9188a061f6c59b9358fc15da09c8c55178c98401f6b08804e7ad7c0df529a9a3

General

Target

file43.exe
Size

3.4MB
MD5

20bae96a81da0931c762d395e5c0a5ff
SHA1

9f8848cc00cf226e3ae2de6895ebbc0f36887672
SHA256

9188a061f6c59b9358fc15da09c8c55178c98401f6b08804e7ad7c0df529a9a3
SHA512

41bc89c68f5e8d86b9f5f6c72312b9802ea304d816a1d0361a36e1e6a9314b825f9eff7c9d47b6554f487efe7a05614a07ffa80fa06509f23dcca6fb25da4197

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

calcme.exe

pid process

528 calcme.exe

pid	process
528	calcme.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\d05cfc4a000000000000500600000000\calcme.exe	upx
C:\Users\Admin\d05cfc4a000000000000500600000000\calcme.exe	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\d05cfc4a000000000000500600000000 = "C:\\Users\\Admin\\d05cfc4a000000000000500600000000\\calcme.exe"	reg.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1344 systeminfo.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1500 reg.exe

pid	process
1344	systeminfo.exe

pid	process
1500	reg.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

wmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2196	wmic.exe
Token: SeSecurityPrivilege	2196	wmic.exe
Token: SeTakeOwnershipPrivilege	2196	wmic.exe
Token: SeLoadDriverPrivilege	2196	wmic.exe
Token: SeSystemProfilePrivilege	2196	wmic.exe
Token: SeSystemtimePrivilege	2196	wmic.exe
Token: SeProfSingleProcessPrivilege	2196	wmic.exe
Token: SeIncBasePriorityPrivilege	2196	wmic.exe
Token: SeCreatePagefilePrivilege	2196	wmic.exe
Token: SeBackupPrivilege	2196	wmic.exe
Token: SeRestorePrivilege	2196	wmic.exe
Token: SeShutdownPrivilege	2196	wmic.exe
Token: SeDebugPrivilege	2196	wmic.exe
Token: SeSystemEnvironmentPrivilege	2196	wmic.exe
Token: SeRemoteShutdownPrivilege	2196	wmic.exe
Token: SeUndockPrivilege	2196	wmic.exe
Token: SeManageVolumePrivilege	2196	wmic.exe
Token: 33	2196	wmic.exe
Token: 34	2196	wmic.exe
Token: 35	2196	wmic.exe
Token: 36	2196	wmic.exe
Token: SeIncreaseQuotaPrivilege	2196	wmic.exe
Token: SeSecurityPrivilege	2196	wmic.exe
Token: SeTakeOwnershipPrivilege	2196	wmic.exe
Token: SeLoadDriverPrivilege	2196	wmic.exe
Token: SeSystemProfilePrivilege	2196	wmic.exe
Token: SeSystemtimePrivilege	2196	wmic.exe
Token: SeProfSingleProcessPrivilege	2196	wmic.exe
Token: SeIncBasePriorityPrivilege	2196	wmic.exe
Token: SeCreatePagefilePrivilege	2196	wmic.exe
Token: SeBackupPrivilege	2196	wmic.exe
Token: SeRestorePrivilege	2196	wmic.exe
Token: SeShutdownPrivilege	2196	wmic.exe
Token: SeDebugPrivilege	2196	wmic.exe
Token: SeSystemEnvironmentPrivilege	2196	wmic.exe
Token: SeRemoteShutdownPrivilege	2196	wmic.exe
Token: SeUndockPrivilege	2196	wmic.exe
Token: SeManageVolumePrivilege	2196	wmic.exe
Token: 33	2196	wmic.exe
Token: 34	2196	wmic.exe
Token: 35	2196	wmic.exe
Token: 36	2196	wmic.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

file43.exe

description	pid	process	target process
PID 636 wrote to memory of 2196	636	file43.exe	wmic.exe
PID 636 wrote to memory of 2196	636	file43.exe	wmic.exe
PID 636 wrote to memory of 2196	636	file43.exe	wmic.exe
PID 636 wrote to memory of 1500	636	file43.exe	reg.exe
PID 636 wrote to memory of 1500	636	file43.exe	reg.exe
PID 636 wrote to memory of 1500	636	file43.exe	reg.exe
PID 636 wrote to memory of 1344	636	file43.exe	systeminfo.exe
PID 636 wrote to memory of 1344	636	file43.exe	systeminfo.exe
PID 636 wrote to memory of 1344	636	file43.exe	systeminfo.exe
PID 636 wrote to memory of 528	636	file43.exe	calcme.exe
PID 636 wrote to memory of 528	636	file43.exe	calcme.exe
PID 636 wrote to memory of 528	636	file43.exe	calcme.exe

C:\Users\Admin\AppData\Local\Temp\file43.exe
"C:\Users\Admin\AppData\Local\Temp\file43.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic volume get DeviceId
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /v d05cfc4a000000000000500600000000 /d C:\Users\Admin\d05cfc4a000000000000500600000000\calcme.exe /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:1500
- C:\Windows\SysWOW64\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:1344
- C:\Users\Admin\d05cfc4a000000000000500600000000\calcme.exe
  C:\Users\Admin\d05cfc4a000000000000500600000000\calcme.exe
  2⤵
  - Executes dropped EXE
  PID:528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\d05cfc4a000000000000500600000000\calcme.exe

MD5
20bae96a81da0931c762d395e5c0a5ff

SHA1
9f8848cc00cf226e3ae2de6895ebbc0f36887672

SHA256
9188a061f6c59b9358fc15da09c8c55178c98401f6b08804e7ad7c0df529a9a3

SHA512
41bc89c68f5e8d86b9f5f6c72312b9802ea304d816a1d0361a36e1e6a9314b825f9eff7c9d47b6554f487efe7a05614a07ffa80fa06509f23dcca6fb25da4197

Download Submit
C:\Users\Admin\d05cfc4a000000000000500600000000\calcme.exe

MD5
20bae96a81da0931c762d395e5c0a5ff

SHA1
9f8848cc00cf226e3ae2de6895ebbc0f36887672

SHA256
9188a061f6c59b9358fc15da09c8c55178c98401f6b08804e7ad7c0df529a9a3

SHA512
41bc89c68f5e8d86b9f5f6c72312b9802ea304d816a1d0361a36e1e6a9314b825f9eff7c9d47b6554f487efe7a05614a07ffa80fa06509f23dcca6fb25da4197

Download Submit
C:\Users\Admin\d05cfc4a000000000000500600000000\log.txt

MD5
16a920629ab339ecd746b976be3bd837

SHA1
dce3e68a0acee4281e23c5bb3ed738fa010210b5

SHA256
756de5a587ccabbf942f9ae958eaa26b526a94b79bb5b9bffe96f99735410184

SHA512
f31274091e1d32a13a1f58ba7d656224dcfae88b1d4f5adb6afb622c8c57fa6bdd54415d7fb40d59b23543341c3a343441b0e2aec3d69894e5e94faabdc349cb

Download Submit
memory/528-117-0x0000000000000000-mapping.dmp

Download
memory/1344-116-0x0000000000000000-mapping.dmp

Download
memory/1500-115-0x0000000000000000-mapping.dmp

Download
memory/2196-114-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads