26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3

General

Target

26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
Size

4.8MB
MD5

023a6a2fcd387fb9b6a3412f968fe167
SHA1

9b858f357c73500e5f7416b2601ac8bf1eb8009a
SHA256

26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3
SHA512

7f47b2f0cab6e616d58c3f6815ffb8624ad99bf110a68293ac8c6e627e1e18dc99087be889057de53015f762d65009465743d977ddfc09f7530bb41e5fad5b5a
SSDEEP

98304:ComRTpoQB4MBuySrBqf4Y99ca17ZHDjmP38xkt4OqoYXYzBFuDt3v:WRBJuygY9KItGPsxkSh5XY1FuB3v

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/612-1-0x0000000000400000-0x0000000000F25000-memory.dmp	upx
behavioral1/memory/612-0-0x0000000000400000-0x0000000000F25000-memory.dmp	upx
behavioral1/memory/612-2-0x0000000000400000-0x0000000000F25000-memory.dmp	upx

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
File opened (read-only)	\??\J:	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
File opened (read-only)	\??\U:	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
File opened (read-only)	\??\V:	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
File opened (read-only)	\??\X:	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
File opened (read-only)	\??\Y:	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
File opened (read-only)	\??\H:	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
File opened (read-only)	\??\K:	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
File opened (read-only)	\??\N:	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
File opened (read-only)	\??\R:	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
File opened (read-only)	\??\T:	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
File opened (read-only)	\??\G:	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
File opened (read-only)	\??\L:	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
File opened (read-only)	\??\O:	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
File opened (read-only)	\??\Z:	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
File opened (read-only)	\??\W:	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
File opened (read-only)	\??\I:	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
File opened (read-only)	\??\M:	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
File opened (read-only)	\??\P:	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
File opened (read-only)	\??\Q:	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
File opened (read-only)	\??\S:	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe

C:\Users\Admin\AppData\Local\Temp\26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe
"C:\Users\Admin\AppData\Local\Temp\26cbfd3bd15af9ea17d412b0c844ea0b612daa4c1df86f59f96437d62a348ac3.exe"
1⤵
- Enumerates connected drives
- Checks processor information in registry
- Enumerates system info in registry
PID:612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/612-1-0x0000000000400000-0x0000000000F25000-memory.dmp

Filesize
11.1MB

Download
memory/612-0-0x0000000000400000-0x0000000000F25000-memory.dmp

Filesize
11.1MB

Download
memory/612-2-0x0000000000400000-0x0000000000F25000-memory.dmp

Filesize
11.1MB

Download
memory/612-3-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/612-4-0x00000000037E0000-0x0000000003897000-memory.dmp

Filesize
732KB

Download
memory/612-5-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/612-6-0x00000000037E0000-0x0000000003897000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads