7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a

General

Target

7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
Size

11.8MB
MD5

5f227ea33d9907bd4baf01d8d338982f
SHA1

2475beb0899e8c9f1b4e9ddc75a0410743e80607
SHA256

7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a
SHA512

75a6d052d25cfb57fd866dfc17e67e5dbcfa52f7d0af612740ac1c3656e1927fb839fd6b8c1a36ae0fa98524ab87954e81832b0de844dd496d37c11a8793b089
SSDEEP

196608:yk/xL+l4wCekpX3oqoV+0XKIKWUGNEoiN/A4saY636Iydc1IAxHbG6rjYKx0cyMn:ykp2CektYxojtpGNvaYK6IzeANC6PYK9

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3684	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe

Executes dropped EXE 1 IoCs

pid	Process
3684	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1200-2-0x0000000002770000-0x000000000277B000-memory.dmp	upx
behavioral2/memory/3684-12-0x0000000002530000-0x000000000253B000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
File opened (read-only)	\??\N:	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
File opened (read-only)	\??\Q:	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
File opened (read-only)	\??\V:	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
File opened (read-only)	\??\G:	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
File opened (read-only)	\??\I:	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
File opened (read-only)	\??\M:	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
File opened (read-only)	\??\R:	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
File opened (read-only)	\??\U:	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
File opened (read-only)	\??\L:	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
File opened (read-only)	\??\O:	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
File opened (read-only)	\??\P:	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
File opened (read-only)	\??\Y:	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
File opened (read-only)	\??\A:	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
File opened (read-only)	\??\B:	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
File opened (read-only)	\??\E:	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
File opened (read-only)	\??\H:	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
File opened (read-only)	\??\K:	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
File opened (read-only)	\??\S:	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
File opened (read-only)	\??\T:	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
File opened (read-only)	\??\W:	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
File opened (read-only)	\??\X:	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
File opened (read-only)	\??\Z:	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1200	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
1200	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
1200	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
1200	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
1200	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
3684	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
3684	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
3684	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
3684	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
3684	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 3684	1200	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe	89
PID 1200 wrote to memory of 3684	1200	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe	89
PID 1200 wrote to memory of 3684	1200	7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe	89

C:\Users\Admin\AppData\Local\Temp\7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
"C:\Users\Admin\AppData\Local\Temp\7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1200
- C:\°åÇÅ´«ÆæÎ¢¶Ë[×îÐÂ]\7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
  C:\°åÇÅ´«ÆæÎ¢¶Ë[×îÐÂ]\7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b74602e1079aa1544d0fbe7dd2b284b9.txt

Filesize
22B

MD5
f47eb11a163f86a374531c400c645bdb

SHA1
51430dd8857722fef44cbc1d7951a736b8d87f35

SHA256
0d4606f972c089788f2ede410ca098db7f5514f7a7cf5431aa518f94d0c4a62a

SHA512
a861b75eaca0f06189aab1cef86a1c5db26252d8d906fb92229e5b6d56b245d6c5ba9330e1942f1e1bcb2aa391bbcad1f51e5fdb635668b773845b1bb506d876

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.dat

Filesize
102B

MD5
93c45aa60c5422e4c835e70a2921c1b0

SHA1
a89d008b19ac22b2ceb7c5787b868b14cb2e50f6

SHA256
2a282ef7a39b0974b1991046b59c5355b68176204fc7ee33584e0753a5f00999

SHA512
27a274f9237292b221de820d432d42879a9ca155028a06507da112068ae1597132d131f7912f3481de8dca2ed38874ea41851b641251d65498d159901d9cff6d

Download Submit
C:\°åÇÅ´«ÆæÎ¢¶Ë[×îÐÂ]\7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a.exe

Filesize
11.8MB

MD5
5f227ea33d9907bd4baf01d8d338982f

SHA1
2475beb0899e8c9f1b4e9ddc75a0410743e80607

SHA256
7c1081ac7208565b6448166544600fd579f54e0a8a1b57c248330fd148fdd98a

SHA512
75a6d052d25cfb57fd866dfc17e67e5dbcfa52f7d0af612740ac1c3656e1927fb839fd6b8c1a36ae0fa98524ab87954e81832b0de844dd496d37c11a8793b089

Download Submit
memory/1200-14-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/1200-4-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/1200-3-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/1200-17-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/1200-1-0x00000000007B1000-0x00000000007B2000-memory.dmp

Filesize
4KB

Download
memory/1200-2-0x0000000002770000-0x000000000277B000-memory.dmp

Filesize
44KB

Download
memory/1200-0-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/3684-11-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/3684-12-0x0000000002530000-0x000000000253B000-memory.dmp

Filesize
44KB

Download
memory/3684-13-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/3684-15-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/3684-18-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/3684-30-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download

Analysis

Sharing