eb1048c44e92bd6b5da62643bb93eafb7b9012025c2ecd40fbf4cc42dbfeecf6

General

Target

b14368a184a60a4acb5a06a6b8d8e7c0N.exe
Size

1.3MB
MD5

b14368a184a60a4acb5a06a6b8d8e7c0
SHA1

b01723f549c9958f897daa63787a053ebe063b14
SHA256

eb1048c44e92bd6b5da62643bb93eafb7b9012025c2ecd40fbf4cc42dbfeecf6
SHA512

8b90b3579272767fbace23c7ecdcc7b88dada7a31055b6f482eb63eec50bf8bd251ae289f44c10eb04329ea6672743663f520d33283af4401f732119ed62cf5d
SSDEEP

24576:IArW/8hh0FQAq7c8nA7YMv3+DpBNPRI9ovlG4XozaEhptdF/fCGzeYVxXNVD8pVp:Ie0mfW3YNPRRlG4saIprdNy

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	b14368a184a60a4acb5a06a6b8d8e7c0N.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2348-0-0x0000000000400000-0x0000000000554000-memory.dmp	upx
behavioral1/files/0x000a000000012283-9.dat	upx
behavioral1/memory/2348-14-0x0000000000400000-0x0000000000554000-memory.dmp	upx
behavioral1/memory/2348-17-0x0000000000400000-0x0000000000554000-memory.dmp	upx
behavioral1/memory/2348-20-0x0000000000400000-0x0000000000554000-memory.dmp	upx
behavioral1/memory/2348-24-0x0000000000400000-0x0000000000554000-memory.dmp	upx
behavioral1/memory/2348-27-0x0000000000400000-0x0000000000554000-memory.dmp	upx
behavioral1/memory/2348-30-0x0000000000400000-0x0000000000554000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	b14368a184a60a4acb5a06a6b8d8e7c0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2348	b14368a184a60a4acb5a06a6b8d8e7c0N.exe
2348	b14368a184a60a4acb5a06a6b8d8e7c0N.exe
2348	b14368a184a60a4acb5a06a6b8d8e7c0N.exe
2348	b14368a184a60a4acb5a06a6b8d8e7c0N.exe
2348	b14368a184a60a4acb5a06a6b8d8e7c0N.exe
2348	b14368a184a60a4acb5a06a6b8d8e7c0N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2348	b14368a184a60a4acb5a06a6b8d8e7c0N.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2348	b14368a184a60a4acb5a06a6b8d8e7c0N.exe
2348	b14368a184a60a4acb5a06a6b8d8e7c0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 532	2348	b14368a184a60a4acb5a06a6b8d8e7c0N.exe	31
PID 2348 wrote to memory of 532	2348	b14368a184a60a4acb5a06a6b8d8e7c0N.exe	31
PID 2348 wrote to memory of 532	2348	b14368a184a60a4acb5a06a6b8d8e7c0N.exe	31
PID 2348 wrote to memory of 532	2348	b14368a184a60a4acb5a06a6b8d8e7c0N.exe	31

C:\Users\Admin\AppData\Local\Temp\b14368a184a60a4acb5a06a6b8d8e7c0N.exe
"C:\Users\Admin\AppData\Local\Temp\b14368a184a60a4acb5a06a6b8d8e7c0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
2004bcee923b0e0222f4cab87c2c2a3d

SHA1
0a3c122b7cfe403403d913ecc1b328480b1bfc2a

SHA256
f92f08df2b65e2f5b5db141c99b098c8b077c0c853a1fd51bfcc6d40dc68ad77

SHA512
cae47a4dfdb942622ebca65d57e9d80c29cb299aa8c217983e34a51655c2e96ed26c7fa2fad978b6279ed4d3c8c0571e417c60152bf66a116f67d0fe38d6a445

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
722B

MD5
258f52fe7dffb7222da14128df4a38b6

SHA1
93c4cbf0965da3836144bf5948ff2e1af330466c

SHA256
e717005d8a48f4d5c56d00f2b7fb8d29b6bde1dd5553d2946a8c8706c4e7ce35

SHA512
2424efd78020d39db71f06b998b76f71def8c215b9f290c1721a3cf9acf7f463e12a6080f407117d60cc2cbd39b372d8b85c1c4e32c17711b02ba0dddd5f77c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.3MB

MD5
1fc003652efe4e7ae286bd875c0fcf2d

SHA1
2c8d04405c3653f7c5ff518b3aa72db836c52e13

SHA256
4d58637f1d7c061482dc4a67ea141ea7b314e3a9e310de854d765997cef1aa98

SHA512
0377132b08e092e9a9e89ca9b2db8685ffb6c74dc8b8b3ef81b51463e5796c5b42804e0389feae62d7178cc5baa8d7d6c62a3634554df8791d4a133cc7b9c4da

Download Submit
memory/2348-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2348-14-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2348-17-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2348-20-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2348-24-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2348-27-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2348-30-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads