be7c5123e3ff8e2ce88ae804463ec411d115a5f0079b1093621c77017cf20f0d

General

Target

8f252ac1ca471d8994dcb3907942daf0N.exe
Size

1.3MB
MD5

8f252ac1ca471d8994dcb3907942daf0
SHA1

5011a0d9d4bb9be68c9a686ce7a30d5cfc4b3950
SHA256

be7c5123e3ff8e2ce88ae804463ec411d115a5f0079b1093621c77017cf20f0d
SHA512

33301760faccbfd8f6b5bdc90612ddae099344893fb67ba661dc1e794d05576a8ebfc9c0b62a45e18da4d7eb4ffb217cd1aa315ce7efb6f0254712b8c0f618f7
SSDEEP

24576:IArW/8hh0FQAq7c8nA7YMv3+DpBNPRI9ovlG4XozaEhptdF/fCGzeYVxXNVD8pVo:Ie0mfW3YNPRRlG4saIprdNn

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	8f252ac1ca471d8994dcb3907942daf0N.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3052-0-0x0000000000400000-0x0000000000554000-memory.dmp	upx
behavioral1/files/0x000e000000012014-10.dat	upx
behavioral1/memory/3052-14-0x0000000000400000-0x0000000000554000-memory.dmp	upx
behavioral1/memory/3052-17-0x0000000000400000-0x0000000000554000-memory.dmp	upx
behavioral1/memory/3052-20-0x0000000000400000-0x0000000000554000-memory.dmp	upx
behavioral1/memory/3052-24-0x0000000000400000-0x0000000000554000-memory.dmp	upx
behavioral1/memory/3052-27-0x0000000000400000-0x0000000000554000-memory.dmp	upx
behavioral1/memory/3052-30-0x0000000000400000-0x0000000000554000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	8f252ac1ca471d8994dcb3907942daf0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3052	8f252ac1ca471d8994dcb3907942daf0N.exe
3052	8f252ac1ca471d8994dcb3907942daf0N.exe
3052	8f252ac1ca471d8994dcb3907942daf0N.exe
3052	8f252ac1ca471d8994dcb3907942daf0N.exe
3052	8f252ac1ca471d8994dcb3907942daf0N.exe
3052	8f252ac1ca471d8994dcb3907942daf0N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3052	8f252ac1ca471d8994dcb3907942daf0N.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3052	8f252ac1ca471d8994dcb3907942daf0N.exe
3052	8f252ac1ca471d8994dcb3907942daf0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2660	3052	8f252ac1ca471d8994dcb3907942daf0N.exe	30
PID 3052 wrote to memory of 2660	3052	8f252ac1ca471d8994dcb3907942daf0N.exe	30
PID 3052 wrote to memory of 2660	3052	8f252ac1ca471d8994dcb3907942daf0N.exe	30
PID 3052 wrote to memory of 2660	3052	8f252ac1ca471d8994dcb3907942daf0N.exe	30

C:\Users\Admin\AppData\Local\Temp\8f252ac1ca471d8994dcb3907942daf0N.exe
"C:\Users\Admin\AppData\Local\Temp\8f252ac1ca471d8994dcb3907942daf0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
2004bcee923b0e0222f4cab87c2c2a3d

SHA1
0a3c122b7cfe403403d913ecc1b328480b1bfc2a

SHA256
f92f08df2b65e2f5b5db141c99b098c8b077c0c853a1fd51bfcc6d40dc68ad77

SHA512
cae47a4dfdb942622ebca65d57e9d80c29cb299aa8c217983e34a51655c2e96ed26c7fa2fad978b6279ed4d3c8c0571e417c60152bf66a116f67d0fe38d6a445

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
722B

MD5
0ed45d15b95f3ae09874c89a135e89db

SHA1
5dbe95e4015300719af4e09f94696a870185fd9c

SHA256
61fb445f3fd4252b5b4bf639dca955dc05af34eab736d095a406aa1d0477139d

SHA512
d339050708e8ff9f13c6f51d086e02a64ec95524b986a97b77ef3a0a1be9515975260d2ebe5d48fe8a1722a01e8021466e6fccd2ef2a8da62a39c1686a80c019

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.3MB

MD5
78254a7023769d8a56f803039dc277de

SHA1
63652d5d0a0137dec4556b54e856ac261e2524a0

SHA256
dd560a3d4153459e9c9aa3efc50e2d8d2ff05d6d896b0236f6f1821c68633d6b

SHA512
1749c13b149114947ca5de02ed7da4b2b7a1c4fa5b9f646a80ca5746a42512c4d110572882f02f092f6e2872b566c901e6536d2b8c526012873336c4f1320e54

Download Submit
memory/3052-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3052-14-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3052-17-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3052-20-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3052-24-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3052-27-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3052-30-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads