f713809dea449815a501976935a6b8ef96ba3921c91989994865ab1ee6c4726f

General

Target

f713809dea449815a501976935a6b8ef96ba3921c91989994865ab1ee6c4726f.exe
Size

184KB
MD5

23200d05e67026e395f5508e81a6f261
SHA1

84c0011593696bc6cb3fcfe57edf5eb4fbf8b4a5
SHA256

f713809dea449815a501976935a6b8ef96ba3921c91989994865ab1ee6c4726f
SHA512

92ca46a53238d28c98c6b16ac075d1c81534408e0f10a04de8195c6e26ee735e5af2d78b05357fac0d58c9b452e0d670ed60d3040fd29fb95a40cea56e47e5d6
SSDEEP

1536:Eq37dumBoEHkqWke1C4kqUDA2n6J8U6FjSHyI9Ng3Xmx:n35PBoEW1TBUP6n6FWlXi

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

f713809dea449815a501976935a6b8ef96ba3921c91989994865ab1ee6c4726f.exestartup.bat

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	f713809dea449815a501976935a6b8ef96ba3921c91989994865ab1ee6c4726f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	startup.bat

Executes dropped EXE 2 IoCs

Processes:

startup.batstartup.bat

pid process

1012 startup.bat
2252 startup.bat

pid	process
1012	startup.bat
2252	startup.bat

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3944-0-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\startup.bat	upx
behavioral2/memory/3944-10-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/2252-14-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/1012-15-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

Processes:

startup.bat

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings	startup.bat
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	startup.bat
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	startup.bat
Set value (data)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	startup.bat
Set value (data)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	startup.bat

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

f713809dea449815a501976935a6b8ef96ba3921c91989994865ab1ee6c4726f.exestartup.batstartup.bat

pid process

3944 f713809dea449815a501976935a6b8ef96ba3921c91989994865ab1ee6c4726f.exe
1012 startup.bat
2252 startup.bat

pid	process
3944	f713809dea449815a501976935a6b8ef96ba3921c91989994865ab1ee6c4726f.exe
1012	startup.bat
2252	startup.bat

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f713809dea449815a501976935a6b8ef96ba3921c91989994865ab1ee6c4726f.exestartup.bat

description	pid	process	target process
PID 3944 wrote to memory of 1012	3944	f713809dea449815a501976935a6b8ef96ba3921c91989994865ab1ee6c4726f.exe	startup.bat
PID 3944 wrote to memory of 1012	3944	f713809dea449815a501976935a6b8ef96ba3921c91989994865ab1ee6c4726f.exe	startup.bat
PID 3944 wrote to memory of 1012	3944	f713809dea449815a501976935a6b8ef96ba3921c91989994865ab1ee6c4726f.exe	startup.bat
PID 1012 wrote to memory of 2252	1012	startup.bat	startup.bat
PID 1012 wrote to memory of 2252	1012	startup.bat	startup.bat
PID 1012 wrote to memory of 2252	1012	startup.bat	startup.bat

C:\Users\Admin\AppData\Local\Temp\f713809dea449815a501976935a6b8ef96ba3921c91989994865ab1ee6c4726f.exe
"C:\Users\Admin\AppData\Local\Temp\f713809dea449815a501976935a6b8ef96ba3921c91989994865ab1ee6c4726f.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3944

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\startup.bat
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\startup.bat"
2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1012

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\startup.bat
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\startup.bat"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2252

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3132

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\startup.bat
Filesize
184KB

MD5
23200d05e67026e395f5508e81a6f261

SHA1
84c0011593696bc6cb3fcfe57edf5eb4fbf8b4a5

SHA256
f713809dea449815a501976935a6b8ef96ba3921c91989994865ab1ee6c4726f

SHA512
92ca46a53238d28c98c6b16ac075d1c81534408e0f10a04de8195c6e26ee735e5af2d78b05357fac0d58c9b452e0d670ed60d3040fd29fb95a40cea56e47e5d6

Download Submit
memory/1012-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2252-14-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3944-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3944-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads