0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa

General

Target

0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe
Size

17.0MB
MD5

96bf35f133c4c351e259d425d9596124
SHA1

58684797094fac1b895a4b61640b26b3d2996ac4
SHA256

0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa
SHA512

48267b65bfc3daea9a34108a548d18d09b9096d574a35ccf3e4c864077451471e86bfb4d4139c263186964c9e8b1b5e951fe96d533d7b09353a737f0c5075a05
SSDEEP

6144:NLb1zp2t2koczX3GIf4O4kLsyuVKHwNsFq4hsbboPNv4Mz3wLgOIAfMdPCds2eU0:oBfZ4LAwekIZvOIw0CdgoOwM

Score

10^/10

upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1812 created 1200	1812	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	21

Deletes itself 1 IoCs

pid	Process
2716	powershell.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2660-20-0x0000000140000000-0x00000001402FC000-memory.dmp	autoit_exe
behavioral1/memory/2660-8-0x0000000140000000-0x00000001402FC000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1812 set thread context of 2660	1812	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	30

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2660-3-0x0000000140000000-0x00000001402FC000-memory.dmp	upx
behavioral1/memory/2660-5-0x0000000140000000-0x00000001402FC000-memory.dmp	upx
behavioral1/memory/2660-20-0x0000000140000000-0x00000001402FC000-memory.dmp	upx
behavioral1/files/0x000700000001752f-14.dat	upx
behavioral1/memory/2660-8-0x0000000140000000-0x00000001402FC000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2716	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2660	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe
2660	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe
2660	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2660	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe
2660	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe
2660	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 2660	1812	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	30
PID 1812 wrote to memory of 2660	1812	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	30
PID 1812 wrote to memory of 2660	1812	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	30
PID 1812 wrote to memory of 2660	1812	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	30
PID 1812 wrote to memory of 2660	1812	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	30
PID 1812 wrote to memory of 2660	1812	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	30
PID 1812 wrote to memory of 2660	1812	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	30
PID 1812 wrote to memory of 2660	1812	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	30
PID 1812 wrote to memory of 2716	1812	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	31
PID 1812 wrote to memory of 2716	1812	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	31
PID 1812 wrote to memory of 2716	1812	0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe
  "C:\Users\Admin\AppData\Local\Temp\0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $file='C:\Users\Admin\AppData\Local\Temp\0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe';for($i=1;$i -le 600 -and (Test-Path $file -PathType leaf);$i++){Remove-Item $file;Start-Sleep -m 100}
    3⤵
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- C:\Users\Admin\AppData\Local\Temp\0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe
  "C:\Users\Admin\AppData\Local\Temp\0e9e692fec30be3c4c6d61d3ac926adae05a1ba55cd9374a3080d07bcd35dbaa.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dllfileinstalll.exe

Filesize
543KB

MD5
4ab7a19af297d2ab155c3ed20365beda

SHA1
5a59e8990af6071e48fa4e7453a10386f9c02d56

SHA256
9eb2d8a45f7df1032c99f5e6e3b1d8ddc745bddc07c5a9fc2d8c042ccc8f9317

SHA512
166e1b74ed195b9a0dd062daa49525edce4bc84658190b041064fe271e7bee644d79f74be6120a3d57ede13ec99f3fe2008b1119362d2527c255611fda320872

Download Submit
memory/1812-0-0x000007FEF5B33000-0x000007FEF5B34000-memory.dmp

Filesize
4KB

Download
memory/1812-1-0x000000013FDD0000-0x0000000140EE0000-memory.dmp

Filesize
17.1MB

Download
memory/1812-2-0x000000001BFA0000-0x000000001C132000-memory.dmp

Filesize
1.6MB

Download
memory/2660-3-0x0000000140000000-0x00000001402FC000-memory.dmp

Filesize
3.0MB

Download
memory/2660-5-0x0000000140000000-0x00000001402FC000-memory.dmp

Filesize
3.0MB

Download
memory/2660-20-0x0000000140000000-0x00000001402FC000-memory.dmp

Filesize
3.0MB

Download
memory/2660-8-0x0000000140000000-0x00000001402FC000-memory.dmp

Filesize
3.0MB

Download
memory/2660-27-0x0000000140000000-0x00000001402FC000-memory.dmp

Filesize
3.0MB

Download
memory/2716-26-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2716-25-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing