15
PID 2304 wrote to memory of 896	2304	07a55baff3f0989cff1932de7c2187ed.exe	15
PID 2304 wrote to memory of 896	2304	07a55baff3f0989cff1932de7c2187ed.exe	15

C:\Users\Admin\AppData\Local\Temp\07a55baff3f0989cff1932de7c2187ed.exe
"C:\Users\Admin\AppData\Local\Temp\07a55baff3f0989cff1932de7c2187ed.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\n2312\ins2312.exe
  "C:\Users\Admin\AppData\Local\Temp\n2312\ins2312.exe" ins.exe /t102c65da4b9349e0615e908f6c7c28 /e12028019 /u17e89388-634a-11e3-b23b-80c16e6f498c
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n2312\ins2312.exe

Filesize
62KB

MD5
133c534f534099fbeb6d9508014388d1

SHA1
4ba9794f3b8b00c9b48fbf841e912c19f0402f01

SHA256
83e2b9ce6b95f20ed5cce74aa6df646a52725d1dde00e980cd259b048c9e120e

SHA512
83c2caebf67113b68e5bf50c054c3fb89ef945c961e0545772ca2579dc482ba65a4751dc627c93fc344b27e50d28e13ec4229e95272b490199a25a733045dd40

Download Submit
C:\Users\Admin\AppData\Local\Temp\n2312\ins2312.exe

Filesize
67KB

MD5
5ef34072035f29418e5000f58b134eba

SHA1
1536da614f66965ae7fd32ff92a61d55b5da9799

SHA256
397b4d7d8232b56217f21e2d6ee4719ae3c6461be0e9022fecd239a1028dcb41

SHA512
ff8d80f691ac394109a01c8839369a689521f2e6b5f3619803f4d7379bd381ab6cc1ff22d0f32582fc538d45c95d86120921f085083fe59f5ff9803c082b11dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\n2312\ins2312.exe

Filesize
136KB

MD5
892ed108f00e85e09a7eabd74c50f0fb

SHA1
ed412572426a6e82c6c1d5580e067b93425f246e

SHA256
7cd4196b4e5e038dd013474c6b31bbb001476021fa282c8d58390e71f993577d

SHA512
619acd23d0c991617b4614b36f6d6d2f83f1d60247ea7f4dbf284d50f03de219dbde19fcf699238a5c22db1ca7ecbc41b0e4f74d2cccc9f0094e504e74f9ad92

Download Submit
\Users\Admin\AppData\Local\Temp\n2312\ins2312.exe

Filesize
47KB

MD5
1b5b3cc011fc4ac151bb98e881191282

SHA1
8d45401b062b76cd518742d762dabbfb6ff5373d

SHA256
365b7e0569bcf8dd714aea70da4ec81f2bc71b31b06bd38cfeaf282121641f6f

SHA512
f60c98045a9148457990ddb3f3a21d794236608b734457b7a35f65a9b08a3821baaae1511928a6c2499ee1923a53ba3db88d3bb558928e222530545b35e9d0be

Download Submit
\Users\Admin\AppData\Local\Temp\n2312\ins2312.exe

Filesize
61KB

MD5
56dc6ba5ef05ec25239747026cd54f0f

SHA1
ec1ca4f04b4424836c372e7823b5493838208fbd

SHA256
18d36f934d2cdf4eac7fe913a221d63f217c31609f0a49bdfa8c810fb3d27ed2

SHA512
03e6ed413d5e804016e56679248077e0069832d19f90e4531e4e8335a3fa64af60ec425d08f141c3d8b0048c2c3de9bc6d69eff75593ee00bc996c421418be32

Download Submit
\Users\Admin\AppData\Local\Temp\n2312\ins2312.exe

Filesize
52KB

MD5
0f8d8c88d49dfdea376903e838cd5963

SHA1
a33195c49f5dfd6322cf5dd93b68a09145266d23

SHA256
46ab7d1f5c5e1d99e758eeadbe4ffe66d9e0b24c081bbe3d82d1bdcfb8819563

SHA512
86cccf28e195020ffbfe14f36ea1e0061c62809f4a336bc4f80c234fbddab94b9a8d76da35316546a97773a8513e22ba29f5b7314b17fa4f1da380c1782243f2

Download Submit
\Users\Admin\AppData\Local\Temp\n2312\ins2312.exe

Filesize
173KB

MD5
5c674c333ec4a5f37a594b8443b06687

SHA1
85a0f6fc00d7e22270e5f6bb9e7e8b002c74e0c6

SHA256
7c75261fd0099cb8dae538c7729d4a818cfa673e64e29b27ee10b5d3bc51e9d1

SHA512
8d4ffc32ce7ff42a5da8e882502ca6a43290ae84ef3ec01be481b375d59a1424273f668c18821b820b77fbf94743c3cdb8bddd5720186f7d3718f51494729024

Download Submit
memory/896-18-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/896-17-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/896-19-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/896-20-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/896-23-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/896-24-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/896-25-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/2304-5-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/2304-0-0x0000000000960000-0x00000000009D9000-memory.dmp

Filesize
484KB

Download
memory/2304-21-0x0000000000960000-0x00000000009D9000-memory.dmp

Filesize
484KB

Download
memory/2304-22-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/2304-26-0x0000000000960000-0x00000000009D9000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing