00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a

General

Target

00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
Size

14.0MB
MD5

bcd845203afaa5e7201a85c25a355587
SHA1

4826add6a72f8829d2748a270a5c48b4d540cb72
SHA256

00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a
SHA512

f1071d11ea0393b0f305e83092809202b07f2646a3e015b94314cb193d18eb4f0741d47a36ee47ce107d5d015b30e5d0dfe9b52a60ae63de11bb108add6fae38
SSDEEP

393216:SkpyRnJjWx5sCNXFpklRKGM6gvVnD/GWocB6/F3F86uV:0JabtPu7gvVjWl3huV

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2592	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe

Executes dropped EXE 1 IoCs

pid	Process
2592	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe

Loads dropped DLL 2 IoCs

pid	Process
992	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
992	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/992-1-0x0000000000320000-0x000000000032B000-memory.dmp	upx
behavioral1/memory/992-2-0x0000000000320000-0x000000000032B000-memory.dmp	upx
behavioral1/memory/2592-20-0x0000000000320000-0x000000000032B000-memory.dmp	upx
behavioral1/memory/992-25-0x0000000000320000-0x000000000032B000-memory.dmp	upx
behavioral1/memory/2592-57-0x0000000000320000-0x000000000032B000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
File opened (read-only)	\??\B:	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
File opened (read-only)	\??\K:	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
File opened (read-only)	\??\M:	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
File opened (read-only)	\??\Q:	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
File opened (read-only)	\??\W:	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
File opened (read-only)	\??\Y:	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
File opened (read-only)	\??\E:	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
File opened (read-only)	\??\G:	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
File opened (read-only)	\??\H:	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
File opened (read-only)	\??\I:	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
File opened (read-only)	\??\P:	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
File opened (read-only)	\??\T:	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
File opened (read-only)	\??\X:	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
File opened (read-only)	\??\N:	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
File opened (read-only)	\??\O:	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
File opened (read-only)	\??\R:	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
File opened (read-only)	\??\S:	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
File opened (read-only)	\??\V:	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
File opened (read-only)	\??\J:	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
File opened (read-only)	\??\L:	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
File opened (read-only)	\??\U:	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
File opened (read-only)	\??\Z:	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
992	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
992	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
992	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
992	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
992	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
2592	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
2592	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
2592	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
2592	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
2592	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 2592	992	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe	28
PID 992 wrote to memory of 2592	992	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe	28
PID 992 wrote to memory of 2592	992	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe	28
PID 992 wrote to memory of 2592	992	00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe	28

C:\Users\Admin\AppData\Local\Temp\00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
"C:\Users\Admin\AppData\Local\Temp\00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:992
- C:\×¿Ô½ÓñÍÃol\00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
  C:\×¿Ô½ÓñÍÃol\00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\20c193145f9ef1400079c77bd8094934.txt

Filesize
14B

MD5
b08c770c7d6f4155bee76ca2603c0d01

SHA1
404e142bf2ffb5436ca2b4e9849b28a11710fabb

SHA256
d7f9b698c1e220f38b5a7a2cb276d465ce98f9e9f3504646cd74d121528db794

SHA512
61b66b414f6508bc317dd547e4306007b5e641737bbafbc2ef95519fcadbd4c53d500ca182b066cc5be956e372e5a5f8554767f9329e399bdb86e76980c19960

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.dat

Filesize
102B

MD5
628e0fd6eca7b037aa7db60f29ed0971

SHA1
c36f312b68c2a71985525466b2ad768c0bfbd2e3

SHA256
0b768136993581bfeecc7bd204d6b23627a460789fb7406da0b07c43952428cc

SHA512
c6495c001df7e21a776c14de50762fbb3e4137d2c1e4e5a6db2773af15a56fe85526087df965f9d545baf7b695c0dc4066ce3818d78e91dae3c18ed0cbd794a8

Download Submit
\×¿Ô½ÓñÍÃol\00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a.exe

Filesize
14.0MB

MD5
bcd845203afaa5e7201a85c25a355587

SHA1
4826add6a72f8829d2748a270a5c48b4d540cb72

SHA256
00b9c3b18ccba1a6f32d423d6fef32ea005037dd9c1f8d71b178d7515ff1504a

SHA512
f1071d11ea0393b0f305e83092809202b07f2646a3e015b94314cb193d18eb4f0741d47a36ee47ce107d5d015b30e5d0dfe9b52a60ae63de11bb108add6fae38

Download Submit
memory/992-4-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/992-21-0x0000000000400000-0x00000000007B9000-memory.dmp

Filesize
3.7MB

Download
memory/992-0-0x0000000000400000-0x00000000007B9000-memory.dmp

Filesize
3.7MB

Download
memory/992-3-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/992-1-0x0000000000320000-0x000000000032B000-memory.dmp

Filesize
44KB

Download
memory/992-17-0x00000000081C0000-0x0000000008579000-memory.dmp

Filesize
3.7MB

Download
memory/992-16-0x00000000081C0000-0x0000000008579000-memory.dmp

Filesize
3.7MB

Download
memory/992-2-0x0000000000320000-0x000000000032B000-memory.dmp

Filesize
44KB

Download
memory/992-25-0x0000000000320000-0x000000000032B000-memory.dmp

Filesize
44KB

Download
memory/992-5-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/2592-22-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/2592-23-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/2592-20-0x0000000000320000-0x000000000032B000-memory.dmp

Filesize
44KB

Download
memory/2592-18-0x0000000000400000-0x00000000007B9000-memory.dmp

Filesize
3.7MB

Download
memory/2592-55-0x0000000000400000-0x00000000007B9000-memory.dmp

Filesize
3.7MB

Download
memory/2592-57-0x0000000000320000-0x000000000032B000-memory.dmp

Filesize
44KB

Download
memory/2592-59-0x0000000000400000-0x00000000007B9000-memory.dmp

Filesize
3.7MB

Download

Analysis

Sharing