f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a

General

Target

f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
Size

9.2MB
MD5

acde3edb52446cad161f28e6e5af0c6c
SHA1

0083ece19bfeb17bf1c3165749eaef53b48a2ce4
SHA256

f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a
SHA512

8fc48631c7bb51cd4fb27eaaa7db492f8b6070a1ad5d2456379c7b10e4ae45270844e591c0d67947802d5d0beb88e63810ecfc34fb3a4ddda654c5a9e8bf618d
SSDEEP

196608:xqKoYgVKWUGNEoiN/A4s0jmpxSjvEydT5T4M9TD1tl7r:4PkpGNvcj8ydTB99tt

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3588	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe

Executes dropped EXE 1 IoCs

pid	Process
3588	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2772-4-0x0000000002670000-0x000000000267B000-memory.dmp	upx
behavioral2/memory/3588-19-0x0000000000D10000-0x0000000000D1B000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
File opened (read-only)	\??\L:	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
File opened (read-only)	\??\M:	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
File opened (read-only)	\??\N:	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
File opened (read-only)	\??\V:	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
File opened (read-only)	\??\A:	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
File opened (read-only)	\??\G:	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
File opened (read-only)	\??\P:	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
File opened (read-only)	\??\Q:	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
File opened (read-only)	\??\R:	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
File opened (read-only)	\??\T:	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
File opened (read-only)	\??\Z:	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
File opened (read-only)	\??\I:	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
File opened (read-only)	\??\O:	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
File opened (read-only)	\??\S:	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
File opened (read-only)	\??\X:	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
File opened (read-only)	\??\Y:	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
File opened (read-only)	\??\J:	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
File opened (read-only)	\??\K:	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
File opened (read-only)	\??\U:	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
File opened (read-only)	\??\W:	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
File opened (read-only)	\??\B:	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
File opened (read-only)	\??\E:	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2772	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
2772	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
2772	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
2772	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
2772	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
3588	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
3588	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
3588	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
3588	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
3588	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 3588	2772	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe	95
PID 2772 wrote to memory of 3588	2772	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe	95
PID 2772 wrote to memory of 3588	2772	f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe	95

C:\Users\Admin\AppData\Local\Temp\f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
"C:\Users\Admin\AppData\Local\Temp\f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772
- C:\ÏÄÈÕÑ×Ñ×[V4.1]\f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
  C:\ÏÄÈÕÑ×Ñ×[V4.1]\f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1044 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\01abc036969a7bc7861bab25522126dd.txt

Filesize
18B

MD5
d2bb8425a8f78c456f7bd3da053a94fa

SHA1
cd1e2a3b2435106901c54e01660f5da42c735697

SHA256
a70921f156384692efc950a29d47f984e75716ddbf64d80426494c70f6d9c7b7

SHA512
8c0b29607f609f5acd891a2b61ff43a06d6f3aeab6e7a84a57f64a78372c92ed4db88bd07fb52a19f6ade7478a782abcd3a8986fb2c2cb0ccc3f06a2747cb4ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.dat

Filesize
102B

MD5
db4390ac035b430a705eccd7200ad0f8

SHA1
c96463a9d60935e671e04ddc3073d87e2fe2063a

SHA256
4e0b81a85f8fecbb498db1207b4a5eba95f08545cddd6d23b005d5d5f3c80498

SHA512
0f0b3bd8460b1873a652e443613edad2685f977fe9ba49e6379e7305639569cae5093132d7f74e8e495276b8c1f569e3c2485c8ea35d4e094b8554eb03827875

Download Submit
C:\ÏÄÈÕÑ×Ñ×[V4.1]\f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a.exe

Filesize
9.2MB

MD5
acde3edb52446cad161f28e6e5af0c6c

SHA1
0083ece19bfeb17bf1c3165749eaef53b48a2ce4

SHA256
f4f4890d941747ff3eeb260ecd70daf395cf44e0fa63f6cfba1674fe155aa38a

SHA512
8fc48631c7bb51cd4fb27eaaa7db492f8b6070a1ad5d2456379c7b10e4ae45270844e591c0d67947802d5d0beb88e63810ecfc34fb3a4ddda654c5a9e8bf618d

Download Submit
memory/2772-6-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/2772-2-0x00000000007B1000-0x00000000007B2000-memory.dmp

Filesize
4KB

Download
memory/2772-5-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/2772-0-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/2772-7-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/2772-8-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/2772-9-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/2772-10-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/2772-11-0x00000000007B1000-0x00000000007B2000-memory.dmp

Filesize
4KB

Download
memory/2772-3-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/2772-1-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/2772-42-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/2772-4-0x0000000002670000-0x000000000267B000-memory.dmp

Filesize
44KB

Download
memory/3588-21-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/3588-22-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/3588-23-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/3588-20-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/3588-19-0x0000000000D10000-0x0000000000D1B000-memory.dmp

Filesize
44KB

Download
memory/3588-18-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/3588-44-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/3588-46-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download

Analysis

Sharing