cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d

General

Target

cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
Size

10.5MB
MD5

6919ea6c31f0d014f2e2b255a2fb6bf9
SHA1

4cfd55fea7b78933cd8b219d0c87f4d17d71577d
SHA256

cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d
SHA512

08266e2f2de963aeb3d411108ae363b5a444fd97312d212e01cab17ae20aed354ffa4be0f64a4743f29b8c55548a9d5b9117ecd27e5ca4b41a27030f45fd71c4
SSDEEP

196608:/k/xL+l4ysRAqeXUE0ilKWUGNEoiN/A4sGV5lCh13z/jqRYN7hu+j5JE0FX:/kpLnibopGNvMlA3zr17hznEaX

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2568	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe

Executes dropped EXE 1 IoCs

pid	Process
2568	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe

Loads dropped DLL 2 IoCs

pid	Process
2912	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
2912	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2912-1-0x00000000002A0000-0x00000000002AB000-memory.dmp	upx
behavioral1/memory/2912-2-0x00000000002A0000-0x00000000002AB000-memory.dmp	upx
behavioral1/memory/2568-19-0x0000000000960000-0x000000000096B000-memory.dmp	upx
behavioral1/memory/2568-20-0x0000000000960000-0x000000000096B000-memory.dmp	upx
behavioral1/memory/2912-26-0x00000000002A0000-0x00000000002AB000-memory.dmp	upx
behavioral1/memory/2568-40-0x0000000000960000-0x000000000096B000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
File opened (read-only)	\??\E:	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
File opened (read-only)	\??\J:	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
File opened (read-only)	\??\L:	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
File opened (read-only)	\??\U:	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
File opened (read-only)	\??\V:	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
File opened (read-only)	\??\W:	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
File opened (read-only)	\??\Y:	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
File opened (read-only)	\??\Z:	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
File opened (read-only)	\??\K:	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
File opened (read-only)	\??\M:	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
File opened (read-only)	\??\N:	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
File opened (read-only)	\??\O:	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
File opened (read-only)	\??\P:	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
File opened (read-only)	\??\Q:	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
File opened (read-only)	\??\S:	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
File opened (read-only)	\??\G:	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
File opened (read-only)	\??\H:	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
File opened (read-only)	\??\I:	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
File opened (read-only)	\??\T:	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
File opened (read-only)	\??\A:	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
File opened (read-only)	\??\R:	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
File opened (read-only)	\??\X:	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2912	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
2912	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
2912	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
2912	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
2912	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
2568	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
2568	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
2568	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
2568	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
2568	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2568	2912	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe	28
PID 2912 wrote to memory of 2568	2912	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe	28
PID 2912 wrote to memory of 2568	2912	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe	28
PID 2912 wrote to memory of 2568	2912	cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe	28

C:\Users\Admin\AppData\Local\Temp\cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
"C:\Users\Admin\AppData\Local\Temp\cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912
- C:\cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d\cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
  C:\cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d\cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\080e0f6a642856636c9c63a7b7d8bb6a.txt

Filesize
68B

MD5
47dca828ccbeaf2f72ac0ec36a0dc19e

SHA1
5a7df23a7d626cb40216894e0b0e20a1d7b962bf

SHA256
32111b1edd4943dafc7f605d2c3a763ba5bd9f9d7869cd5891306f54eef2ae3c

SHA512
eb14d71a2e9ba71c04c45b3a780d1c1a5da8b7536bff35d63a295c1f17f58d5d5435102fa9c3db42fa1b0b222eddf7acd1e8e1a1f33078497d543ac0d2da9619

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.dat

Filesize
102B

MD5
d812191ddac6ce8cd746ff35ac8989e6

SHA1
bf23fd7be57f2c63101342024834cc10ce1e748c

SHA256
4155b4b9f168b57756c397c03cc899f633925f82ba23ac71b3be2d8d15ec026c

SHA512
928f50ab209d4aa639d582d796328953d861f3a799c166abc01150498f2f4548927c32a5060e83500177f93dc603693761fdf7d19dfd8932db741edb0692a3f7

Download Submit
\cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d\cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d.exe

Filesize
10.5MB

MD5
6919ea6c31f0d014f2e2b255a2fb6bf9

SHA1
4cfd55fea7b78933cd8b219d0c87f4d17d71577d

SHA256
cb9aac10e81dbafb3c9e71d1aa297014330b457702d4155034071761643ac23d

SHA512
08266e2f2de963aeb3d411108ae363b5a444fd97312d212e01cab17ae20aed354ffa4be0f64a4743f29b8c55548a9d5b9117ecd27e5ca4b41a27030f45fd71c4

Download Submit
memory/2568-22-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/2568-23-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/2568-48-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2568-42-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2568-18-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2568-40-0x0000000000960000-0x000000000096B000-memory.dmp

Filesize
44KB

Download
memory/2568-38-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2568-19-0x0000000000960000-0x000000000096B000-memory.dmp

Filesize
44KB

Download
memory/2568-20-0x0000000000960000-0x000000000096B000-memory.dmp

Filesize
44KB

Download
memory/2912-17-0x0000000007E60000-0x0000000008226000-memory.dmp

Filesize
3.8MB

Download
memory/2912-26-0x00000000002A0000-0x00000000002AB000-memory.dmp

Filesize
44KB

Download
memory/2912-25-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2912-0-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2912-2-0x00000000002A0000-0x00000000002AB000-memory.dmp

Filesize
44KB

Download
memory/2912-1-0x00000000002A0000-0x00000000002AB000-memory.dmp

Filesize
44KB

Download
memory/2912-16-0x0000000007E60000-0x0000000008226000-memory.dmp

Filesize
3.8MB

Download
memory/2912-5-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/2912-4-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2912-3-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing