e45ddd68e2c71abb60d8043944ce184e0caa8c78ae4745bb7b765baad45823ca

General

Target

7f760c43c35d460c2a6881107f75e425.exe
Size

250KB
MD5

7f760c43c35d460c2a6881107f75e425
SHA1

e16a5eeb71a6d37c5035693d446196cbde7d4d28
SHA256

e45ddd68e2c71abb60d8043944ce184e0caa8c78ae4745bb7b765baad45823ca
SHA512

218968e5c59d88da67b2d01c21d189de5e75f324bcd45079c049d748d98d9e90b033c30310f7d294d394c78a946af5a94d1ed0484bc8d30ad64a8e0a7938c0e3
SSDEEP

6144:0hieuJDr5T8b2ufqBLjSB/MS7irtIa6cwoD8ZroSfjGFA:VeKrJJuf86AYcwoaoSbr

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2924-0-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral1/memory/2924-35-0x0000000000400000-0x00000000004B1000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2924-35-0x0000000000400000-0x00000000004B1000-memory.dmp	autoit_exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WinRAR\winrar.jse	7f760c43c35d460c2a6881107f75e425.exe
File created	C:\Program Files\WinRAR\winrar.jse	7f760c43c35d460c2a6881107f75e425.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 21 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mmc\ = "mmcfile"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\ = "¿ì½Ý·½Ê½"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\CLSID\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\open\CLSID = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex\IconHandler	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex\ContextMenuHandlers	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\NeverShowExt	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\ = "open"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\open\command	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\open\command\ = "WScript.exe \"C:\\Program Files (x86)\\Winrar\\winrar.jse\" \"%1\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex\ContextMenuHandlers\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\DefaultIcon	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\CLSID	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\open	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex\IconHandler\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mmc	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\IsShortcut	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2540	PING.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2924	7f760c43c35d460c2a6881107f75e425.exe
2924	7f760c43c35d460c2a6881107f75e425.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2924	7f760c43c35d460c2a6881107f75e425.exe
2924	7f760c43c35d460c2a6881107f75e425.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 1684	2924	7f760c43c35d460c2a6881107f75e425.exe	17
PID 2924 wrote to memory of 1684	2924	7f760c43c35d460c2a6881107f75e425.exe	17
PID 2924 wrote to memory of 1684	2924	7f760c43c35d460c2a6881107f75e425.exe	17
PID 2924 wrote to memory of 1684	2924	7f760c43c35d460c2a6881107f75e425.exe	17

C:\Users\Admin\AppData\Local\Temp\7f760c43c35d460c2a6881107f75e425.exe
"C:\Users\Admin\AppData\Local\Temp\7f760c43c35d460c2a6881107f75e425.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files\WinRAR\winrar.jse"
  2⤵
  - Modifies registry class
  PID:1684
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.go2000.com/?g8
    3⤵
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -n 4 127.1>nul &del /q "C:\Users\Admin\AppData\Local\Temp\7f760c43c35d460c2a6881107f75e425.exe"
  2⤵
  PID:2468

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:275457 /prefetch:2
1⤵
PID:2832

C:\Windows\SysWOW64\PING.EXE
ping -n 4 127.1
1⤵
- Runs ping.exe
PID:2540

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\winrar.jse

Filesize
11KB

MD5
9208c38b58c7c7114f3149591580b980

SHA1
8154bdee622a386894636b7db046744724c3fc2b

SHA256
cb1b908e509020904b05dc6e4ec17d877d394eb60f6ec0d993ceba5839913a0c

SHA512
a421c6afa6d25185ec52a8218bddf84537407fd2f6cabe38c1be814d97920cfff693a48b4f48eb30c98437cbbb8ad30ccd28c3b4b7c24379ef36ac361ddfdbf1

Download Submit
memory/2720-240-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/2720-845-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/2720-1306-0x0000000003D60000-0x0000000003D70000-memory.dmp

Filesize
64KB

Download
memory/2924-0-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2924-35-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download

Analysis

Sharing