d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18

General

Target

d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe
Size

130KB
MD5

1505d88fcea7435ae8f3a51e8b2c4147
SHA1

b66b6db9b8ad99f124797fe57b2c688db47b5c4f
SHA256

d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18
SHA512

fd721435ee772189903cb363d0368db6174651e6124e227717310fef564cc4c4de61136e21f42d7551aa98b758e8bff21dca43e0041154252d954aba69160a73
SSDEEP

1536:mH1ZaQvR1KiX3NK6I+hZhYrt/w5Q6G6IpiRYzz9qJHhhnm0yG5aP/5UROXTmNJo:6KQJcinxphkG5Q6GdpIOkJHhKRyOXKo

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
191944	Flaseher.exe

Loads dropped DLL 5 IoCs

pid	Process
191532	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe
191532	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe
191532	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe
191532	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe
191532	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\.Flasfh = "C:\\Users\\Admin\\AppData\\Roaming\\..Flash\\Flaseher.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3036 set thread context of 191532	3036	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe	31

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3036-0-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/3036-74-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/3036-83-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/3036-799123-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/191532-799125-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0009000000015686-799150.dat	upx
behavioral1/memory/191532-799171-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/191944-827380-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flaseher.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3036	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe
191532	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe
191944	Flaseher.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 191532	3036	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe	31
PID 3036 wrote to memory of 191532	3036	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe	31
PID 3036 wrote to memory of 191532	3036	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe	31
PID 3036 wrote to memory of 191532	3036	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe	31
PID 3036 wrote to memory of 191532	3036	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe	31
PID 3036 wrote to memory of 191532	3036	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe	31
PID 3036 wrote to memory of 191532	3036	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe	31
PID 3036 wrote to memory of 191532	3036	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe	31
PID 191532 wrote to memory of 191948	191532	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe	32
PID 191532 wrote to memory of 191948	191532	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe	32
PID 191532 wrote to memory of 191948	191532	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe	32
PID 191532 wrote to memory of 191948	191532	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe	32
PID 191948 wrote to memory of 192060	191948	cmd.exe	34
PID 191948 wrote to memory of 192060	191948	cmd.exe	34
PID 191948 wrote to memory of 192060	191948	cmd.exe	34
PID 191948 wrote to memory of 192060	191948	cmd.exe	34
PID 191532 wrote to memory of 191944	191532	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe	35
PID 191532 wrote to memory of 191944	191532	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe	35
PID 191532 wrote to memory of 191944	191532	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe	35
PID 191532 wrote to memory of 191944	191532	d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe	35

C:\Users\Admin\AppData\Local\Temp\d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe
"C:\Users\Admin\AppData\Local\Temp\d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe
  "C:\Users\Admin\AppData\Local\Temp\d24f89a7d5de7646dce4130a2de9290743d7202028d0cde005a2b3a4ec5cbf18.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:191532
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\URQUH.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:191948
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v ".Flasfh" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:192060
- - C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
    "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:191944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\URQUH.bat

Filesize
145B

MD5
da0cbe87b720a79b294147ed6a4b98be

SHA1
ebf0dc9efd7a12cb192e355cda87546acb4ab360

SHA256
7ccfeff356fdccc9145bd1e263aa1c56360ca7b6552ed5a5665c596d02a627ed

SHA512
f55c4a3d24d2f11db5eda3c816d1cd3b8804a171a7bf715b13d60788247fbb352eafaa5bd4e0a8086c1013396be0a48c7bdb904ab0f974fa0c75e81e3d365acc

Download Submit
\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe

Filesize
130KB

MD5
05b2769b2f0774c8407b4b4416637fbd

SHA1
2bdb113fed3b633ea5fdf94e3d7086862ce8dc4a

SHA256
bfec1cef81084c9cc04d366659896d26693b16bbd01a2abe68fd72d05698aeec

SHA512
86328fb5977363b28d69a7d9e1d3982a3ae8d9e45dfec7e6948b154d5f27ce718db3393b0ccd13164e16688b8abfd156bd067b5ba65c89f8587ab8fe6f242a6d

Download Submit
memory/3036-41-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/3036-53-0x0000000000416000-0x0000000000417000-memory.dmp

Filesize
4KB

Download
memory/3036-11-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/3036-51-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/3036-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3036-21-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/3036-74-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3036-83-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3036-9-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/3036-799123-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3036-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/191532-799125-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/191532-799155-0x0000000003310000-0x0000000003333000-memory.dmp

Filesize
140KB

Download
memory/191532-799166-0x0000000003310000-0x0000000003333000-memory.dmp

Filesize
140KB

Download
memory/191532-799167-0x0000000003310000-0x0000000003333000-memory.dmp

Filesize
140KB

Download
memory/191532-799171-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/191532-803167-0x0000000003310000-0x0000000003333000-memory.dmp

Filesize
140KB

Download
memory/191532-812810-0x0000000003310000-0x0000000003333000-memory.dmp

Filesize
140KB

Download
memory/191532-817479-0x0000000003310000-0x0000000003333000-memory.dmp

Filesize
140KB

Download
memory/191532-817480-0x0000000003310000-0x0000000003333000-memory.dmp

Filesize
140KB

Download
memory/191532-799156-0x0000000003310000-0x0000000003333000-memory.dmp

Filesize
140KB

Download
memory/191944-827380-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads