fb4374ef5f4fefe9270b164405d944d1d42eab5e1277c775d076ac39dfed64da

General

Target

fb4374ef5f4fefe9270b164405d944d1d42eab5e1277c775d076ac39dfed64da.exe
Size

134KB
MD5

bf7a574d33ac96a604f47d9a1ad8fd42
SHA1

cea208747404be8840a98662ed671d981f798381
SHA256

fb4374ef5f4fefe9270b164405d944d1d42eab5e1277c775d076ac39dfed64da
SHA512

7025d63e568dfc97e95d7bf168baeb0c73d60b6a66f059b7b652689ccc6e7021cb406d6610f9ed4c12f2f40fa11b0e2586346549e5768458a55822a899fa5e5a
SSDEEP

1536:YGYU/W2/HG6QMauSV3ixJHABLrmhH7i9eNOOg00GqMIK7aGZh3SOr:YfU/WF6QMauSuiWNi9eNOl0007NZIOr

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 6 IoCs

resource	yara_rule
behavioral1/memory/2224-0-0x0000000000F60000-0x0000000000F88000-memory.dmp	UPX
behavioral1/files/0x003500000001415f-5.dat	UPX
behavioral1/memory/2764-6-0x00000000002D0000-0x00000000002F8000-memory.dmp	UPX
behavioral1/memory/2224-7-0x0000000000F60000-0x0000000000F88000-memory.dmp	UPX
behavioral1/memory/2764-9-0x00000000002D0000-0x00000000002F8000-memory.dmp	UPX
behavioral1/memory/2224-10-0x0000000000F60000-0x0000000000F88000-memory.dmp	UPX

Deletes itself 1 IoCs

pid	Process
2396	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2764	wuauclt.exe

Loads dropped DLL 1 IoCs

pid	Process
2224	fb4374ef5f4fefe9270b164405d944d1d42eab5e1277c775d076ac39dfed64da.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2224-0-0x0000000000F60000-0x0000000000F88000-memory.dmp	upx
behavioral1/files/0x003500000001415f-5.dat	upx
behavioral1/memory/2764-6-0x00000000002D0000-0x00000000002F8000-memory.dmp	upx
behavioral1/memory/2224-7-0x0000000000F60000-0x0000000000F88000-memory.dmp	upx
behavioral1/memory/2764-9-0x00000000002D0000-0x00000000002F8000-memory.dmp	upx
behavioral1/memory/2224-10-0x0000000000F60000-0x0000000000F88000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run"	fb4374ef5f4fefe9270b164405d944d1d42eab5e1277c775d076ac39dfed64da.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2764	2224	fb4374ef5f4fefe9270b164405d944d1d42eab5e1277c775d076ac39dfed64da.exe	28
PID 2224 wrote to memory of 2764	2224	fb4374ef5f4fefe9270b164405d944d1d42eab5e1277c775d076ac39dfed64da.exe	28
PID 2224 wrote to memory of 2764	2224	fb4374ef5f4fefe9270b164405d944d1d42eab5e1277c775d076ac39dfed64da.exe	28
PID 2224 wrote to memory of 2764	2224	fb4374ef5f4fefe9270b164405d944d1d42eab5e1277c775d076ac39dfed64da.exe	28
PID 2224 wrote to memory of 2396	2224	fb4374ef5f4fefe9270b164405d944d1d42eab5e1277c775d076ac39dfed64da.exe	29
PID 2224 wrote to memory of 2396	2224	fb4374ef5f4fefe9270b164405d944d1d42eab5e1277c775d076ac39dfed64da.exe	29
PID 2224 wrote to memory of 2396	2224	fb4374ef5f4fefe9270b164405d944d1d42eab5e1277c775d076ac39dfed64da.exe	29
PID 2224 wrote to memory of 2396	2224	fb4374ef5f4fefe9270b164405d944d1d42eab5e1277c775d076ac39dfed64da.exe	29

C:\Users\Admin\AppData\Local\Temp\fb4374ef5f4fefe9270b164405d944d1d42eab5e1277c775d076ac39dfed64da.exe
"C:\Users\Admin\AppData\Local\Temp\fb4374ef5f4fefe9270b164405d944d1d42eab5e1277c775d076ac39dfed64da.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2224
- C:\ProgramData\Update\wuauclt.exe
  "C:\ProgramData\Update\wuauclt.exe" /run
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\windows\SysWOW64\cmd.exe
  "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\fb4374ef5f4fefe9270b164405d944d1d42eab5e1277c775d076ac39dfed64da.exe" >> NUL
  2⤵
  - Deletes itself
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Update\wuauclt.exe

Filesize
134KB

MD5
6c1de4c50bedddcb012735be6b3004af

SHA1
bf81f0e06475352505233688dcf27f0d7c990514

SHA256
b3ededc6177b4bdf09aa2f0e4cdb546757db94b38558d9df2a2faf9b0f793dd0

SHA512
0f990647c6b6f1676aa5a2767ea615b31bc9f21d247b535bc834951c4c7009078e5f971cd795209909e3c683099bf700227547853024acdecc7d1b16fe221399

Download Submit
memory/2224-0-0x0000000000F60000-0x0000000000F88000-memory.dmp

Filesize
160KB

Download
memory/2224-7-0x0000000000F60000-0x0000000000F88000-memory.dmp

Filesize
160KB

Download
memory/2224-8-0x00000000002D0000-0x00000000002F8000-memory.dmp

Filesize
160KB

Download
memory/2224-10-0x0000000000F60000-0x0000000000F88000-memory.dmp

Filesize
160KB

Download
memory/2764-6-0x00000000002D0000-0x00000000002F8000-memory.dmp

Filesize
160KB

Download
memory/2764-9-0x00000000002D0000-0x00000000002F8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads