5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f

General

Target

5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
Size

7.1MB
MD5

44ed595bdf2594ad908dd1688489e72c
SHA1

61979e0087c08d82590f02ebf9cd04246c4a1fdf
SHA256

5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f
SHA512

b9bb30034bb741ca0512963704c3764914d24dea25ba65b8d9abac08a683fc4cd52c2debedd23576b2069874b379bfacb97768376a4a6a9ea1596f928f96f448
SSDEEP

196608:yk/xL+l4p36Iydc1IAxHbG6rjYgMuUR5nPaGd+uh:ykp/6IzeANC6PYgMTXPa0v

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4752	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe

Executes dropped EXE 1 IoCs

pid	Process
4752	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/244-2-0x0000000002670000-0x000000000267B000-memory.dmp	upx
behavioral2/memory/4752-14-0x0000000000D90000-0x0000000000D9B000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
File opened (read-only)	\??\N:	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
File opened (read-only)	\??\U:	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
File opened (read-only)	\??\M:	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
File opened (read-only)	\??\R:	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
File opened (read-only)	\??\T:	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
File opened (read-only)	\??\X:	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
File opened (read-only)	\??\Y:	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
File opened (read-only)	\??\G:	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
File opened (read-only)	\??\H:	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
File opened (read-only)	\??\K:	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
File opened (read-only)	\??\S:	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
File opened (read-only)	\??\V:	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
File opened (read-only)	\??\Z:	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
File opened (read-only)	\??\E:	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
File opened (read-only)	\??\I:	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
File opened (read-only)	\??\P:	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
File opened (read-only)	\??\O:	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
File opened (read-only)	\??\Q:	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
File opened (read-only)	\??\W:	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
File opened (read-only)	\??\A:	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
File opened (read-only)	\??\B:	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
File opened (read-only)	\??\L:	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
244	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
244	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
244	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
244	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
244	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
4752	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
4752	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
4752	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
4752	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
4752	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 244 wrote to memory of 4752	244	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe	90
PID 244 wrote to memory of 4752	244	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe	90
PID 244 wrote to memory of 4752	244	5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe	90

C:\Users\Admin\AppData\Local\Temp\5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
"C:\Users\Admin\AppData\Local\Temp\5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:244
- C:\1.76ÎåÔÀ¸´¹Å\5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
  C:\1.76ÎåÔÀ¸´¹Å\5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1.76ÎåÔÀ¸´¹Å\5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f.exe

Filesize
7.1MB

MD5
44ed595bdf2594ad908dd1688489e72c

SHA1
61979e0087c08d82590f02ebf9cd04246c4a1fdf

SHA256
5333d7493de096537a2fc3368b5252f4524bc774804a604406e7d78fbbcf6c7f

SHA512
b9bb30034bb741ca0512963704c3764914d24dea25ba65b8d9abac08a683fc4cd52c2debedd23576b2069874b379bfacb97768376a4a6a9ea1596f928f96f448

Download Submit
C:\Users\Admin\AppData\Local\Temp\424b9ea7f037861fec8158894b0319fa.txt

Filesize
16B

MD5
f1a9af0e457c9653bf7381bfa2a3a91d

SHA1
9489479df3eb2b39b4f6f820e398f26afc798868

SHA256
5636f22be2b859643cc29787709c4c1d17c3ce93ea54b27bc14dc2c7949bdd0c

SHA512
d653f5d208ffba8ae5013097ac4ead0634ae0e917912d78400b6e1384957a827c5901510d51689ae9fe369654fc67194e599c561f6b7a76181ab7b9c928dbd4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.dat

Filesize
102B

MD5
f3594f4fe035be8e6ec25421fc7369f1

SHA1
edc048744335ddb5da5dc87366f5108f4876449c

SHA256
83f42b50f522f97c8757902e73679deae5902c15d01e14ec071d438543fe7cd6

SHA512
95eea911e32dd1c40b5bf985a4b75a1218a7ee4bdf6d4944fab397d92a70f076ab4825fd8d9ff1b83fadcba951d063dcbaa32d4b0163d672a1b2bbf5ba35603b

Download Submit
memory/244-19-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/244-0-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/244-2-0x0000000002670000-0x000000000267B000-memory.dmp

Filesize
44KB

Download
memory/244-3-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/244-4-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/244-5-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/244-6-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/244-1-0x00000000007B1000-0x00000000007B2000-memory.dmp

Filesize
4KB

Download
memory/244-16-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/4752-13-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/4752-20-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/4752-17-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/4752-15-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/4752-21-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/4752-14-0x0000000000D90000-0x0000000000D9B000-memory.dmp

Filesize
44KB

Download
memory/4752-30-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download

Analysis

Sharing