afb047616bd38a5e465bfeaff788843797806e4e9e72150906cac2004de7c9b7

General

Target

x.exe
Size

356KB
MD5

9b45ab810d3fc0ddc2274c744de9e407
SHA1

68f088f772bca3126de301f91587272699cb591d
SHA256

afb047616bd38a5e465bfeaff788843797806e4e9e72150906cac2004de7c9b7
SHA512

1079896ccbbc03064aced341238f260442710c6b0dca6d024dfd95337fb8d8faf49feda9905bdb96f3451b9343f23422ad02a0143f369c1a7bdb5c04a7b82862

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

x.exex.exe

pid process

268 x.exe
1424 x.exe

pid	process
268	x.exe
1424	x.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\ProgramData\winc\x.exe	upx
C:\ProgramData\winc\x.exe	upx
C:\ProgramData\winc\x.exe	upx
C:\ProgramData\winc\x.exe	upx

Loads dropped DLL 1 IoCs

Processes:

x.exe

pid process

1096 x.exe

pid	process
1096	x.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

x.exex.exex.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	x.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xx = "C:\\ProgramData\\winc\\x.exe"	x.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	x.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xx = "C:\\ProgramData\\winc\\x.exe"	x.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	x.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xx = "C:\\ProgramData\\winc\\x.exe"	x.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

x.exe

pid process

268 x.exe

pid	process
268	x.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

x.exex.exex.exe

description	pid	process
Token: SeShutdownPrivilege	1096	x.exe
Token: SeDebugPrivilege	1096	x.exe
Token: SeTcbPrivilege	1096	x.exe
Token: SeShutdownPrivilege	268	x.exe
Token: SeDebugPrivilege	268	x.exe
Token: SeTcbPrivilege	268	x.exe
Token: SeShutdownPrivilege	1424	x.exe
Token: SeDebugPrivilege	1424	x.exe
Token: SeTcbPrivilege	1424	x.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

x.exe

pid process

268 x.exe

pid	process
268	x.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

x.exex.exe

description	pid	process	target process
PID 1096 wrote to memory of 268	1096	x.exe	x.exe
PID 1096 wrote to memory of 268	1096	x.exe	x.exe
PID 1096 wrote to memory of 268	1096	x.exe	x.exe
PID 1096 wrote to memory of 268	1096	x.exe	x.exe
PID 268 wrote to memory of 1424	268	x.exe	x.exe
PID 268 wrote to memory of 1424	268	x.exe	x.exe
PID 268 wrote to memory of 1424	268	x.exe	x.exe
PID 268 wrote to memory of 1424	268	x.exe	x.exe

C:\Users\Admin\AppData\Local\Temp\x.exe
"C:\Users\Admin\AppData\Local\Temp\x.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\ProgramData\winc\x.exe
"C:\ProgramData\winc\x.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:268

C:\ProgramData\winc\x.exe
"C:\ProgramData\winc\x.exe" 268
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\winc\x.exe
MD5
9b45ab810d3fc0ddc2274c744de9e407

SHA1
68f088f772bca3126de301f91587272699cb591d

SHA256
afb047616bd38a5e465bfeaff788843797806e4e9e72150906cac2004de7c9b7

SHA512
1079896ccbbc03064aced341238f260442710c6b0dca6d024dfd95337fb8d8faf49feda9905bdb96f3451b9343f23422ad02a0143f369c1a7bdb5c04a7b82862

Download Submit
C:\ProgramData\winc\x.exe
MD5
9b45ab810d3fc0ddc2274c744de9e407

SHA1
68f088f772bca3126de301f91587272699cb591d

SHA256
afb047616bd38a5e465bfeaff788843797806e4e9e72150906cac2004de7c9b7

SHA512
1079896ccbbc03064aced341238f260442710c6b0dca6d024dfd95337fb8d8faf49feda9905bdb96f3451b9343f23422ad02a0143f369c1a7bdb5c04a7b82862

Download Submit
C:\ProgramData\winc\x.exe
MD5
9b45ab810d3fc0ddc2274c744de9e407

SHA1
68f088f772bca3126de301f91587272699cb591d

SHA256
afb047616bd38a5e465bfeaff788843797806e4e9e72150906cac2004de7c9b7

SHA512
1079896ccbbc03064aced341238f260442710c6b0dca6d024dfd95337fb8d8faf49feda9905bdb96f3451b9343f23422ad02a0143f369c1a7bdb5c04a7b82862

Download Submit
\ProgramData\winc\x.exe
MD5
9b45ab810d3fc0ddc2274c744de9e407

SHA1
68f088f772bca3126de301f91587272699cb591d

SHA256
afb047616bd38a5e465bfeaff788843797806e4e9e72150906cac2004de7c9b7

SHA512
1079896ccbbc03064aced341238f260442710c6b0dca6d024dfd95337fb8d8faf49feda9905bdb96f3451b9343f23422ad02a0143f369c1a7bdb5c04a7b82862

Download Submit
memory/268-57-0x0000000000000000-mapping.dmp

Download
memory/1096-55-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/1424-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads