068f8c3ba7184982e734bb4a307565ae14e201c0f13ceecb1aed38c3870f3525

General

Target

da0b40601a3a98f251b12bf830993d70N.exe
Size

558KB
MD5

da0b40601a3a98f251b12bf830993d70
SHA1

6916fba0a692fc01b829be8e50461be47847e964
SHA256

068f8c3ba7184982e734bb4a307565ae14e201c0f13ceecb1aed38c3870f3525
SHA512

7d931e55906d05b5ab334cf2814bff9e4c93d66aac98f477d62b737116d30162b35084303107f4fb97e68015526e3e162ffbd0d0ef0f4f1022babb7b3b51209e
SSDEEP

12288:21+vKnoA0cdoIl9jmDBJ4Uh2DEq/51r575O65n9Vp:e+vg0HU9EP4UheEq/B79B

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	da0b40601a3a98f251b12bf830993d70N.exe

Loads dropped DLL 2 IoCs

pid	Process
2072	da0b40601a3a98f251b12bf830993d70N.exe
2072	da0b40601a3a98f251b12bf830993d70N.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2072-0-0x0000000000400000-0x0000000000551000-memory.dmp	upx
behavioral1/files/0x000900000001227c-8.dat	upx
behavioral1/memory/2072-18-0x0000000000400000-0x0000000000551000-memory.dmp	upx
behavioral1/memory/2072-23-0x0000000000400000-0x0000000000551000-memory.dmp	upx
behavioral1/memory/2072-26-0x0000000000400000-0x0000000000551000-memory.dmp	upx
behavioral1/memory/2072-30-0x0000000000400000-0x0000000000551000-memory.dmp	upx
behavioral1/memory/2072-33-0x0000000000400000-0x0000000000551000-memory.dmp	upx
behavioral1/memory/2072-36-0x0000000000400000-0x0000000000551000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	da0b40601a3a98f251b12bf830993d70N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2072	da0b40601a3a98f251b12bf830993d70N.exe
2072	da0b40601a3a98f251b12bf830993d70N.exe
2072	da0b40601a3a98f251b12bf830993d70N.exe
2072	da0b40601a3a98f251b12bf830993d70N.exe
2072	da0b40601a3a98f251b12bf830993d70N.exe
2072	da0b40601a3a98f251b12bf830993d70N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2072	da0b40601a3a98f251b12bf830993d70N.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2072	da0b40601a3a98f251b12bf830993d70N.exe
2072	da0b40601a3a98f251b12bf830993d70N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2648	2072	da0b40601a3a98f251b12bf830993d70N.exe	30
PID 2072 wrote to memory of 2648	2072	da0b40601a3a98f251b12bf830993d70N.exe	30
PID 2072 wrote to memory of 2648	2072	da0b40601a3a98f251b12bf830993d70N.exe	30
PID 2072 wrote to memory of 2648	2072	da0b40601a3a98f251b12bf830993d70N.exe	30

C:\Users\Admin\AppData\Local\Temp\da0b40601a3a98f251b12bf830993d70N.exe
"C:\Users\Admin\AppData\Local\Temp\da0b40601a3a98f251b12bf830993d70N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
2004bcee923b0e0222f4cab87c2c2a3d

SHA1
0a3c122b7cfe403403d913ecc1b328480b1bfc2a

SHA256
f92f08df2b65e2f5b5db141c99b098c8b077c0c853a1fd51bfcc6d40dc68ad77

SHA512
cae47a4dfdb942622ebca65d57e9d80c29cb299aa8c217983e34a51655c2e96ed26c7fa2fad978b6279ed4d3c8c0571e417c60152bf66a116f67d0fe38d6a445

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
722B

MD5
61eb8ff55960517ddb44f17cd57bddb8

SHA1
623d3caa0bbbd3846f04032e92db47a40b607a76

SHA256
db7ec7c5cb01f465a1290cedd50f1a236ee983bd11c9f9c4ab8d314488e62603

SHA512
e17ad9341724d0cd6a6337081e4acc8ea75984ffa2def01c5e9343912924a08f0236612f178baa464c95025a1659b1cda91e0b23ee5cdac11cce53e8a519f1ad

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
558KB

MD5
157f86c0bf0fe25e696f2efc4fb0ce52

SHA1
d03bdc70b31a2777708935f326a58845bc183b59

SHA256
8c5dead6dcca243ab92e21a313cf37c4d80cf4c4093b5f91f23706d788d8fd1d

SHA512
6932ebe3d2266475280c694b52f90a099b7257b74ef174b3b1094c52c5a77f36469075fecae80df22eb5d7d9f3a39deb1d52948f3b3513ac071504be3c257f6f

Download Submit
memory/2072-21-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/2072-14-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/2072-18-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2072-0-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2072-22-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/2072-23-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2072-26-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2072-30-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2072-15-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/2072-33-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2072-36-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads