83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f

General

Target

83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
Size

7.7MB
MD5

31326fa0ec76cb87baaf1f3867ca81f7
SHA1

9fcc73678e157c47874f12d5bb03c2e543313229
SHA256

83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f
SHA512

6f094c2a82b094eedd157f019148087537f96ed01fe7784078ab83739a6a6397094dc7f33d392389b5775e623aadb100382cbcbdee017b965b4adf018107de71
SSDEEP

196608:9wCdpQRxJp/puV3or0Xv+ujBnaiIRFGWTCv+lMjjzqsu0aYTIxDI4aM:dsRLuV3oYX2qnXIRFXXM/bu0zTIxDIHM

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2616	3716783f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe

Loads dropped DLL 2 IoCs

pid	Process
1168	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
2616	3716783f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1168-3-0x0000000000400000-0x0000000000CC2000-memory.dmp	upx
behavioral1/memory/1168-6-0x0000000000400000-0x0000000000CC2000-memory.dmp	upx
behavioral1/memory/1168-7-0x0000000000400000-0x0000000000CC2000-memory.dmp	upx
behavioral1/memory/1168-8-0x0000000000400000-0x0000000000CC2000-memory.dmp	upx
behavioral1/memory/1168-9-0x0000000000400000-0x0000000000CC2000-memory.dmp	upx
behavioral1/files/0x0006000000015e85-39.dat	upx
behavioral1/memory/2616-47-0x0000000000400000-0x0000000000CC2000-memory.dmp	upx
behavioral1/memory/1168-49-0x0000000000400000-0x0000000000CC2000-memory.dmp	upx
behavioral1/memory/2616-76-0x0000000000400000-0x0000000000CC2000-memory.dmp	upx
behavioral1/memory/2616-77-0x0000000000400000-0x0000000000CC2000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
File opened (read-only)	\??\R:	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
File opened (read-only)	\??\S:	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
File opened (read-only)	\??\T:	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
File opened (read-only)	\??\A:	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
File opened (read-only)	\??\B:	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
File opened (read-only)	\??\K:	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
File opened (read-only)	\??\M:	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
File opened (read-only)	\??\W:	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
File opened (read-only)	\??\Y:	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
File opened (read-only)	\??\G:	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
File opened (read-only)	\??\H:	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
File opened (read-only)	\??\I:	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
File opened (read-only)	\??\L:	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
File opened (read-only)	\??\N:	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
File opened (read-only)	\??\P:	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
File opened (read-only)	\??\V:	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
File opened (read-only)	\??\X:	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
File opened (read-only)	\??\Z:	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
File opened (read-only)	\??\E:	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
File opened (read-only)	\??\J:	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
File opened (read-only)	\??\Q:	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
File opened (read-only)	\??\U:	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	3716783f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2616	3716783f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1168	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
1168	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
1168	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
1168	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
2616	3716783f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
2616	3716783f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
2616	3716783f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
2616	3716783f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 2616	1168	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe	29
PID 1168 wrote to memory of 2616	1168	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe	29
PID 1168 wrote to memory of 2616	1168	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe	29
PID 1168 wrote to memory of 2616	1168	83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe	29

C:\Users\Admin\AppData\Local\Temp\83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
"C:\Users\Admin\AppData\Local\Temp\83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1168
- C:\·çÔÂ×¨Êô[µÚÆß¾í]\3716783f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
  C:\·çÔÂ×¨Êô[µÚÆß¾í]\3716783f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A8DU897P\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HWTP8BNA\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\f059ce5f7deebcb06d0f9cf7e838c7ea.txt

Filesize
20B

MD5
23fc825e0dab1e2265f5de692943df0c

SHA1
f5c8eefe5e69389837fec1fe769b67afda4751e3

SHA256
e37648564e46292426d0ef77640b58fa43d1e5daedf92a7b66a7250b4aa7856a

SHA512
635f157617207386710e14f54e476ea3e788388889fc2d0846f173772ea3506e04301982aa7c10f283f4ce3ec6f21a9174b3dce436e3b9f9b931ede085849bed

Download Submit
\·çÔÂ×¨Êô[µÚÆß¾í]\3716783f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f.exe

Filesize
7.7MB

MD5
31326fa0ec76cb87baaf1f3867ca81f7

SHA1
9fcc73678e157c47874f12d5bb03c2e543313229

SHA256
83f8b1b370516480b352374a52f9fe36a95e0eca467d060819d276c5749b3b9f

SHA512
6f094c2a82b094eedd157f019148087537f96ed01fe7784078ab83739a6a6397094dc7f33d392389b5775e623aadb100382cbcbdee017b965b4adf018107de71

Download Submit
memory/1168-7-0x0000000000400000-0x0000000000CC2000-memory.dmp

Filesize
8.8MB

Download
memory/1168-8-0x0000000000400000-0x0000000000CC2000-memory.dmp

Filesize
8.8MB

Download
memory/1168-9-0x0000000000400000-0x0000000000CC2000-memory.dmp

Filesize
8.8MB

Download
memory/1168-3-0x0000000000400000-0x0000000000CC2000-memory.dmp

Filesize
8.8MB

Download
memory/1168-43-0x000000000CBD0000-0x000000000D492000-memory.dmp

Filesize
8.8MB

Download
memory/1168-49-0x0000000000400000-0x0000000000CC2000-memory.dmp

Filesize
8.8MB

Download
memory/1168-5-0x0000000000CBA000-0x0000000000CBB000-memory.dmp

Filesize
4KB

Download
memory/1168-6-0x0000000000400000-0x0000000000CC2000-memory.dmp

Filesize
8.8MB

Download
memory/1168-4-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2616-47-0x0000000000400000-0x0000000000CC2000-memory.dmp

Filesize
8.8MB

Download
memory/2616-73-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/2616-76-0x0000000000400000-0x0000000000CC2000-memory.dmp

Filesize
8.8MB

Download
memory/2616-77-0x0000000000400000-0x0000000000CC2000-memory.dmp

Filesize
8.8MB

Download

Analysis

Sharing