f764dfc1d7d2ffd0ee8d867390ebee1cc5d81106851dc11b6f4b14c19d5c2ec9

General

Target

f764dfc1d7d2ffd0ee8d867390ebee1cc5d81106851dc11b6f4b14c19d5c2ec9.exe
Size

79KB
MD5

5007ec5baa165a11b765c039884368a4
SHA1

ee33a856f27f4331aa4d033b689e3f25068c0167
SHA256

f764dfc1d7d2ffd0ee8d867390ebee1cc5d81106851dc11b6f4b14c19d5c2ec9
SHA512

1590f88fd9dee95635bf16ac40b161ed99ac35d86b6d2aecbaa0b39bcd980475387d722b9ecd762e4450820d9abfb778aeec0cb3c50d46ef65ce848bf986c63e
SSDEEP

1536:CZFJTafg3hnfq4yyFBrRyyeBaiRTxRwvru8G:yFGgRfqI2z

Score

9^/10

Malware Config

Signatures

Detects executables built or packed with MPress PE compressor 5 IoCs

resource	yara_rule
behavioral1/memory/2936-0-0x0000000000400000-0x0000000000412000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0009000000015b6f-11.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2936-13-0x0000000001DD0000-0x0000000001DE2000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2852-17-0x0000000000400000-0x0000000000412000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2852-27-0x0000000000400000-0x0000000000412000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 1 IoCs

pid	Process
2852	retro.exe

Loads dropped DLL 1 IoCs

pid	Process
2936	f764dfc1d7d2ffd0ee8d867390ebee1cc5d81106851dc11b6f4b14c19d5c2ec9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2936	f764dfc1d7d2ffd0ee8d867390ebee1cc5d81106851dc11b6f4b14c19d5c2ec9.exe
2852	retro.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2852	2936	f764dfc1d7d2ffd0ee8d867390ebee1cc5d81106851dc11b6f4b14c19d5c2ec9.exe	28
PID 2936 wrote to memory of 2852	2936	f764dfc1d7d2ffd0ee8d867390ebee1cc5d81106851dc11b6f4b14c19d5c2ec9.exe	28
PID 2936 wrote to memory of 2852	2936	f764dfc1d7d2ffd0ee8d867390ebee1cc5d81106851dc11b6f4b14c19d5c2ec9.exe	28
PID 2936 wrote to memory of 2852	2936	f764dfc1d7d2ffd0ee8d867390ebee1cc5d81106851dc11b6f4b14c19d5c2ec9.exe	28

C:\Users\Admin\AppData\Local\Temp\f764dfc1d7d2ffd0ee8d867390ebee1cc5d81106851dc11b6f4b14c19d5c2ec9.exe
"C:\Users\Admin\AppData\Local\Temp\f764dfc1d7d2ffd0ee8d867390ebee1cc5d81106851dc11b6f4b14c19d5c2ec9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\retro.exe
  "C:\Users\Admin\AppData\Local\Temp\retro.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ce03b364457412a094000f3f5c20590a

SHA1
3e072a4718b149dee2c1340390b93d16c59eb473

SHA256
ea70ffd95f544b631a8cd1cb473a6f7f08b755a014edaad2d2c0d1102bfd443f

SHA512
e7aa7dd809f92756247a432e97d56f51ce800fd5f7ffa6fc70ec82279435d302572620d370784fba3da8a5e615097f6379a020d2ce9996135383021a43047057

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8654.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
\Users\Admin\AppData\Local\Temp\retro.exe

Filesize
79KB

MD5
4c70c996bf6fe5e2f2382cd8c61c39f1

SHA1
77198cf288a06e7b7d918b84df88ab5b46edee4a

SHA256
88fdb5872357cb2ba24d51fbcbbd1297d9d000e337f4a2b0182b2d7632c37c40

SHA512
49cd14b960bc600054ff791247d4ce58f9ced71fa9e2b96b02010ceb4d3ef8c860007fbcd8f34b9e1ad89227842ddf341c813fbb2dfc48210b0bcc15e39c4b55

Download Submit
memory/2852-17-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2852-26-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download
memory/2852-27-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2936-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2936-13-0x0000000001DD0000-0x0000000001DE2000-memory.dmp

Filesize
72KB

Download
memory/2936-6-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/2936-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2936-1-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing