f597fa8a95d902f1a2306a9c0ab25bbbcfa2ea2aa073dd0632f6628aac550c9c

General

Target

79e530d7d2ac8b906dc26cc52eee5515.exe
Size

2.5MB
MD5

79e530d7d2ac8b906dc26cc52eee5515
SHA1

fde3b1743b6449ab34501b624fb37b0e35f16a82
SHA256

f597fa8a95d902f1a2306a9c0ab25bbbcfa2ea2aa073dd0632f6628aac550c9c
SHA512

844affc7dbea13c977a70472f59e7904577fa9a3197ebc099a31d050c21fc1174b007c566dbe3c46b7555a0da797290ac32c21914728e7d428a24f957869c2e2
SSDEEP

49152:PmPoEdmbvA6PVFKBZm2LjSLe4kwRXKkxKPkRv0h8//zcfKL9+HbHjjS:egmMY6PVmZvjSa4fRXK/PkRMh+zcg92m

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3232	autorun.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023125-40.dat	upx
behavioral2/memory/3232-42-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3232-53-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3232-54-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3232-55-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3232-56-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3232-57-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3232-58-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3232-59-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3232-60-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3232-61-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3232-62-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3232-63-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3232-64-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3232-65-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3232-66-0x0000000000400000-0x00000000008CE000-memory.dmp	upx
behavioral2/memory/3232-67-0x0000000000400000-0x00000000008CE000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3232	autorun.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3708	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3708	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3968	79e530d7d2ac8b906dc26cc52eee5515.exe
3968	79e530d7d2ac8b906dc26cc52eee5515.exe
3232	autorun.exe
3232	autorun.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 3232	3968	79e530d7d2ac8b906dc26cc52eee5515.exe	87
PID 3968 wrote to memory of 3232	3968	79e530d7d2ac8b906dc26cc52eee5515.exe	87
PID 3968 wrote to memory of 3232	3968	79e530d7d2ac8b906dc26cc52eee5515.exe	87

C:\Users\Admin\AppData\Local\Temp\79e530d7d2ac8b906dc26cc52eee5515.exe
"C:\Users\Admin\AppData\Local\Temp\79e530d7d2ac8b906dc26cc52eee5515.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\79e530d7d2ac8b906dc26cc52eee5515.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3232

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x51c 0x518
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\a.btn

Filesize
4KB

MD5
63c62b458878ab47bb9cb278427cc3c5

SHA1
4a5d4e65c9fbf10aa01b4913e46ab7909d52b9b8

SHA256
4640a724130bc090cc2c91e8075eb5d07a813935457329608a6bb53bd46ca7b2

SHA512
34260d06275d8105679c17066e08149fd9a1ee130595dd4bb0e17e77c9da8df4de4dd57bcaf67ca2153324a5b67f328d27de055e2756aa0d27f05d3734fef0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\error.png

Filesize
4KB

MD5
5505b27b781db31ae327f6efcf129e86

SHA1
73f750338dc7900a29ed3e1db38ef0ceff13f3e9

SHA256
144eb369b0bc645861e9c54ddbff2fdfde5c7b00cdc60fe05843951687737334

SHA512
22fc9d5a74fbc6e0fe85bbbdf31f27230fe0f7f2f27796c6eaa43965293e259fe1160e12574849516f0af3743fdde83de32efcf5ff5e644b9b4454cf52b6a80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\header1.png

Filesize
4KB

MD5
115249a0a4144de32f95e4f43041246e

SHA1
727a819f5668fc35f1eff9cd0e446b0f8451b198

SHA256
a2c548b432c490c8d067e43301e746ad3c2654dd70a790bdd21275ab2c1d32a2

SHA512
b4377ef2c11a63c2bd2c4bdd593abc2d45a591d3249ddf222ff24e095a6af8e69ad66e304e19fd3d7143c78b5aeb2bc44bc380ac5bb5511ee78b7c799c1965f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\icontexto-webdev-cancel-032x032.png

Filesize
2KB

MD5
8540f78d0887b230579230c96dc022ac

SHA1
5b757108d0cbff2f434008686de77391fb329dca

SHA256
a6489affb7dff0e66489b75ada241408767931160c37df0aea44963dca7b355e

SHA512
1a65c7e4897dd65a752e48f0ac3c03b6b8f11caf3a8cd88439e2493568953570a7a15d72f7cf2299053864108752d885e4b26a40305550035f841a7f2d23ca50

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\icontexto-webdev-remove-032x032.png

Filesize
2KB

MD5
c6c2d458c359ba45af1b669a8c2440a6

SHA1
f3fab85f54a9dbad63316f374e7ed4b88ca82b7b

SHA256
cb1bf0b8f1aada4ddde1bf9baea2d9784b0be0da69fc8ea823143ec154d9f69a

SHA512
fd02bfaeb8379d72d778aa502bc45f42295aaf6988ec52246e91f6cfc64cac7fc2b70012f14d2cad3214b8c1a75f060c4e07790970b1325af6df765aaa109915

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

Filesize
1.1MB

MD5
4ce52eb2a1d8696c1003daccb1287e5b

SHA1
a692059dd130fff5faad88393f46f18358f07814

SHA256
7b1427a91ca0559a1c56b8d38b6c270d796ff01466c91794c1ba158006fa98a1

SHA512
b8db49f0804bc3ddec67779336895f913ee15e07aa09e81695a8de7221f9b0543b0ac84b815a16ef99ecea8417bcecbcdae341ea3298edc32b44560d03251583

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
957KB

MD5
56423d7f3ce83c7ff33f5c65f31aee8d

SHA1
fbde9aa7ef24de55db0c2c3b44bf765e30e7498a

SHA256
df35b8b3746db8eed32cf57cff38912835322cabfda85941252a8d7b82475abe

SHA512
ea4fb1b4801346639faa779134c0d528d64c69883c9e81998e4901e3485cc459546ec38103b544c9432bc221457f6442d89dd11c97e6cb9a60eccef2234fadad

Download Submit
memory/3232-55-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3232-59-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3232-54-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3232-42-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3232-56-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3232-57-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3232-58-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3232-53-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3232-60-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3232-61-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3232-62-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3232-63-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3232-64-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3232-65-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3232-66-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3232-67-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing