bd284862b9c40907cb8e8fcc25122dbb95066ccfce453d9244a44e102a45ff26

General

Target

3bb0f7d1717c35600768f7d561a314a8.exe
Size

2.3MB
MD5

3bb0f7d1717c35600768f7d561a314a8
SHA1

49c73c3f6cda798fef0bde61c3a8480d0a7c8a79
SHA256

bd284862b9c40907cb8e8fcc25122dbb95066ccfce453d9244a44e102a45ff26
SHA512

05a266dad80b4717429c995f96f0ed76c319e99c62a732d628a3c0708fd825b696ac4564716cca17c27bb7f12ea4a59302fe939b1557a8d693c6f2e7c63ce06a
SSDEEP

24576:J7FosV8/Q8z9Gh8jyQ3s1smCkv6oqpumCkv6Pu4/QJQHCkv6oqpumCkv6PurCkx:8/p9GijymsepA66pA6m4/erA66pA6m+g

Score

8^/10

persistence upx

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ms.sys\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ms.sys"	i.exe

Executes dropped EXE 1 IoCs

pid	Process
2736	i.exe

Loads dropped DLL 2 IoCs

pid	Process
2444	3bb0f7d1717c35600768f7d561a314a8.exe
2444	3bb0f7d1717c35600768f7d561a314a8.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2444-0-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral1/files/0x000b000000012242-3.dat	upx
behavioral1/memory/2736-12-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral1/memory/2444-11-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral1/files/0x000b000000012242-10.dat	upx
behavioral1/files/0x000b000000012242-9.dat	upx
behavioral1/files/0x000b000000012242-6.dat	upx
behavioral1/memory/2444-5-0x0000000002E00000-0x0000000002EFF000-memory.dmp	upx
behavioral1/memory/2736-26-0x0000000000400000-0x00000000004FF000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2736	i.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	i.exe
Token: SeLoadDriverPrivilege	2736	i.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2736	i.exe
2736	i.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2736	i.exe
2736	i.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2736	i.exe
2736	i.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2736	2444	3bb0f7d1717c35600768f7d561a314a8.exe	28
PID 2444 wrote to memory of 2736	2444	3bb0f7d1717c35600768f7d561a314a8.exe	28
PID 2444 wrote to memory of 2736	2444	3bb0f7d1717c35600768f7d561a314a8.exe	28
PID 2444 wrote to memory of 2736	2444	3bb0f7d1717c35600768f7d561a314a8.exe	28
PID 2736 wrote to memory of 2792	2736	i.exe	31
PID 2736 wrote to memory of 2792	2736	i.exe	31
PID 2736 wrote to memory of 2792	2736	i.exe	31
PID 2736 wrote to memory of 2792	2736	i.exe	31

C:\Users\Admin\AppData\Local\Temp\3bb0f7d1717c35600768f7d561a314a8.exe
"C:\Users\Admin\AppData\Local\Temp\3bb0f7d1717c35600768f7d561a314a8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Local\Temp\i.exe
  C:\Users\Admin\AppData\Local\Temp\i.exe -run
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\i.bat" "
    3⤵
    PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\i.exe

Filesize
894KB

MD5
efedfd528da80c363bc6eef902a74e6f

SHA1
5ad7917ef7963a6aa8f747b2798de332c7cb6923

SHA256
ed8cc68cdf1fbc9251a58871d38428411710ce4b96a67cfdd7be47d2b598382a

SHA512
f3db4435cfa9e47d232a5d298cd1e7008ebdf2c6cecf4334858b20bd52fa2e817702a2dbe705a03f22c7770f59657a381e2b8dbb562e2b49aff16717ca18f1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\i.exe

Filesize
1.1MB

MD5
f55de6582b15bd9d6cab83e162a67383

SHA1
b0616ff11c67824cf17356a3e76d7f1f13ba79a9

SHA256
0a306c0058a4bac2e788f351f0deb4d240090432094db1fa446f0ef57de920c5

SHA512
d563ee77088e8de39c4c51c435e8bed9f71b0e4290d8cbfee067b20eff3d660fa2d08172dfb97f031a33eef422397b1ef14515dd8a862fd30b09ec48a4fddf5b

Download Submit
\Users\Admin\AppData\Local\Temp\i.exe

Filesize
1.5MB

MD5
8d29ddde96ba8551b50a4b115d794c40

SHA1
7f8b95f5154643c8c8e52ddd9a2feb13877847e5

SHA256
f5769fdd5e272862f526eb2107c7e2a51370a4e5ea792a4157f5530cb6d28c71

SHA512
17b5418705ab1cbf675dbcd851ecb9593ad652786cb8b85ff5bc28cb77fedd9da3b0687aa6cf8a28e24017cee82c8e7ecac783ace4d9f57a5b88e909c6423f7d

Download Submit
\Users\Admin\AppData\Local\Temp\i.exe

Filesize
1.4MB

MD5
ea975f01dc473cf723f765688ad0f423

SHA1
1dc9f0ee43e86f508c8b9f7b2f759eeeb0a0f535

SHA256
24eceae949f2dd15cd8d8598f322e435039280991e3eef699ce735c2ce59cb80

SHA512
b6ae724db0154ce967eee169422e1d29283501c790c37420fad510a4d277efdea183b9e2bb9538df98dae3d707b315da5cff484254fda7f87c8e3fd1dc556390

Download Submit
memory/2444-0-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2444-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2444-11-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2444-5-0x0000000002E00000-0x0000000002EFF000-memory.dmp

Filesize
1020KB

Download
memory/2736-15-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2736-12-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2736-26-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads