f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5

General

Target

f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
Size

13.4MB
MD5

7377b1e9953e1d970f1bfddb757fa044
SHA1

a267f7a162984b29332e6c3281d3b051e487a9f6
SHA256

f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5
SHA512

6dcdf13c4435e1f175d0a57980678ddba11dfe7ec19f9117840778220df8817fbe3864c911c443127d50254ab6c027994ebde51d6437a8522bb66312bd970dea
SSDEEP

393216:/kpuAy0ztGnT6g0Knjp+/uP+RQGPA0vo+zn6kuSF//cauM:wbQnT13F+/g1U65w3cg

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1324	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe

Executes dropped EXE 1 IoCs

pid	Process
1324	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3260-2-0x0000000002770000-0x000000000277B000-memory.dmp	upx
behavioral2/memory/1324-15-0x0000000002540000-0x000000000254B000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
File opened (read-only)	\??\T:	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
File opened (read-only)	\??\U:	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
File opened (read-only)	\??\M:	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
File opened (read-only)	\??\O:	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
File opened (read-only)	\??\Q:	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
File opened (read-only)	\??\R:	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
File opened (read-only)	\??\P:	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
File opened (read-only)	\??\V:	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
File opened (read-only)	\??\Z:	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
File opened (read-only)	\??\A:	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
File opened (read-only)	\??\H:	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
File opened (read-only)	\??\J:	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
File opened (read-only)	\??\N:	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
File opened (read-only)	\??\X:	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
File opened (read-only)	\??\G:	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
File opened (read-only)	\??\K:	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
File opened (read-only)	\??\L:	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
File opened (read-only)	\??\W:	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
File opened (read-only)	\??\B:	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
File opened (read-only)	\??\E:	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
File opened (read-only)	\??\I:	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
File opened (read-only)	\??\Y:	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3260	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
3260	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
3260	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
3260	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
3260	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
1324	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
1324	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
1324	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
1324	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
1324	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 1324	3260	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe	92
PID 3260 wrote to memory of 1324	3260	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe	92
PID 3260 wrote to memory of 1324	3260	f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe	92

C:\Users\Admin\AppData\Local\Temp\f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
"C:\Users\Admin\AppData\Local\Temp\f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Çå·ç³ÁÄ¬Î¢¶Ë\f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
  C:\Çå·ç³ÁÄ¬Î¢¶Ë\f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9aae321000da3185363c1bc09ae68eba.txt

Filesize
16B

MD5
cd81767f8622b1c76a29e6cb6b719c49

SHA1
96d671cd62e7e15a2827b9cf3849ef026b38aff3

SHA256
247a026c986309a35d3a8579bea1c6e198786b8509120e502bc08f97ccc2663c

SHA512
52ec3a0f18babf6af987fe06bf276b0460661371a7e4aa9773d9a825c41439e042b9e7f565914a070516723c4f004df75946e403a59fe5e1b449ce2269054e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.dat

Filesize
102B

MD5
a7949392dbe15cc39cae4dd0a464a16d

SHA1
b244d62c86ed285e213d24e50b5ba92f1e6be680

SHA256
3a101a04406906237bd364502a81837cadbfb529d99ab0ca7816c9608565cdb7

SHA512
0680aaf0c0ce1bce273513aa6fc8e0e45c2e5cd42ec696dd8e5b999434c219a8d2b86eb90ee2169117401f3ab55fe10db0290763d3fced47bd659a42cb2f3938

Download Submit
C:\Çå·ç³ÁÄ¬Î¢¶Ë\f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5.exe

Filesize
13.4MB

MD5
7377b1e9953e1d970f1bfddb757fa044

SHA1
a267f7a162984b29332e6c3281d3b051e487a9f6

SHA256
f7a76577a371c6f5f833d85b50c7613d8c90e744f8a988112ddf1f3c619239d5

SHA512
6dcdf13c4435e1f175d0a57980678ddba11dfe7ec19f9117840778220df8817fbe3864c911c443127d50254ab6c027994ebde51d6437a8522bb66312bd970dea

Download Submit
memory/1324-20-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/1324-16-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/1324-45-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/1324-23-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/1324-21-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/1324-13-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/1324-14-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/1324-15-0x0000000002540000-0x000000000254B000-memory.dmp

Filesize
44KB

Download
memory/3260-19-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/3260-4-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/3260-17-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/3260-3-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/3260-0-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/3260-2-0x0000000002770000-0x000000000277B000-memory.dmp

Filesize
44KB

Download
memory/3260-6-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/3260-1-0x00000000007B1000-0x00000000007B2000-memory.dmp

Filesize
4KB

Download
memory/3260-5-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing