922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7

General

Target

922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
Size

7.5MB
MD5

ca1ebdc2376812aca799e6115226b3a2
SHA1

d3fbf1051bc8cc75d2152b84f6fb176ff3beb2d6
SHA256

922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7
SHA512

e199cfaa6d758225634cd9ca20ea18620603c66917c14d4514b10aa69bbbb245031d926bc72083b7a1b05e9ad1dd3b7fcab0a88085541f10a8df11c73eda84df
SSDEEP

196608:gqKoY7V6HlI1PFWUs8bb2s73QFqENscckrtfFqTyOrZY:5Pm6H6FFWUs4CszQFq0sccDNO

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2268	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe

Executes dropped EXE 1 IoCs

pid	Process
2268	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1712-2-0x0000000002690000-0x000000000269B000-memory.dmp	upx
behavioral2/memory/2268-17-0x0000000002540000-0x000000000254B000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
File opened (read-only)	\??\Z:	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
File opened (read-only)	\??\N:	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
File opened (read-only)	\??\P:	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
File opened (read-only)	\??\R:	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
File opened (read-only)	\??\S:	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
File opened (read-only)	\??\V:	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
File opened (read-only)	\??\H:	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
File opened (read-only)	\??\I:	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
File opened (read-only)	\??\M:	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
File opened (read-only)	\??\Y:	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
File opened (read-only)	\??\K:	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
File opened (read-only)	\??\Q:	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
File opened (read-only)	\??\X:	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
File opened (read-only)	\??\J:	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
File opened (read-only)	\??\L:	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
File opened (read-only)	\??\O:	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
File opened (read-only)	\??\T:	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
File opened (read-only)	\??\U:	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
File opened (read-only)	\??\A:	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
File opened (read-only)	\??\B:	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
File opened (read-only)	\??\E:	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
File opened (read-only)	\??\W:	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1712	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
1712	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
1712	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
1712	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
1712	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
2268	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
2268	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
2268	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
2268	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
2268	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2268	1712	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe	94
PID 1712 wrote to memory of 2268	1712	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe	94
PID 1712 wrote to memory of 2268	1712	922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe	94

C:\Users\Admin\AppData\Local\Temp\922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
"C:\Users\Admin\AppData\Local\Temp\922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712
- C:\922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7\922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
  C:\922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7\922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4016 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7\922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7.exe

Filesize
7.5MB

MD5
ca1ebdc2376812aca799e6115226b3a2

SHA1
d3fbf1051bc8cc75d2152b84f6fb176ff3beb2d6

SHA256
922de1dcb8e8e236de95a4755d195c3097c697ea259d92192f793ba58b5d8cb7

SHA512
e199cfaa6d758225634cd9ca20ea18620603c66917c14d4514b10aa69bbbb245031d926bc72083b7a1b05e9ad1dd3b7fcab0a88085541f10a8df11c73eda84df

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8c43851e4766c1e7628f67a5ed53b3e.txt

Filesize
68B

MD5
a5d1d9e2c24b012bd44b6c2d33b99f76

SHA1
43fa374f4253d1068f01b76d49a0ea9b3e69cff5

SHA256
fd9629f28d5079107c4745791939d39ded15fb60df3108ea178e6ba7a51083f6

SHA512
61f2cc8d3ede819b05b1ef2ce99a26a2bccd9e379656b17e94232d5080e255be9650740ec221bb9e1f7251e710142124316e98a7ac3490928a866096c4ebe911

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.dat

Filesize
102B

MD5
992e64060a260acbc74826a6c07f8b1f

SHA1
007d62046356d9e42153689de2d3d32b19c6c2a6

SHA256
c09b890e9df9d83428b511d721c9570ef9f9d6c07c3d92198196c41c760439f6

SHA512
7ff2c867e20ce71f17ad52946d468c489ce16a0bfe4f37b836280bc6994eab3ba560b6ba8da23ae1f0bad722e9ff7c7e66d6caec747f5e6ea202783026cbb28b

Download Submit
memory/1712-5-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/1712-22-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/1712-6-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/1712-0-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/1712-7-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/1712-3-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/1712-4-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/1712-1-0x00000000007B1000-0x00000000007B2000-memory.dmp

Filesize
4KB

Download
memory/1712-15-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/1712-25-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/1712-2-0x0000000002690000-0x000000000269B000-memory.dmp

Filesize
44KB

Download
memory/1712-19-0x00000000007B1000-0x00000000007B2000-memory.dmp

Filesize
4KB

Download
memory/2268-14-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2268-21-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2268-20-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2268-18-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2268-23-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2268-17-0x0000000002540000-0x000000000254B000-memory.dmp

Filesize
44KB

Download
memory/2268-16-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2268-35-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download
memory/2268-40-0x0000000000400000-0x00000000007C6000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing