0f17bf247aeae12c0494dd35025ad54dbaff82370c802a4517ceb48ca284f217

General

Target

74ab50689cd90a013b29d503ce6fa37f.exe
Size

1.5MB
MD5

74ab50689cd90a013b29d503ce6fa37f
SHA1

2a9e783662711a297b5d90a50a24f4655c224c8e
SHA256

0f17bf247aeae12c0494dd35025ad54dbaff82370c802a4517ceb48ca284f217
SHA512

0d9ca64e988ac9e6cbee2ce7c2e227b6fbb266f4bca8a2b426afee6aee1aa920fca6f645f9060e67822f4d84af4bfc1f3d85fa9ad69273ffa67998f9521c93c6
SSDEEP

24576:eOKgjdZ+OKgjd/xF22PE5iehMwXUS7bUMfqxRASTwy9ljS8140/fHcCB:WfAFtsTD7wLcSTwepf

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2832	Rub3.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000014b87-40.dat	upx
behavioral1/memory/2832-53-0x0000000000400000-0x00000000005E3000-memory.dmp	upx
behavioral1/memory/2832-57-0x0000000000400000-0x00000000005E3000-memory.dmp	upx

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\windows\BB3M2RNJYB.dll	74ab50689cd90a013b29d503ce6fa37f.exe
File opened for modification	C:\windows\bind.dll	74ab50689cd90a013b29d503ce6fa37f.exe
File created	C:\windows\Rub3.exe	74ab50689cd90a013b29d503ce6fa37f.exe
File opened for modification	C:\windows\Arabic.ini	74ab50689cd90a013b29d503ce6fa37f.exe
File opened for modification	C:\windows\6YJO6RVJBV.dll	74ab50689cd90a013b29d503ce6fa37f.exe
File created	C:\windows\English.ini	74ab50689cd90a013b29d503ce6fa37f.exe
File opened for modification	C:\windows\D6QJK6D68C.dll	74ab50689cd90a013b29d503ce6fa37f.exe
File opened for modification	C:\windows\Rub3.exe	74ab50689cd90a013b29d503ce6fa37f.exe
File opened for modification	C:\windows\datas.ini	74ab50689cd90a013b29d503ce6fa37f.exe
File created	C:\windows\Arabic.ini	74ab50689cd90a013b29d503ce6fa37f.exe
File opened for modification	C:\windows\Y2PDHNSUW0.dll	74ab50689cd90a013b29d503ce6fa37f.exe
File opened for modification	C:\windows\French.ini	74ab50689cd90a013b29d503ce6fa37f.exe
File opened for modification	C:\windows\28DNIU6RRN.dll	74ab50689cd90a013b29d503ce6fa37f.exe
File opened for modification	C:\windows\joiner.ini	74ab50689cd90a013b29d503ce6fa37f.exe
File created	C:\windows\bind.dll	74ab50689cd90a013b29d503ce6fa37f.exe
File opened for modification	C:\windows\English.ini	74ab50689cd90a013b29d503ce6fa37f.exe
File created	C:\windows\French.ini	74ab50689cd90a013b29d503ce6fa37f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe
1364	74ab50689cd90a013b29d503ce6fa37f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1364	74ab50689cd90a013b29d503ce6fa37f.exe
2832	Rub3.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2832	1364	74ab50689cd90a013b29d503ce6fa37f.exe	28
PID 1364 wrote to memory of 2832	1364	74ab50689cd90a013b29d503ce6fa37f.exe	28
PID 1364 wrote to memory of 2832	1364	74ab50689cd90a013b29d503ce6fa37f.exe	28
PID 1364 wrote to memory of 2832	1364	74ab50689cd90a013b29d503ce6fa37f.exe	28

C:\Users\Admin\AppData\Local\Temp\74ab50689cd90a013b29d503ce6fa37f.exe
"C:\Users\Admin\AppData\Local\Temp\74ab50689cd90a013b29d503ce6fa37f.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1364
- C:\windows\Rub3.exe
  "C:\windows\Rub3.exe" 0
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Arabic.ini

Filesize
5KB

MD5
84848d3f4e471eaac097b2323a13caf7

SHA1
470bb173a57a15e3a4a1dde4b6b13ad137be14c2

SHA256
06db2893411fd7515edde0b48abcf15890ab1492ee2d4368919438495e2a5d98

SHA512
98b4a177dac3d9fa1af493becf094179ea951fe6f7cfc7b0d8c7ec9659e79cd72be5295b95055bf0062a16b75eca175ce648b801c4c5b6d55e1e06bc4db7f998

Download Submit
C:\Windows\English.ini

Filesize
2KB

MD5
45420fa1d95a3d372f708a482a9692b0

SHA1
18e53d911b09126ed5a71ac19de1644a57737032

SHA256
80f97a5ead5c7ee35c9991da1652cdf953067673bea3a7f16e9d5d4a36f10cc1

SHA512
8288844d46a2e3f6f815325dec89fc47641e2511ae15706c08e98393d575f34244f54516de1fb94e8990fe131aef655a6036ff66b2e1e2b1e179671f33c98829

Download Submit
C:\Windows\French.ini

Filesize
3KB

MD5
5781f38d663625f06735a0ce728971db

SHA1
b428247db073ff8d5aeb7508294f69f44a504aac

SHA256
26a82bd9a0062c63291317a24b81ae454c679eb445f74a6d2bf836c198be43eb

SHA512
db2fa63e8abd561e2cdb52786e25d56232bde19208c311dce8afc2f4efcef2a4403408e1974910d78ce7fc2bd6c555e27d91dbe9834d2e20becffbd43752b34d

Download Submit
C:\Windows\Rub3.exe

Filesize
1001KB

MD5
5f578767d5146131d7382b53dce4519d

SHA1
dbf1792a497865ff8682351857a281db61cf1d41

SHA256
241ad22251b1a298dd5a7162202b57c7fb641a5f9be507be729e0237e023d6a9

SHA512
d5bf39ebbf6a1ca40eb872a22de26cd2900a18d68215a2b2de8182ecd3ff9d0d8978600929cd172a0f4054188d37deacc88adf3bd4026867f34d5ee75a564451

Download Submit
C:\Windows\bind.dll

Filesize
272KB

MD5
1240cfff906d2c3a55be98aba0f1b4ca

SHA1
32fdc127376657b14df4bc38975c5449931e071b

SHA256
68a08fbf0290c2642bc8ae452d3628566150ad020654f3cbb0719224e8dd4d9a

SHA512
fe5cdab30d8b64cb39dfd98cc2e37fc976fbb5605620dac18a94b39e7cbddbff84e8f08b97d7b4856f11419b2217ca6ee6452f075a8efcfab12b6ed9701fad14

Download Submit
C:\Windows\datas.ini

Filesize
213B

MD5
053c399f19be839e7208606f77c36448

SHA1
53b1d8dec031b3cdf9dc6486218f30a7edc9d670

SHA256
24d0c5f0258ce6c35cdfa62a06587dc41e235e48b4df3569d1ad678f99a81c3b

SHA512
da3bd3f1c4a484922d9410c31608a1147e13fedf0e57fa2b5eb603ac392be4f19acbd7405118e32f71cbbc26260608514ae5d0817a22a1d8c6ec489715133f81

Download Submit
memory/1364-51-0x0000000004330000-0x0000000004513000-memory.dmp

Filesize
1.9MB

Download
memory/2832-53-0x0000000000400000-0x00000000005E3000-memory.dmp

Filesize
1.9MB

Download
memory/2832-57-0x0000000000400000-0x00000000005E3000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing