b219d1944ed41f33d4cf532ffe7428b2f494b9f693a70aa7a9100b5550e794df

General

Target

52fywg.exe
Size

1.0MB
MD5

805dc8ea0c4c626109037b4c6b3f73d2
SHA1

cc4224ed24bc309413f6f4f85dd3ba1cde65c701
SHA256

8748e9a133c0aabc61b04bfe735f1f276157874874a8c08400d8ef21144170cb
SHA512

23a9e2698bd168ce59a2226885b4c6173ff1415a5a843c4d560753a03b51778ad100f7f6765f429048eb6c47ebd4e7ce19097cbc16bb886d6a2b00930e8bd92f
SSDEEP

24576:B8xnT9uMDSdHH2tF7VYPhbQMkDlyGh1l46:B8xxubAWPhbKyGh1l7

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2456	ec.sys

Loads dropped DLL 2 IoCs

pid	Process
2828	52fywg.exe
2828	52fywg.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/2828-2-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-4-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-6-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-5-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-8-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-12-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-14-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-20-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-24-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-28-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-31-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-35-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-40-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-42-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-46-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-48-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-50-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-44-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-38-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-33-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-26-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-22-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-18-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-16-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-10-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-7-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/files/0x0007000000015c4b-55.dat	upx
behavioral3/memory/2456-62-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral3/memory/2828-61-0x0000000003210000-0x000000000322A000-memory.dmp	upx
behavioral3/memory/2828-63-0x0000000003210000-0x000000000322A000-memory.dmp	upx
behavioral3/memory/2828-54-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral3/memory/2828-97-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ecmZcUh.sys	52fywg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	52fywg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
468	Process not Found
468	Process not Found

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2828	52fywg.exe
2828	52fywg.exe
2828	52fywg.exe
2828	52fywg.exe
2828	52fywg.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2456	2828	52fywg.exe	29
PID 2828 wrote to memory of 2456	2828	52fywg.exe	29
PID 2828 wrote to memory of 2456	2828	52fywg.exe	29
PID 2828 wrote to memory of 2456	2828	52fywg.exe	29
PID 2456 wrote to memory of 672	2456	ec.sys	30
PID 2456 wrote to memory of 672	2456	ec.sys	30
PID 2456 wrote to memory of 672	2456	ec.sys	30
PID 2456 wrote to memory of 672	2456	ec.sys	30

C:\Users\Admin\AppData\Local\Temp\52fywg.exe
"C:\Users\Admin\AppData\Local\Temp\52fywg.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\Documents\ec.sys
  C:\Users\Admin\Documents\/ec.sys
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\k211.bat" "
    3⤵
    PID:672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11.ca

Filesize
70B

MD5
f7e97e452ebf2e5d1858752e5e51156a

SHA1
ae908c2a8c2e670a425a7aad807f5e40d8f42335

SHA256
94d55dff4eb41cfd8b5ca832b6ecb3f9c6bcf7d96cb84ae24a6496d015511b59

SHA512
3515fc78e868d7a05db3a9f77c2459d9b573d25a9d718335b820becbc296232123f60acb17b5ddc560b259b88caa4eed05e0f77ad4719f07647b7d28df9f7af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\k211.bat

Filesize
2KB

MD5
06af7c4c305e8e390a482e04b5f23a12

SHA1
ee0f2820b9c5da1c243315aec03f1aabe54af2e8

SHA256
97093292b0ea16c6f109e1d2a4c83bd0436da2ea19b8f0fa7dc35e78bfb851c4

SHA512
c71e72924e567c3a7ee5eb3691091b545b55b9e453446ac841a65f93d02c85145d147d856dd7846e3f2843032876730c39e81dc75fdd115f9d581b8fe445135d

Download Submit
\Users\Admin\Documents\ec.sys

Filesize
42KB

MD5
9522a5bbb8a9c5a7033edd962942f0a5

SHA1
89dc94c849c33d754a85ceae5d3a6ef45d56d315

SHA256
f5c9f0063aea62311673c338a8da321a724dcf8f70b33af34d39b07d29ddd5f6

SHA512
6bbcff34c4a7fa3ca0cff2df08ed8667514a42d2d0f2d2ab020f2412918d742c93fd84e75fda2ae96e9b4ac97a5204daed0d87693c76d1588498833e9a3c5e56

Download Submit
memory/2456-62-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2828-50-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-33-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-14-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-20-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-24-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-28-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-31-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-35-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-40-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-42-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-46-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-48-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-2-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-44-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-38-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-12-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-26-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-22-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-18-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-16-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-10-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-7-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-8-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-5-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-61-0x0000000003210000-0x000000000322A000-memory.dmp

Filesize
104KB

Download
memory/2828-63-0x0000000003210000-0x000000000322A000-memory.dmp

Filesize
104KB

Download
memory/2828-54-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-6-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-4-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-97-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2828-98-0x0000000003210000-0x000000000322A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing