8e18ce0fcf3a245cd6c93befaac0b7c9ec9da415dbfe2dcd5460af71d01a9883

General

Target

2fd909b0064cfb45888c0e2ed57057af.exe
Size

134KB
MD5

2fd909b0064cfb45888c0e2ed57057af
SHA1

8025a807f067e975467fc6f01fb5ea80706ace35
SHA256

8e18ce0fcf3a245cd6c93befaac0b7c9ec9da415dbfe2dcd5460af71d01a9883
SHA512

32023b34503ad33093d17238992855de938daab54bb2a97df7f92264fe24074944d3891cd031d05a579caead58ce96396c2b2aa266b5d7ee5d33dbc3528e2d6c
SSDEEP

3072:Dxaw7lEvFCsE8uKqMJBrHnsAWNqubkdBytQlaVrAUdB1/:TlFstuKqMJ9Hn5WNqub/tpV841

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1776	trys.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2896-1-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2896-47-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2896-49-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2896-85-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2896-31578-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2896-315511-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/760-315518-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/760-315515-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/760-315514-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/760-315513-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/760-315508-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/760-315504-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/760-315502-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000e000000012321-315549.dat	upx
behavioral1/memory/1776-315555-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/760-315543-0x00000000033D0000-0x0000000003440000-memory.dmp	upx
behavioral1/memory/1776-315568-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/1776-315608-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/1776-315638-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/760-327724-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1776-345274-0x0000000000400000-0x0000000000470000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ineter Mc = "C:\\Windows\\trys.exe"	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2fd909b0064cfb45888c0e2ed57057af.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2896 set thread context of 760	2896	2fd909b0064cfb45888c0e2ed57057af.exe	30

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\trys.exe	2fd909b0064cfb45888c0e2ed57057af.exe
File opened for modification	C:\Windows\trys.exe	2fd909b0064cfb45888c0e2ed57057af.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2896	2fd909b0064cfb45888c0e2ed57057af.exe
760	2fd909b0064cfb45888c0e2ed57057af.exe
1776	trys.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 760	2896	2fd909b0064cfb45888c0e2ed57057af.exe	30
PID 2896 wrote to memory of 760	2896	2fd909b0064cfb45888c0e2ed57057af.exe	30
PID 2896 wrote to memory of 760	2896	2fd909b0064cfb45888c0e2ed57057af.exe	30
PID 2896 wrote to memory of 760	2896	2fd909b0064cfb45888c0e2ed57057af.exe	30
PID 2896 wrote to memory of 760	2896	2fd909b0064cfb45888c0e2ed57057af.exe	30
PID 2896 wrote to memory of 760	2896	2fd909b0064cfb45888c0e2ed57057af.exe	30
PID 2896 wrote to memory of 760	2896	2fd909b0064cfb45888c0e2ed57057af.exe	30
PID 2896 wrote to memory of 760	2896	2fd909b0064cfb45888c0e2ed57057af.exe	30
PID 760 wrote to memory of 2180	760	2fd909b0064cfb45888c0e2ed57057af.exe	34
PID 760 wrote to memory of 2180	760	2fd909b0064cfb45888c0e2ed57057af.exe	34
PID 760 wrote to memory of 2180	760	2fd909b0064cfb45888c0e2ed57057af.exe	34
PID 760 wrote to memory of 2180	760	2fd909b0064cfb45888c0e2ed57057af.exe	34
PID 2180 wrote to memory of 2084	2180	cmd.exe	33
PID 2180 wrote to memory of 2084	2180	cmd.exe	33
PID 2180 wrote to memory of 2084	2180	cmd.exe	33
PID 2180 wrote to memory of 2084	2180	cmd.exe	33
PID 760 wrote to memory of 1776	760	2fd909b0064cfb45888c0e2ed57057af.exe	32
PID 760 wrote to memory of 1776	760	2fd909b0064cfb45888c0e2ed57057af.exe	32
PID 760 wrote to memory of 1776	760	2fd909b0064cfb45888c0e2ed57057af.exe	32
PID 760 wrote to memory of 1776	760	2fd909b0064cfb45888c0e2ed57057af.exe	32

C:\Users\Admin\AppData\Local\Temp\2fd909b0064cfb45888c0e2ed57057af.exe
"C:\Users\Admin\AppData\Local\Temp\2fd909b0064cfb45888c0e2ed57057af.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\2fd909b0064cfb45888c0e2ed57057af.exe
  "C:\Users\Admin\AppData\Local\Temp\2fd909b0064cfb45888c0e2ed57057af.exe"
  2⤵
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Windows\trys.exe
    "C:\Windows\trys.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\WVJKF.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2180

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Ineter Mc" /t REG_SZ /d "C:\Windows\trys.exe" /f
1⤵
- Adds Run key to start application
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WVJKF.bat

Filesize
115B

MD5
721f40b829b989f3ed90feba41b75b51

SHA1
0bc3e723b65a94c6ffbb8e0b32c9aaa24d10fefd

SHA256
641cbc8ccc1d7ffe1030ff40ea930cad57a855c5fa275bff57745b62d4545a15

SHA512
d11fa35712baa83380b1515242d85c1ce84ade1bd3e62144906b40c6e2d42c748d7813faaf05e5514048be3ae47fb29986e0a808c93eabf7128f31300c4d972f

Download Submit
C:\Windows\trys.exe

Filesize
134KB

MD5
a58f7aae8dc8d2f60cb36d7129b79213

SHA1
37b8c6533b801aefbc9457e1dc0b099b8ad1aed3

SHA256
2f7c6a6955be912146dc8210e9ca024eb4ff9cd76a299ee50d58f04b19f4aa99

SHA512
fc0e70a0cb40a911ad9c8018d9585eba2b60cb7a79100a15bc58842ced74042f7ec80203160bc4c6369d4fff84a3a24412b48bce115437814b83a01a0c6dc505

Download Submit
memory/760-315500-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/760-315506-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/760-327724-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/760-315543-0x00000000033D0000-0x0000000003440000-memory.dmp

Filesize
448KB

Download
memory/760-345272-0x00000000033D0000-0x0000000003440000-memory.dmp

Filesize
448KB

Download
memory/760-315518-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/760-315515-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/760-315514-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/760-315513-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/760-315554-0x00000000033D0000-0x0000000003440000-memory.dmp

Filesize
448KB

Download
memory/760-315508-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/760-315551-0x00000000033D0000-0x0000000003440000-memory.dmp

Filesize
448KB

Download
memory/760-315504-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/760-315502-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/760-345270-0x00000000033D0000-0x0000000003440000-memory.dmp

Filesize
448KB

Download
memory/760-337491-0x00000000033D0000-0x0000000003440000-memory.dmp

Filesize
448KB

Download
memory/760-337488-0x00000000033D0000-0x0000000003440000-memory.dmp

Filesize
448KB

Download
memory/760-315552-0x00000000033D0000-0x0000000003440000-memory.dmp

Filesize
448KB

Download
memory/1776-315638-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1776-315555-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1776-345274-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1776-384019-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/1776-315568-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1776-315608-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2896-315510-0x00000000026D0000-0x0000000002740000-memory.dmp

Filesize
448KB

Download
memory/2896-327722-0x00000000026D0000-0x0000000002740000-memory.dmp

Filesize
448KB

Download
memory/2896-47-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2896-85-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2896-49-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2896-1-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2896-315511-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2896-31578-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2896-3-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads