a7fa307e6dd0caebb0081e8cf8bdd0beb65191f3ed801ebfbfeab9e27d3b0c78

General

Target

a7fa307e6dd0caebb0081e8cf8bdd0beb65191f3ed801ebfbfeab9e27d3b0c78.exe
Size

111KB
MD5

15d42003e4e92d75bfef96cfe62cf134
SHA1

93b7cf9a302f18b78ecf6c2eba93ded9727a492c
SHA256

a7fa307e6dd0caebb0081e8cf8bdd0beb65191f3ed801ebfbfeab9e27d3b0c78
SHA512

2fb33d3452a6514426f986bb9f1ff0f3ac6273f9184e0c3554a062b3b4bcd3de6203616a9a67c7cae2208080ce385f2c40491451017e4c9c385aef58e3111f87
SSDEEP

1536:ELNIW39SaZTbFARlq7jC1OZstZu0TSVEdUJWTWd18f4:ELlbZTZX3BAtTSVEdUJWTWd18f4

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 6 IoCs

resource	yara_rule
behavioral1/memory/2036-0-0x0000000000F50000-0x0000000000F6C000-memory.dmp	UPX
behavioral1/files/0x000c00000001316b-2.dat	UPX
behavioral1/memory/2336-6-0x0000000000BB0000-0x0000000000BCC000-memory.dmp	UPX
behavioral1/memory/2036-7-0x0000000000F50000-0x0000000000F6C000-memory.dmp	UPX
behavioral1/memory/2336-9-0x0000000000BB0000-0x0000000000BCC000-memory.dmp	UPX
behavioral1/memory/2036-10-0x0000000000F50000-0x0000000000F6C000-memory.dmp	UPX

Deletes itself 1 IoCs

pid	Process
2516	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2336	guifx.exe

Loads dropped DLL 1 IoCs

pid	Process
2036	a7fa307e6dd0caebb0081e8cf8bdd0beb65191f3ed801ebfbfeab9e27d3b0c78.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2036-0-0x0000000000F50000-0x0000000000F6C000-memory.dmp	upx
behavioral1/files/0x000c00000001316b-2.dat	upx
behavioral1/memory/2336-6-0x0000000000BB0000-0x0000000000BCC000-memory.dmp	upx
behavioral1/memory/2036-7-0x0000000000F50000-0x0000000000F6C000-memory.dmp	upx
behavioral1/memory/2336-9-0x0000000000BB0000-0x0000000000BCC000-memory.dmp	upx
behavioral1/memory/2036-10-0x0000000000F50000-0x0000000000F6C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Graphics = "\"C:\\ProgramData\\Graphics\\guifx.exe\" /run"	a7fa307e6dd0caebb0081e8cf8bdd0beb65191f3ed801ebfbfeab9e27d3b0c78.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2336	2036	a7fa307e6dd0caebb0081e8cf8bdd0beb65191f3ed801ebfbfeab9e27d3b0c78.exe	28
PID 2036 wrote to memory of 2336	2036	a7fa307e6dd0caebb0081e8cf8bdd0beb65191f3ed801ebfbfeab9e27d3b0c78.exe	28
PID 2036 wrote to memory of 2336	2036	a7fa307e6dd0caebb0081e8cf8bdd0beb65191f3ed801ebfbfeab9e27d3b0c78.exe	28
PID 2036 wrote to memory of 2336	2036	a7fa307e6dd0caebb0081e8cf8bdd0beb65191f3ed801ebfbfeab9e27d3b0c78.exe	28
PID 2036 wrote to memory of 2516	2036	a7fa307e6dd0caebb0081e8cf8bdd0beb65191f3ed801ebfbfeab9e27d3b0c78.exe	29
PID 2036 wrote to memory of 2516	2036	a7fa307e6dd0caebb0081e8cf8bdd0beb65191f3ed801ebfbfeab9e27d3b0c78.exe	29
PID 2036 wrote to memory of 2516	2036	a7fa307e6dd0caebb0081e8cf8bdd0beb65191f3ed801ebfbfeab9e27d3b0c78.exe	29
PID 2036 wrote to memory of 2516	2036	a7fa307e6dd0caebb0081e8cf8bdd0beb65191f3ed801ebfbfeab9e27d3b0c78.exe	29

C:\Users\Admin\AppData\Local\Temp\a7fa307e6dd0caebb0081e8cf8bdd0beb65191f3ed801ebfbfeab9e27d3b0c78.exe
"C:\Users\Admin\AppData\Local\Temp\a7fa307e6dd0caebb0081e8cf8bdd0beb65191f3ed801ebfbfeab9e27d3b0c78.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2036
- C:\ProgramData\Graphics\guifx.exe
  "C:\ProgramData\Graphics\guifx.exe" /run
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\windows\SysWOW64\cmd.exe
  "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\a7fa307e6dd0caebb0081e8cf8bdd0beb65191f3ed801ebfbfeab9e27d3b0c78.exe" >> NUL
  2⤵
  - Deletes itself
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\Graphics\guifx.exe

Filesize
111KB

MD5
530a13a14a55b37a4360c5fdd12156b6

SHA1
52bca2058257b7135315b911a51b4de8761ff7b3

SHA256
93860e3600448b0c6dfc492a85134bb098d09e457551cc75c197af804c1eb813

SHA512
4fa4d34142125931d475254ae5d89671b1b8c28cf4b63d4b2a5fde936f9cb4102c20bb0070fdf7c93b3da8620cb764b1a00e4072725d8fdfba66b3c957403fd7

Download Submit
memory/2036-0-0x0000000000F50000-0x0000000000F6C000-memory.dmp

Filesize
112KB

Download
memory/2036-7-0x0000000000F50000-0x0000000000F6C000-memory.dmp

Filesize
112KB

Download
memory/2036-8-0x0000000000BB0000-0x0000000000BCC000-memory.dmp

Filesize
112KB

Download
memory/2036-10-0x0000000000F50000-0x0000000000F6C000-memory.dmp

Filesize
112KB

Download
memory/2036-11-0x0000000000BB0000-0x0000000000BCC000-memory.dmp

Filesize
112KB

Download
memory/2336-6-0x0000000000BB0000-0x0000000000BCC000-memory.dmp

Filesize
112KB

Download
memory/2336-9-0x0000000000BB0000-0x0000000000BCC000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads