bbd68336cf1a09f3f81881e94777735c89b8d76bef6244cbd60699e8b4287b68

General

Target

acbb23363c96f5bf2a67009cb5c7f7bb.exe
Size

233KB
MD5

acbb23363c96f5bf2a67009cb5c7f7bb
SHA1

9e6434ae8cfa29860b24e93bab6903d792152496
SHA256

bbd68336cf1a09f3f81881e94777735c89b8d76bef6244cbd60699e8b4287b68
SHA512

0b8ccb419375e0d9e84030e13dd8b5b1158986b25281502a79d01df556911f475a0a17ae592ba44f1e221ffcea3cb9dc97fb1169653b0cbfd2a7de651c502f81
SSDEEP

6144:ASe8ZIdHXmwqih5zsp58YcncKdivrxnLyfC+KdUgO:+814ep5z0C1LyfC+W

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2280	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2396	NAS.exe

Loads dropped DLL 2 IoCs

pid	Process
1224	acbb23363c96f5bf2a67009cb5c7f7bb.exe
1224	acbb23363c96f5bf2a67009cb5c7f7bb.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1224-0-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/1224-2-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/files/0x0007000000015c87-4.dat	upx
behavioral1/memory/2396-13-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/1224-14-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2396-18-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2396-20-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2396-21-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2396-24-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/1224-32-0x0000000000400000-0x00000000004A3000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\NAS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NAS.exe"	NAS.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1224	acbb23363c96f5bf2a67009cb5c7f7bb.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2396	1224	acbb23363c96f5bf2a67009cb5c7f7bb.exe	31
PID 1224 wrote to memory of 2396	1224	acbb23363c96f5bf2a67009cb5c7f7bb.exe	31
PID 1224 wrote to memory of 2396	1224	acbb23363c96f5bf2a67009cb5c7f7bb.exe	31
PID 1224 wrote to memory of 2396	1224	acbb23363c96f5bf2a67009cb5c7f7bb.exe	31
PID 1224 wrote to memory of 2280	1224	acbb23363c96f5bf2a67009cb5c7f7bb.exe	37
PID 1224 wrote to memory of 2280	1224	acbb23363c96f5bf2a67009cb5c7f7bb.exe	37
PID 1224 wrote to memory of 2280	1224	acbb23363c96f5bf2a67009cb5c7f7bb.exe	37
PID 1224 wrote to memory of 2280	1224	acbb23363c96f5bf2a67009cb5c7f7bb.exe	37

C:\Users\Admin\AppData\Local\Temp\acbb23363c96f5bf2a67009cb5c7f7bb.exe
"C:\Users\Admin\AppData\Local\Temp\acbb23363c96f5bf2a67009cb5c7f7bb.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\NAS.exe
  C:\Users\Admin\AppData\Local\Temp\NAS.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\deleteself.bat
  2⤵
  - Deletes itself
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\deleteself.bat

Filesize
232B

MD5
89155bddece822383d4b244bc155eff5

SHA1
f852080fa272c2862cf4ac7b3730fb46baa84e60

SHA256
1f5fb5c4abddfcb5227d120bcf272ab0d6a08941faff10b42caefc951b03b46c

SHA512
1189972dd4ba4b6e544b0185a071018fbdc563f5ef295ce2dff89e8a01c34ce0b1eca53513ffddcf7e5f692a88a1e00b41e93acaba318c80f9f65467b339c53e

Download Submit
\Users\Admin\AppData\Local\Temp\NAS.exe

Filesize
233KB

MD5
acbb23363c96f5bf2a67009cb5c7f7bb

SHA1
9e6434ae8cfa29860b24e93bab6903d792152496

SHA256
bbd68336cf1a09f3f81881e94777735c89b8d76bef6244cbd60699e8b4287b68

SHA512
0b8ccb419375e0d9e84030e13dd8b5b1158986b25281502a79d01df556911f475a0a17ae592ba44f1e221ffcea3cb9dc97fb1169653b0cbfd2a7de651c502f81

Download Submit
memory/1224-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1224-2-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1224-11-0x00000000038F0000-0x0000000003993000-memory.dmp

Filesize
652KB

Download
memory/1224-32-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1224-12-0x00000000038F0000-0x0000000003993000-memory.dmp

Filesize
652KB

Download
memory/1224-14-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1224-0-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1224-16-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2396-15-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2396-20-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2396-21-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2396-23-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2396-24-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2396-18-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2396-13-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads