2a60eb4e064ef7da65c69790df433c8774e8f18ef29d12f148d01e0002d59a3f

General

Target

5ba4428428af3443cf2850281cb42733.exe
Size

310KB
MD5

5ba4428428af3443cf2850281cb42733
SHA1

2ccdd810a311f4dc5c5fef60d44396a6ff5088ee
SHA256

2a60eb4e064ef7da65c69790df433c8774e8f18ef29d12f148d01e0002d59a3f
SHA512

08d19e9550cf21ae33618bff62ad0fb23667f2394596d90572f2aadfc36489e607e39495da034a92a5118c55c4143e7a95533566dcebf0ece5057265ef9b2003
SSDEEP

6144:BYDau9n2z+Luag/AGPt/QpAGaeBY4NVYv6mlp18aCUYyVrTtLE:qWukz+Lu35Pt/GAGNNxmlX8aCcVrT5E

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2900-0-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/2900-15-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/2848-6-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/2848-16-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/2848-18-0x0000000000400000-0x00000000004BB000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer = "C:\\Windows\\Explorer32DLL.exe"	5ba4428428af3443cf2850281cb42733.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Explorer = "C:\\Windows\\Explorer32DLL.exe"	5ba4428428af3443cf2850281cb42733.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2900-15-0x0000000000400000-0x00000000004BB000-memory.dmp	autoit_exe
behavioral1/memory/2848-6-0x0000000000400000-0x00000000004BB000-memory.dmp	autoit_exe
behavioral1/memory/2848-16-0x0000000000400000-0x00000000004BB000-memory.dmp	autoit_exe
behavioral1/memory/2848-18-0x0000000000400000-0x00000000004BB000-memory.dmp	autoit_exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Explorer32DLL.exe	5ba4428428af3443cf2850281cb42733.exe
File opened for modification	C:\Windows\Explorer32DLL.exe	5ba4428428af3443cf2850281cb42733.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2808	2676	WerFault.exe	19

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2848	2900	5ba4428428af3443cf2850281cb42733.exe	18
PID 2900 wrote to memory of 2848	2900	5ba4428428af3443cf2850281cb42733.exe	18
PID 2900 wrote to memory of 2848	2900	5ba4428428af3443cf2850281cb42733.exe	18
PID 2900 wrote to memory of 2848	2900	5ba4428428af3443cf2850281cb42733.exe	18
PID 2900 wrote to memory of 2676	2900	5ba4428428af3443cf2850281cb42733.exe	19
PID 2900 wrote to memory of 2676	2900	5ba4428428af3443cf2850281cb42733.exe	19
PID 2900 wrote to memory of 2676	2900	5ba4428428af3443cf2850281cb42733.exe	19
PID 2900 wrote to memory of 2676	2900	5ba4428428af3443cf2850281cb42733.exe	19
PID 2900 wrote to memory of 2676	2900	5ba4428428af3443cf2850281cb42733.exe	19
PID 2900 wrote to memory of 2676	2900	5ba4428428af3443cf2850281cb42733.exe	19
PID 2900 wrote to memory of 2676	2900	5ba4428428af3443cf2850281cb42733.exe	19
PID 2676 wrote to memory of 2808	2676	5ba4428428af3443cf2850281cb42733.exe	21
PID 2676 wrote to memory of 2808	2676	5ba4428428af3443cf2850281cb42733.exe	21
PID 2676 wrote to memory of 2808	2676	5ba4428428af3443cf2850281cb42733.exe	21
PID 2676 wrote to memory of 2808	2676	5ba4428428af3443cf2850281cb42733.exe	21

C:\Users\Admin\AppData\Local\Temp\5ba4428428af3443cf2850281cb42733.exe
"C:\Users\Admin\AppData\Local\Temp\5ba4428428af3443cf2850281cb42733.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\5ba4428428af3443cf2850281cb42733.exe
  C:\Users\Admin\AppData\Local\Temp\5ba4428428af3443cf2850281cb42733.exe /AutoIt3ExecuteLine "MsgBox('32', 'ROFL', 'DAS IST EIN LOOOOL :D Haha')"
  2⤵
  PID:2848
- C:\Users\Admin\AppData\Local\Temp\5ba4428428af3443cf2850281cb42733.exe
  "C:\Users\Admin\AppData\Local\Temp\5ba4428428af3443cf2850281cb42733.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 36
    3⤵
    - Program crash
    PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2676-3-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2676-14-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2676-12-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2676-10-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2676-7-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2676-17-0x0000000000400000-0x0000000000402400-memory.dmp

Filesize
9KB

Download
memory/2848-6-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2848-16-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2848-18-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2900-4-0x00000000036F0000-0x00000000037AB000-memory.dmp

Filesize
748KB

Download
memory/2900-8-0x0000000003A60000-0x0000000003B1B000-memory.dmp

Filesize
748KB

Download
memory/2900-15-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2900-0-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads