e989f0886cc1a989479cfe91d0f660223e486de22ee05749dc93ebb4a31f6acf

General

Target

e1f72ed816664b86d4db6555ca67c02a.exe
Size

1.9MB
MD5

e1f72ed816664b86d4db6555ca67c02a
SHA1

2076dfc63d22fc991c8b8216757d22a34ec19f0c
SHA256

e989f0886cc1a989479cfe91d0f660223e486de22ee05749dc93ebb4a31f6acf
SHA512

3cacb0a979be4b7b89d830dc47ce3a139da47dfe21543aef092678c9d1129ed3e99d60cd027768c5a2405a580bea9e39b120c4f3b79e2de06f1ae83abb1c8288
SSDEEP

49152:ydOjNXMu8VaWg/IbwsYRxUGXET3pbjX6JyytOdsi3:IOjtMaWZUxUfT35X06si

Score

8^/10

persistence upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

Cloud AV 2012v121.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts Cloud AV 2012v121.exe
Executes dropped EXE 2 IoCs

Processes:

Cloud AV 2012v121.exeCloud AV 2012v121.exe

pid process

4512 Cloud AV 2012v121.exe
2056 Cloud AV 2012v121.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Cloud AV 2012v121.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4364-1-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/4364-7-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/4512-10-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/4512-15-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/2056-18-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/2056-89-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/2056-100-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/2056-105-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/2056-110-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/2056-123-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/2056-134-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/2056-155-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/2056-188-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/2056-232-0x0000000000400000-0x0000000000917000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e1f72ed816664b86d4db6555ca67c02a.exeCloud AV 2012v121.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sK8fRZ9hTwU8234A = "C:\\Windows\\system32\\Cloud AV 2012v121.exe"	e1f72ed816664b86d4db6555ca67c02a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\v5sWJ7fELg8234A = "C:\\Users\\Admin\\AppData\\Roaming\\pH6dWK8fR9TwUeI\\Cloud AV 2012v121.exe"	Cloud AV 2012v121.exe

Drops file in System32 directory 2 IoCs

Processes:

Cloud AV 2012v121.exee1f72ed816664b86d4db6555ca67c02a.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	Cloud AV 2012v121.exe
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	e1f72ed816664b86d4db6555ca67c02a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Cloud AV 2012v121.exeCloud AV 2012v121.exe

pid	process
4512	Cloud AV 2012v121.exe
4512	Cloud AV 2012v121.exe
4512	Cloud AV 2012v121.exe
4512	Cloud AV 2012v121.exe
4512	Cloud AV 2012v121.exe
4512	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 3528 msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	3528	msiexec.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Cloud AV 2012v121.exe

pid	process
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Cloud AV 2012v121.exe

pid	process
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

e1f72ed816664b86d4db6555ca67c02a.exeCloud AV 2012v121.exeCloud AV 2012v121.exe

pid	process
4364	e1f72ed816664b86d4db6555ca67c02a.exe
4512	Cloud AV 2012v121.exe
4512	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe
2056	Cloud AV 2012v121.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e1f72ed816664b86d4db6555ca67c02a.exeCloud AV 2012v121.exe

description	pid	process	target process
PID 4364 wrote to memory of 4512	4364	e1f72ed816664b86d4db6555ca67c02a.exe	Cloud AV 2012v121.exe
PID 4364 wrote to memory of 4512	4364	e1f72ed816664b86d4db6555ca67c02a.exe	Cloud AV 2012v121.exe
PID 4364 wrote to memory of 4512	4364	e1f72ed816664b86d4db6555ca67c02a.exe	Cloud AV 2012v121.exe
PID 4512 wrote to memory of 2056	4512	Cloud AV 2012v121.exe	Cloud AV 2012v121.exe
PID 4512 wrote to memory of 2056	4512	Cloud AV 2012v121.exe	Cloud AV 2012v121.exe
PID 4512 wrote to memory of 2056	4512	Cloud AV 2012v121.exe	Cloud AV 2012v121.exe

C:\Users\Admin\AppData\Local\Temp\e1f72ed816664b86d4db6555ca67c02a.exe
"C:\Users\Admin\AppData\Local\Temp\e1f72ed816664b86d4db6555ca67c02a.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\SysWOW64\Cloud AV 2012v121.exe
C:\Windows\system32\Cloud AV 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\e1f72ed816664b86d4db6555ca67c02a.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4512

C:\Users\Admin\AppData\Roaming\pH6dWK8fR9TwUeI\Cloud AV 2012v121.exe
C:\Users\Admin\AppData\Roaming\pH6dWK8fR9TwUeI\Cloud AV 2012v121.exe 5985C:\Windows\SysWOW64\Cloud AV 2012v121.exe
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2056

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3528

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ahst.lni
Filesize
610B

MD5
1ed9210fcca2209be0c1b09130d052a3

SHA1
33313c228948960884977055e1bd40e79bc934aa

SHA256
805e90e7a3229b7e1aa849eb1258e466e78b3317dcaa6af7e9ef60d8b3aa600c

SHA512
523239ccc72bf3290c44347caa2fe55694de4f15d9f6372a58c419ce2075ec079d32f05587e5e83ab2e167eb2a9cb954d0bfac0f29fe4e2376d9a5624f47c844

Download Submit
C:\Users\Admin\AppData\Roaming\ahst.lni
Filesize
1KB

MD5
bd9d05b9bc6fc3f980d31aceeac87755

SHA1
d68a9ccbd2ac6ff96201aae255de0df4294dea89

SHA256
6a0636b73198edb94b0ba9336d051805407b8be01c51b7754eb2fa67b85e66df

SHA512
4e576688903973f42e1ebc2d3abdc1ab83c6a9f0f4ddffb105bcce247bce6fb1cf4fdeeecd277a62436710e84ad5c5d2b8596ee98bd84c226dabde00de4430c9

Download Submit
C:\Windows\SysWOW64\Cloud AV 2012v121.exe
Filesize
1.9MB

MD5
e1f72ed816664b86d4db6555ca67c02a

SHA1
2076dfc63d22fc991c8b8216757d22a34ec19f0c

SHA256
e989f0886cc1a989479cfe91d0f660223e486de22ee05749dc93ebb4a31f6acf

SHA512
3cacb0a979be4b7b89d830dc47ce3a139da47dfe21543aef092678c9d1129ed3e99d60cd027768c5a2405a580bea9e39b120c4f3b79e2de06f1ae83abb1c8288

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
1KB

MD5
50ab0dd716dd66ad0c3eb5fb63f2f118

SHA1
bd9641078264b2135d3b3b0007c98f977d057960

SHA256
1f9037b078250201c92f8e1ea1ad3023011039c76a5aa74d3710edc452fc6517

SHA512
24c0b8ca8650fb50f81b9a89bbb7e8e5492b303b065fbf846c55aeb76c9fc41ebb5b9c6163d168a1362941720473486fdf2596dab4764176ebb348ad264b61d6

Download Submit
memory/2056-110-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2056-134-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2056-232-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2056-188-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2056-18-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2056-155-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2056-123-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2056-105-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2056-89-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2056-100-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/4364-2-0x0000000002F40000-0x0000000003365000-memory.dmp

Filesize
4.1MB

Download
memory/4364-1-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/4364-7-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/4364-8-0x0000000002F40000-0x0000000003365000-memory.dmp

Filesize
4.1MB

Download
memory/4512-10-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/4512-15-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/4512-11-0x0000000002BC0000-0x0000000003A0F000-memory.dmp

Filesize
14.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads