14edc7e17f0f54eb4c750ef54e79b7241b77094ffe6d39f2a7e6d5583dead4b0

General

Target

11ea1cac1b6a156f34248849aa7907cb.exe
Size

522KB
MD5

11ea1cac1b6a156f34248849aa7907cb
SHA1

8c11db6b05f2878e263279296e8105136baebb92
SHA256

14edc7e17f0f54eb4c750ef54e79b7241b77094ffe6d39f2a7e6d5583dead4b0
SHA512

624f2f6ceebab94d66475403d4f0ccb116ac317f586b017a8c64b80caa6fa2fcfe8a324b6b5a5a6797dc9958ae41d4ed4fefe8915058b88d1131e53a19a365e0
SSDEEP

12288:wMgDksy9lYyxFSMZQ+peBI+lkHQ4jC9FfmiqZZ4C8+db:vH3YyxFhZ8rKHXcFf5qECJb

Score

7^/10

persistence upx

Malware Config

Signatures

Loads dropped DLL 5 IoCs

Processes:

11ea1cac1b6a156f34248849aa7907cb.exe

pid	process
292	11ea1cac1b6a156f34248849aa7907cb.exe
292	11ea1cac1b6a156f34248849aa7907cb.exe
292	11ea1cac1b6a156f34248849aa7907cb.exe
292	11ea1cac1b6a156f34248849aa7907cb.exe
292	11ea1cac1b6a156f34248849aa7907cb.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/292-1-0x0000000000400000-0x00000000005AF000-memory.dmp	upx
behavioral1/memory/2884-38-0x0000000000400000-0x00000000005AF000-memory.dmp	upx
behavioral1/memory/292-37-0x0000000000400000-0x00000000005AF000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe	upx
\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe	upx
\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe	upx
\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe	upx
C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe	upx
\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe	upx
behavioral1/memory/2524-51-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2524-47-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2524-46-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2884-45-0x0000000000400000-0x00000000005AF000-memory.dmp	upx
behavioral1/memory/2524-42-0x0000000000400000-0x000000000045D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe	upx
behavioral1/memory/2524-54-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2524-56-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2524-55-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2524-58-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2524-60-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2524-63-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2524-64-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2524-66-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2524-67-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\SerbianPersian = "C:\\Users\\Admin\\AppData\\Roaming\\SerbianPersia\\SerbianPersia.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

2860 reg.exe
1888 reg.exe
2856 reg.exe
2848 reg.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

11ea1cac1b6a156f34248849aa7907cb.exe

pid process

292 11ea1cac1b6a156f34248849aa7907cb.exe

pid	process
2860	reg.exe
1888	reg.exe
2856	reg.exe
2848	reg.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

11ea1cac1b6a156f34248849aa7907cb.execmd.exe

description	pid	process	target process
PID 292 wrote to memory of 1404	292	11ea1cac1b6a156f34248849aa7907cb.exe	cmd.exe
PID 292 wrote to memory of 1404	292	11ea1cac1b6a156f34248849aa7907cb.exe	cmd.exe
PID 292 wrote to memory of 1404	292	11ea1cac1b6a156f34248849aa7907cb.exe	cmd.exe
PID 292 wrote to memory of 1404	292	11ea1cac1b6a156f34248849aa7907cb.exe	cmd.exe
PID 1404 wrote to memory of 2768	1404	cmd.exe	reg.exe
PID 1404 wrote to memory of 2768	1404	cmd.exe	reg.exe
PID 1404 wrote to memory of 2768	1404	cmd.exe	reg.exe
PID 1404 wrote to memory of 2768	1404	cmd.exe	reg.exe
PID 292 wrote to memory of 2884	292	11ea1cac1b6a156f34248849aa7907cb.exe	SerbianPersia.exe
PID 292 wrote to memory of 2884	292	11ea1cac1b6a156f34248849aa7907cb.exe	SerbianPersia.exe
PID 292 wrote to memory of 2884	292	11ea1cac1b6a156f34248849aa7907cb.exe	SerbianPersia.exe
PID 292 wrote to memory of 2884	292	11ea1cac1b6a156f34248849aa7907cb.exe	SerbianPersia.exe

C:\Users\Admin\AppData\Local\Temp\11ea1cac1b6a156f34248849aa7907cb.exe
"C:\Users\Admin\AppData\Local\Temp\11ea1cac1b6a156f34248849aa7907cb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:292

C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
"C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe"
2⤵
PID:2884

C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
"C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe"
3⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\259396730.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SerbianPersian" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe" /f
1⤵
- Adds Run key to start application
PID:2768

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\i4i.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\i4i.exe:*:Enabled:Windows Messanger" /f
1⤵
PID:1120

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\i4i.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\i4i.exe:*:Enabled:Windows Messanger" /f
2⤵
- Modifies registry key
PID:2856

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
1⤵
- Modifies registry key
PID:2848

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe:*:Enabled:Windows Messanger" /f
1⤵
- Modifies registry key
PID:2860

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
1⤵
- Modifies registry key
PID:1888

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
1⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe:*:Enabled:Windows Messanger" /f
1⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
1⤵
PID:2624

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259396730.bat
Filesize
161B

MD5
fd6ff0018e5f38a1f58149ab5042d0bf

SHA1
ead83b25ace051ba0215997f54e1a5b72b33e112

SHA256
da8ef51f8e28c04cefe22ec5e08569de5cd64a984d35b4cd9b9cfab0218bf6ce

SHA512
21b2500fac940978b1d606f321dc120c33b910822b96b4a5a1c0ebd8584e207a39961d1bb7ad833112a5832d56c1a2acd0491b3b62bde8c3648296886353a256

Download Submit
C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
Filesize
452KB

MD5
89dbe79b07d30bad2c11442b3eb01ae9

SHA1
bf7e3d205af53879cc6eefd6dc04d2f7c6255a88

SHA256
ad91a604e6e890522030d6f4dd6acd391da8342be816bba9e58c9e5ee594b832

SHA512
ec2debe4d12fcb5a7bf7c892d5f193398b0a17fdda0104c58d065cbf3998babed8291f360c4595b4fb6e6763c01b7b5957f7c377e5031d832c554dea0a92a934

Download Submit
C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
Filesize
462KB

MD5
ae8995f7e79da213b5145e0e3f85bd75

SHA1
3db0e8b485bdb07fab3573f094a55cbc2f530280

SHA256
6877ea8b72a23ae38c25d871fd04df64e4c73201274e3a601fe6ee2e9a3b7745

SHA512
ede53a5e2e7f25886bb12e9b32e09db72e4ec3db2ee6483193f68efc817c6f9b8df7fed5be1e42578cf8d96622d7e952aa9484afa7ec6fb0ace334e19395cd57

Download Submit
C:\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
Filesize
96KB

MD5
802afbc736d84248911ec801162974a8

SHA1
9c2522279807d5da79431cb760a33cfb365d67ff

SHA256
03dcc6c01bec1804c7952343d7c721ef278cc80fe2b7707a50094424238ebf6d

SHA512
4def897cc3d2ab4da91600b637652154d6ab519d1ddf82e2322f399363bdc715ea9c0fd55ccfff50c8b8fc9b3240fa687ed6c3aafb9ab135baaafbc53217f8dc

Download Submit
\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
Filesize
510KB

MD5
170d82b9e7edd70a536e4cb5d504f2ed

SHA1
77d0d9f7f357666deb67e77cf4da8828914d72f8

SHA256
c24965d5f09d0342eb53aaccf27e55433c4ee337f53373d833b4302855f7575a

SHA512
c07459fd8528fb1f013c2ea2c27be6002f45e9adb766d22ada82380fe21e425b0a9db8b7186862134399d61fe4232cf4aa341873f5ed3f845673894a2bf83421

Download Submit
\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
Filesize
479KB

MD5
166138267d9ce92a1d57d18aadc96965

SHA1
df84f861a9c78565907ef8effbefa4db7a0d82f2

SHA256
7bb7069884979755edda9c33d6241cd1819588ba55afb2a56e5280044c66e5fd

SHA512
07e54538c6f8918d92e8055d404edd7d5d3b6b3828cb62c969363afded9754097ef0a7923849aaec1040c2fe27db17761a225f03cbbce558c49595f66f161e30

Download Submit
\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
Filesize
522KB

MD5
1125d22adfbc45db8730321c0791a8f0

SHA1
213513bcc8eb3f7ae498d0131efe01544add52d2

SHA256
5aa263d00b5e1ee174bd300eceb7f58ad00e5281e97636ce8626c5a677f03c48

SHA512
9314400973e4708f437469db0c2e3cfc56ea5e61903edbed9637120114114da9ebcd28ae0dd6ae40913f0910768fe3b1040d8c6ee1e12c761de27cbe3b247b69

Download Submit
\Users\Admin\AppData\Roaming\SerbianPersia\SerbianPersia.exe
Filesize
411KB

MD5
d83be65b9beb96c6ecdf41671f1418be

SHA1
5ce6fa8ccae242c20394aef3035b06c41953bf0e

SHA256
ba0d8a976797e425c3ff1c3ca5148c1c0f4d16e3add3b7011d89eb07cf514f26

SHA512
17b982477745b222c99155a1b9e07f3bc4c21d239975983110f919f531febc01c1def69e995f9ecfb67353b341f91b6053be047c6c4a505a462c22874abfdc5e

Download Submit
memory/292-1-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/292-37-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/292-35-0x0000000003F10000-0x00000000040BF000-memory.dmp

Filesize
1.7MB

Download
memory/2524-47-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2524-56-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2524-46-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2524-71-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2524-42-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2524-67-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2524-54-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2524-51-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2524-55-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2524-58-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2524-60-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2524-63-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2524-64-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2524-66-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2884-38-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2884-45-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads