a1314285c4f00bc70746390446a4536a3a8b4d364979fe5a67cb88f8f58b4629

General

Target

9c4cc9bcbf6ca8bfa08e2f9621c257d3.exe
Size

5.2MB
MD5

9c4cc9bcbf6ca8bfa08e2f9621c257d3
SHA1

9458d4363d69088a1be9f9798f280e8eb008e876
SHA256

a1314285c4f00bc70746390446a4536a3a8b4d364979fe5a67cb88f8f58b4629
SHA512

7cec55c3d1b18c130aa282f5ef745c471236050bda3a34e9bae239513e90a51bc85d9406ee15d9f5dc997e812a6b86272fa99dca25aedc0d2afe3fe7239802cd
SSDEEP

192:PhTQ/ufVADygpoewdhxoSjbmwYQZjZMZkPuwj:pUcqDfInjbmwv55j

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AENGFU3AA-B986-11d2-9CBD-0000F87A369E}	sauae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AENGFU3AA-B986-11d2-9CBD-0000F87A369E}\ = "Versiob986"	sauae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AENGFU3AA-B986-11d2-9CBD-0000F87A369E}\stubpath = "C:\\Program Files\\Docmentt\\sauae.exe"	sauae.exe

Deletes itself 1 IoCs

pid	Process
2124	sauae.exe

Executes dropped EXE 1 IoCs

pid	Process
2124	sauae.exe

Loads dropped DLL 1 IoCs

pid	Process
1104	9c4cc9bcbf6ca8bfa08e2f9621c257d3.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2644-0-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/1104-3-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/files/0x000c000000015be4-6.dat	upx
behavioral1/files/0x000c000000015be4-9.dat	upx
behavioral1/memory/2124-13-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/files/0x000c000000015be4-11.dat	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Docmentt\sauae.exe	9c4cc9bcbf6ca8bfa08e2f9621c257d3.exe
File opened for modification	C:\Program Files\Docmentt\sauae.exe	9c4cc9bcbf6ca8bfa08e2f9621c257d3.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 1104	2644	9c4cc9bcbf6ca8bfa08e2f9621c257d3.exe	28
PID 2644 wrote to memory of 1104	2644	9c4cc9bcbf6ca8bfa08e2f9621c257d3.exe	28
PID 2644 wrote to memory of 1104	2644	9c4cc9bcbf6ca8bfa08e2f9621c257d3.exe	28
PID 2644 wrote to memory of 1104	2644	9c4cc9bcbf6ca8bfa08e2f9621c257d3.exe	28
PID 1104 wrote to memory of 2124	1104	9c4cc9bcbf6ca8bfa08e2f9621c257d3.exe	29
PID 1104 wrote to memory of 2124	1104	9c4cc9bcbf6ca8bfa08e2f9621c257d3.exe	29
PID 1104 wrote to memory of 2124	1104	9c4cc9bcbf6ca8bfa08e2f9621c257d3.exe	29
PID 1104 wrote to memory of 2124	1104	9c4cc9bcbf6ca8bfa08e2f9621c257d3.exe	29

C:\Users\Admin\AppData\Local\Temp\9c4cc9bcbf6ca8bfa08e2f9621c257d3.exe
"C:\Users\Admin\AppData\Local\Temp\9c4cc9bcbf6ca8bfa08e2f9621c257d3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\9c4cc9bcbf6ca8bfa08e2f9621c257d3.exe
  C:\Users\Admin\AppData\Local\Temp\9c4cc9bcbf6ca8bfa08e2f9621c257d3.exe
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Program Files\Docmentt\sauae.exe
    "C:\Program Files\Docmentt\sauae.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Deletes itself
    - Executes dropped EXE
    PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Docmentt\sauae.exe

Filesize
1.6MB

MD5
58ccc4f7f2cd7095dd7e27f0d5500f3d

SHA1
eb5fe1114c051d85afc0df12c9aa2242bc5d1267

SHA256
b53e732e9d5a90362885410bf276bf62264e12645b73e918f05d6ae252e972ce

SHA512
5de1b88270e76387db0ada2bcfd274d3809aaa80b92a253e8685e8bee799db14b4e2e4eb1e24a2cd2b701daf7c51fbe6830c77d87abf3c19a78125834cf66311

Download Submit
C:\Program Files\Docmentt\sauae.exe

Filesize
2.2MB

MD5
03e1a2180bc1f18d24b992eb44445f3c

SHA1
b4b67584681866f77a45ef23bdf31a005a9fad6a

SHA256
cb729b818f03a8a20d9c638535ce4ab95e12ab94a5f49c6c108215bfd824202f

SHA512
a457c93ef740798d87da3a5019582c87bdb8702e3003f5a059598adc47129b1888fbf7bc82556e079eb5074bff71e26ca13e08f9b602c58e2136aa41e296baa3

Download Submit
\??\c:\SaveTxta986.txt

Filesize
70B

MD5
41c9180685a81ba21f5a32e93de10cc9

SHA1
a5dc5d68bbec079c85dab531f054135a5c9795a0

SHA256
22cb51103843efd6f1b009f1a3e706bce14448d79e19bf12aae4850d310ca050

SHA512
99dce6b378bced2fd5f4146b861b371f2b6cab0f2d33dfa15b8f29471accd42739e24de915ebc5253a125ca37c8df411842118dd1d3dcacbbd71d05b5e22c097

Download Submit
\Program Files\Docmentt\sauae.exe

Filesize
2.0MB

MD5
909aa1705891cf785fae8e4d161a8eeb

SHA1
081a14fc66ec7f9e2c9acef85a00b577614a53d8

SHA256
75fed8fe760191b0336194bf3e2980c5878e2acd5011b24048365e0a37c4fe9b

SHA512
b8c12a348b153ca2784220a93d593d05ac1f110f38e44644e76ab16025699b4663b134fc1017539ccec1b4a157dbf01665c0eb5a990ab717d2da12f9e3b304f4

Download Submit
memory/1104-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1104-10-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/2124-13-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2644-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2644-1-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads