c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79

General

Target

c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe
Size

93KB
MD5

62d6c96147935de11d6ea7f9f634aa08
SHA1

4693f347b6aaa77681dccbba8510c46f425f7d99
SHA256

c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79
SHA512

e1a75e21245ca496f8c074685f3921cdf9cabf2bb3e1148b742fb3e4d0a1ff90a0be477128d6393580ba17c8c4de58400f00bccac310ad88498c7eb59e5b6305
SSDEEP

1536:0iNWjGAmLRvz1ZJPJZgU8ap5iLy6jRMQx3je+k1FElPUowCEjkA2KT:0kIlmLR71ZJPJZdtMya2c3jcnE62KT

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1956-58-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral1/memory/1956-60-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral1/memory/1956-61-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral1/memory/1956-66-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral1/memory/1956-67-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral1/memory/1956-69-0x0000000000400000-0x0000000000425000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1956	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sxiaqmb = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\sxiaqmb.dll\",sxiaqmb"	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe

Modifies WinLogon 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sxiaqmb\Startup = "sxiaqmb"	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sxiaqmb	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sxiaqmb\Impersonate = "1"	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sxiaqmb\Asynchronous = "1"	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sxiaqmb\MaxWait = "1"	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sxiaqmb\vllsslaw = f0355250c1d7484182af	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sxiaqmb\DllName = "C:\\Users\\Admin\\AppData\\Local\\sxiaqmb.dll"	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1080 set thread context of 1956	1080	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1080	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1080	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe
1080	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe
1080	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe
1080	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 1956	1080	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe	28
PID 1080 wrote to memory of 1956	1080	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe	28
PID 1080 wrote to memory of 1956	1080	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe	28
PID 1080 wrote to memory of 1956	1080	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe	28
PID 1080 wrote to memory of 1956	1080	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe	28
PID 1080 wrote to memory of 1956	1080	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe	28
PID 1080 wrote to memory of 1956	1080	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe	28
PID 1080 wrote to memory of 1956	1080	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe	28
PID 1080 wrote to memory of 1956	1080	c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe	28

C:\Users\Admin\AppData\Local\Temp\c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe
"C:\Users\Admin\AppData\Local\Temp\c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe
  "C:\Users\Admin\AppData\Local\Temp\c02759f3ee85380908fb9f51f3463bf3c68ce76401bb9abd5b869438a679db79.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies WinLogon
  PID:1956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\sxiaqmb.dll

Filesize
30KB

MD5
a7eb007bc98471d3137401f945b1a7db

SHA1
44609a4d80d077a0a0c14bc1558a07bfa68c36c0

SHA256
6ec8075c5820f82bfe3ab9d45180cb8e738d0a8e1a27ed39f7e27efb0133f45f

SHA512
174cf812ca905bb19a50b894be88ee571264a5524feddd08237f3f55e77705381ac5e31344129253d4c182f770c5bef530b48d0203365e0e8120c1624337b1e8

Download Submit
memory/1080-54-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/1080-62-0x00000000003F0000-0x00000000003F4000-memory.dmp

Filesize
16KB

Download
memory/1956-55-0x00000000001B0000-0x00000000002AA000-memory.dmp

Filesize
1000KB

Download
memory/1956-57-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1956-58-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1956-60-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1956-61-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1956-66-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1956-67-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1956-69-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads