80c26f68b8a46af63f3ee4b35c8150f1710d7aaa1cf8e39cb5c94ec29e9b7c11

General

Target

83dafce0560e7493e6dae82c270131a5.exe
Size

394KB
MD5

83dafce0560e7493e6dae82c270131a5
SHA1

5fdfe162b399a315508a55535c5b1f31012e4f39
SHA256

80c26f68b8a46af63f3ee4b35c8150f1710d7aaa1cf8e39cb5c94ec29e9b7c11
SHA512

cf2a9c2db3ee19a17979d2b3e92103566a691d59af8f376a56fcc1df1be12a06d47d40c6df0a7e54db4e2575486fd481e95560813721440105e06ba49196e18e
SSDEEP

6144:9bpGtfoVtScw2RCgrzItQB2bpGtfoVtScw:TGtAtScw3qEKBYGtAtScw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4828	VEM.EXE

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	VEM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\XNBQEI.EXE \"%1\" %*"	VEM.EXE

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1876-0-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/files/0x000200000001fafe-22.dat	upx
behavioral2/memory/1876-25-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/4828-23-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/files/0x000200000001fafe-21.dat	upx
behavioral2/files/0x0008000000023212-10.dat	upx
behavioral2/memory/4828-30-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/4828-33-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/4828-34-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/4828-36-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/4828-37-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/4828-40-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/4828-41-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/4828-43-0x0000000000400000-0x000000000046E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CQPNXJ.EXE = "C:\\Users\\CQPNXJ.EXE"	83dafce0560e7493e6dae82c270131a5.exe

Enumerates connected drives 3 TTPs 34 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	83dafce0560e7493e6dae82c270131a5.exe
File opened (read-only)	\??\H:	VEM.EXE
File opened (read-only)	\??\N:	VEM.EXE
File opened (read-only)	\??\Q:	VEM.EXE
File opened (read-only)	\??\V:	VEM.EXE
File opened (read-only)	\??\L:	83dafce0560e7493e6dae82c270131a5.exe
File opened (read-only)	\??\I:	VEM.EXE
File opened (read-only)	\??\T:	VEM.EXE
File opened (read-only)	\??\M:	83dafce0560e7493e6dae82c270131a5.exe
File opened (read-only)	\??\Q:	83dafce0560e7493e6dae82c270131a5.exe
File opened (read-only)	\??\U:	83dafce0560e7493e6dae82c270131a5.exe
File opened (read-only)	\??\S:	VEM.EXE
File opened (read-only)	\??\I:	83dafce0560e7493e6dae82c270131a5.exe
File opened (read-only)	\??\N:	83dafce0560e7493e6dae82c270131a5.exe
File opened (read-only)	\??\S:	83dafce0560e7493e6dae82c270131a5.exe
File opened (read-only)	\??\L:	VEM.EXE
File opened (read-only)	\??\P:	VEM.EXE
File opened (read-only)	\??\K:	VEM.EXE
File opened (read-only)	\??\M:	VEM.EXE
File opened (read-only)	\??\G:	83dafce0560e7493e6dae82c270131a5.exe
File opened (read-only)	\??\J:	83dafce0560e7493e6dae82c270131a5.exe
File opened (read-only)	\??\P:	83dafce0560e7493e6dae82c270131a5.exe
File opened (read-only)	\??\T:	83dafce0560e7493e6dae82c270131a5.exe
File opened (read-only)	\??\G:	VEM.EXE
File opened (read-only)	\??\O:	VEM.EXE
File opened (read-only)	\??\U:	VEM.EXE
File opened (read-only)	\??\E:	83dafce0560e7493e6dae82c270131a5.exe
File opened (read-only)	\??\O:	83dafce0560e7493e6dae82c270131a5.exe
File opened (read-only)	\??\V:	83dafce0560e7493e6dae82c270131a5.exe
File opened (read-only)	\??\E:	VEM.EXE
File opened (read-only)	\??\J:	VEM.EXE
File opened (read-only)	\??\R:	83dafce0560e7493e6dae82c270131a5.exe
File opened (read-only)	\??\H:	83dafce0560e7493e6dae82c270131a5.exe
File opened (read-only)	\??\R:	VEM.EXE

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile	83dafce0560e7493e6dae82c270131a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell	83dafce0560e7493e6dae82c270131a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	83dafce0560e7493e6dae82c270131a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open	83dafce0560e7493e6dae82c270131a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command	83dafce0560e7493e6dae82c270131a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Users\\CQPNXJ.EXE \"%1\""	83dafce0560e7493e6dae82c270131a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\CQPNXJ.EXE %1"	83dafce0560e7493e6dae82c270131a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Users\\CQPNXJ.EXE \"%1\" %*"	83dafce0560e7493e6dae82c270131a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\odt\\VEM.EXE %1"	83dafce0560e7493e6dae82c270131a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell	83dafce0560e7493e6dae82c270131a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open	83dafce0560e7493e6dae82c270131a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command	83dafce0560e7493e6dae82c270131a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command\ = "C:\\Users\\CQPNXJ.EXE %1"	83dafce0560e7493e6dae82c270131a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	VEM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\XNBQEI.EXE \"%1\" %*"	VEM.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command	83dafce0560e7493e6dae82c270131a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file	83dafce0560e7493e6dae82c270131a5.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4828	VEM.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 4828	1876	83dafce0560e7493e6dae82c270131a5.exe	18
PID 1876 wrote to memory of 4828	1876	83dafce0560e7493e6dae82c270131a5.exe	18
PID 1876 wrote to memory of 4828	1876	83dafce0560e7493e6dae82c270131a5.exe	18

C:\Users\Admin\AppData\Local\Temp\83dafce0560e7493e6dae82c270131a5.exe
"C:\Users\Admin\AppData\Local\Temp\83dafce0560e7493e6dae82c270131a5.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1876
- C:\odt\VEM.EXE
  C:\odt\VEM.EXE
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\odt\VEM.EXE

Filesize
33KB

MD5
82ae0487634fb0810d8fbcfcba44ad67

SHA1
635841e2ab018d1fc2aa0e17d22839d06e0df510

SHA256
9e4c4612963ea499bc430bc9bf69d1adb630eda2feffa256e7ca0f3bc103e0f7

SHA512
58f17a6b61f4d7798290968b684a6a1d7f08b2ab4c7374de3db305d24fd4a07a34b3b30e7e2c02965c575ee465f8c2b4b8cfd28516dde2d302b9022661d7db39

Download Submit
C:\odt\VEM.EXE

Filesize
1KB

MD5
ed1267deeb39291b72351b89af5e81e0

SHA1
45ff406c7bf0fe98cd2eccd65cd353d108986ee3

SHA256
557fda6dd58b2e85e96b00524c163fc1c6c745fe5d8764926481bfc759993b12

SHA512
3b1b4942a1988f36e3377865088885613b5cfa2c2633b7f08df961e0370468b17325d73544581f1daf5d32b94a1cd9d0c335cdee7e7d9826dae3391e94b7257c

Download Submit
memory/1876-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1876-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1876-1-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/4828-31-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4828-36-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4828-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4828-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4828-24-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4828-32-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4828-33-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4828-34-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4828-35-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4828-23-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4828-37-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4828-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4828-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4828-40-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4828-41-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4828-42-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4828-43-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads