ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23

General

Target

ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
Size

12.7MB
MD5

de409a7b55a1d7037f56ada0c1ca1e17
SHA1

1a98420d5b7b7c9948086ff9ed41c3ab8820da24
SHA256

ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23
SHA512

e8846cc29fd9c29cee5a1faaf36fa8c555f92aada66082ba60a8d38576d109c6f3d1fc7b4a0073e7f8148f3e904491a4e494cbacba5ad1e768c617c8531f0753
SSDEEP

196608:/k/xL+l4abylCobjkkC7mWbSZ5l2K9mpQ1sfJKWUGNEoiN/A4s/haq/lfsGBrDLx:/kp0OlWZCGQ2KX1lpGNv5BlFn

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1472	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe

Executes dropped EXE 1 IoCs

pid	Process
1472	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3444-2-0x0000000002690000-0x000000000269B000-memory.dmp	upx
behavioral2/memory/1472-15-0x0000000002990000-0x000000000299B000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
File opened (read-only)	\??\O:	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
File opened (read-only)	\??\W:	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
File opened (read-only)	\??\A:	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
File opened (read-only)	\??\E:	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
File opened (read-only)	\??\J:	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
File opened (read-only)	\??\L:	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
File opened (read-only)	\??\N:	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
File opened (read-only)	\??\R:	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
File opened (read-only)	\??\U:	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
File opened (read-only)	\??\X:	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
File opened (read-only)	\??\G:	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
File opened (read-only)	\??\H:	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
File opened (read-only)	\??\K:	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
File opened (read-only)	\??\Y:	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
File opened (read-only)	\??\Q:	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
File opened (read-only)	\??\T:	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
File opened (read-only)	\??\V:	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
File opened (read-only)	\??\Z:	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
File opened (read-only)	\??\B:	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
File opened (read-only)	\??\I:	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
File opened (read-only)	\??\P:	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
File opened (read-only)	\??\S:	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3444	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
3444	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
3444	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
3444	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
3444	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
1472	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
1472	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
1472	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
1472	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
1472	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 1472	3444	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe	94
PID 3444 wrote to memory of 1472	3444	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe	94
PID 3444 wrote to memory of 1472	3444	ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe	94

C:\Users\Admin\AppData\Local\Temp\ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
"C:\Users\Admin\AppData\Local\Temp\ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3444
- C:\ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23\ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
  C:\ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23\ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a9a28345b46991eda8597a9671e90492.txt

Filesize
68B

MD5
2a36682412f3730db250c4dd4e968b29

SHA1
ade01cf95bb1c75482956e72b727f6eb850a7e4c

SHA256
5255fa3ca2362d3c068cc6459e940d71de813ea52ab060d0bc8625db230c51b1

SHA512
b86e7a6ae50bdadbc0b77b3ea8136a5f3b495d14bb382f013dcd97c2790e6773bdece59028bbd93496b6360dcc78a20c72a0102e9ea3c3bbe667eca91943c252

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.dat

Filesize
102B

MD5
d65b557a8a9931907d93589d229a93ad

SHA1
66eee5f9c069ac87c026a9fed81e916988fd076a

SHA256
7d263b158814755fe102ddcade419c91d06c04848adfee62f20309e947e8c3f0

SHA512
6fdece459db11db3d23b8789a5fe72691eb1039ee50937cf670a117b7d1a430e3297f34e85463bd355c8a1219b86b672c827adc0825c191eda31dd76a6042e4e

Download Submit
C:\ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23\ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23.exe

Filesize
12.7MB

MD5
de409a7b55a1d7037f56ada0c1ca1e17

SHA1
1a98420d5b7b7c9948086ff9ed41c3ab8820da24

SHA256
ffaf407d409eb05911de8223d4fceecddd8e78d919cefe75a32b2eabb06ecb23

SHA512
e8846cc29fd9c29cee5a1faaf36fa8c555f92aada66082ba60a8d38576d109c6f3d1fc7b4a0073e7f8148f3e904491a4e494cbacba5ad1e768c617c8531f0753

Download Submit
memory/1472-15-0x0000000002990000-0x000000000299B000-memory.dmp

Filesize
44KB

Download
memory/1472-22-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/1472-51-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/1472-23-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/1472-20-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/1472-13-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/1472-14-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/1472-16-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/3444-0-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/3444-18-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/3444-19-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/3444-3-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/3444-2-0x0000000002690000-0x000000000269B000-memory.dmp

Filesize
44KB

Download
memory/3444-4-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/3444-6-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/3444-1-0x00000000007B1000-0x00000000007B2000-memory.dmp

Filesize
4KB

Download
memory/3444-5-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing