1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc

General

Target

1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
Size

12.9MB
MD5

f2b2e465c87336bcfa9031cf67352d9f
SHA1

205393c0440366d5718306bf355d2d0057306a6d
SHA256

1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc
SHA512

abbb8f0c303dadaa445651f26dd156efb118394942464dd10a56e8947ff5c7cd5d687d0017195d47c2b6baff3e8bf559f143d91cabe4cdf70f038dbfd9366936
SSDEEP

393216:skp4W171LyjG920082mFFE5Z4xLZbji5TQ:8mpLi1uNdsTQ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4628	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe

Executes dropped EXE 1 IoCs

pid	Process
4628	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2484-2-0x0000000002510000-0x000000000251B000-memory.dmp	upx
behavioral2/memory/4628-15-0x0000000000DB0000-0x0000000000DBB000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
File opened (read-only)	\??\Q:	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
File opened (read-only)	\??\U:	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
File opened (read-only)	\??\S:	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
File opened (read-only)	\??\T:	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
File opened (read-only)	\??\X:	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
File opened (read-only)	\??\Y:	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
File opened (read-only)	\??\A:	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
File opened (read-only)	\??\E:	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
File opened (read-only)	\??\G:	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
File opened (read-only)	\??\P:	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
File opened (read-only)	\??\Z:	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
File opened (read-only)	\??\H:	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
File opened (read-only)	\??\I:	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
File opened (read-only)	\??\M:	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
File opened (read-only)	\??\R:	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
File opened (read-only)	\??\O:	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
File opened (read-only)	\??\V:	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
File opened (read-only)	\??\W:	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
File opened (read-only)	\??\B:	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
File opened (read-only)	\??\J:	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
File opened (read-only)	\??\L:	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
File opened (read-only)	\??\N:	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2484	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
2484	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
2484	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
2484	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
2484	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
4628	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
4628	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
4628	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
4628	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
4628	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 4628	2484	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe	93
PID 2484 wrote to memory of 4628	2484	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe	93
PID 2484 wrote to memory of 4628	2484	1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe	93

C:\Users\Admin\AppData\Local\Temp\1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
"C:\Users\Admin\AppData\Local\Temp\1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2484
- C:\92pkÌìÑÄÌØ½ä\1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
  C:\92pkÌìÑÄÌØ½ä\1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\92pkÌìÑÄÌØ½ä\1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc.exe

Filesize
12.9MB

MD5
f2b2e465c87336bcfa9031cf67352d9f

SHA1
205393c0440366d5718306bf355d2d0057306a6d

SHA256
1066eec974a49a38c6926650d2a13720a61df1e3be7f72fa46543e1e9fd2d5fc

SHA512
abbb8f0c303dadaa445651f26dd156efb118394942464dd10a56e8947ff5c7cd5d687d0017195d47c2b6baff3e8bf559f143d91cabe4cdf70f038dbfd9366936

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.dat

Filesize
102B

MD5
0bfa03b69330413e7867e14c06f06074

SHA1
2910918c4c59f341f696d4b3482268e8d96d5976

SHA256
83477dbc7b6936a19f2b552b07439612caf781fdcda189582a1a127a11960926

SHA512
3b39a2c1b233db8a0efed8fac31b8989424b27c825608bbcbdffaf5644b2dde735da2d3742fa396a444928c16233383050d03057c28745cc73acd3fd89ec508d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec43e2d953fe04e382b6eaaad8a95dc9.txt

Filesize
16B

MD5
7bc1bde1478322d5237e89b121ea1d3f

SHA1
fcded47249c42cfef574d2f085484a1c7f5ed51e

SHA256
6b48814c42b8009c986f97ddc2f9b92fcd60a64eceb850b362228049d2bebf75

SHA512
cffdd0409d760e1f12d65a8a003e77323c366a94175ba89faf0468f8fac0e44f7bb6866980f21f12d5b5f45dd131d4eb54a6baea8131b8a700305779e626bdb9

Download Submit
memory/2484-17-0x0000000000400000-0x00000000007D7000-memory.dmp

Filesize
3.8MB

Download
memory/2484-0-0x0000000000400000-0x00000000007D7000-memory.dmp

Filesize
3.8MB

Download
memory/2484-2-0x0000000002510000-0x000000000251B000-memory.dmp

Filesize
44KB

Download
memory/2484-3-0x0000000000400000-0x00000000007D7000-memory.dmp

Filesize
3.8MB

Download
memory/2484-4-0x0000000000400000-0x00000000007D7000-memory.dmp

Filesize
3.8MB

Download
memory/2484-5-0x0000000000400000-0x00000000007D7000-memory.dmp

Filesize
3.8MB

Download
memory/2484-6-0x0000000000400000-0x00000000007D7000-memory.dmp

Filesize
3.8MB

Download
memory/2484-1-0x00000000007B1000-0x00000000007B2000-memory.dmp

Filesize
4KB

Download
memory/2484-21-0x0000000000400000-0x00000000007D7000-memory.dmp

Filesize
3.8MB

Download
memory/4628-13-0x0000000000400000-0x00000000007D7000-memory.dmp

Filesize
3.8MB

Download
memory/4628-19-0x0000000000400000-0x00000000007D7000-memory.dmp

Filesize
3.8MB

Download
memory/4628-18-0x0000000000400000-0x00000000007D7000-memory.dmp

Filesize
3.8MB

Download
memory/4628-16-0x0000000000400000-0x00000000007D7000-memory.dmp

Filesize
3.8MB

Download
memory/4628-15-0x0000000000DB0000-0x0000000000DBB000-memory.dmp

Filesize
44KB

Download
memory/4628-14-0x0000000000400000-0x00000000007D7000-memory.dmp

Filesize
3.8MB

Download
memory/4628-40-0x0000000000400000-0x00000000007D7000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing