119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e

General

Target

119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe
Size

32KB
MD5

63776dafa3250b64a0241ed9a33da118
SHA1

4a0f87501527a95d3a6b2540a8a995e0b45f95b4
SHA256

119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e
SHA512

ce04e957702096ee2148e73e9155683fcd14c1ac2ecd81c7cad3ec3f8438ef23e122bc295fb4f6e521753f3c0e59c97c3d6c7619dfb99652cb3acbf20b0198b4
SSDEEP

768:fUrXYQ0wASIzPAhso1+MsoNfE+TZljAQFiHBM:fe2VSIzI6adE+TZlEL

Score

8^/10

evasion upx

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4584-136-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
3260	rundll32.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yuksuser.dll	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe
File created	C:\Windows\SysWOW64\ksuser.dll	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe
File created	C:\Windows\SysWOW64\dllcache\ksuser.dll	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe
File created	C:\Windows\SysWOW64\yumsimg32.dll	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe
File created	C:\Windows\SysWOW64\msimg32.dll	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe
File opened for modification	C:\Windows\SysWOW64\yuksuser.dll	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe
File created	C:\Windows\SysWOW64\yumidimap.dll	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe
File created	C:\Windows\SysWOW64\midimap.dll	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe
File created	C:\Windows\SysWOW64\dllcache\msimg32.dll	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe
File created	C:\Windows\SysWOW64\sysapp30.dll	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2960	sc.exe
5056	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4584	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe
4584	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe
4584	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe
4584	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe
4584	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe
4584	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4584	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 4244	4584	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe	82
PID 4584 wrote to memory of 4244	4584	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe	82
PID 4584 wrote to memory of 4244	4584	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe	82
PID 4584 wrote to memory of 2960	4584	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe	83
PID 4584 wrote to memory of 2960	4584	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe	83
PID 4584 wrote to memory of 2960	4584	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe	83
PID 4584 wrote to memory of 5056	4584	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe	87
PID 4584 wrote to memory of 5056	4584	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe	87
PID 4584 wrote to memory of 5056	4584	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe	87
PID 4584 wrote to memory of 3260	4584	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe	86
PID 4584 wrote to memory of 3260	4584	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe	86
PID 4584 wrote to memory of 3260	4584	119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe	86
PID 4244 wrote to memory of 1936	4244	net.exe	89
PID 4244 wrote to memory of 1936	4244	net.exe	89
PID 4244 wrote to memory of 1936	4244	net.exe	89

C:\Users\Admin\AppData\Local\Temp\119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe
"C:\Users\Admin\AppData\Local\Temp\119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    PID:1936
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2960
- C:\Windows\SysWOW64\rundll32.exe
  C:\Users\Admin\AppData\Local\Temp\1667038873.dat, ServerMain c:\users\admin\appdata\local\temp\119aaba1331c6d89b48ee6c66382b81051c166a75be105ef22777e06045bef6e.exe
  2⤵
  - Loads dropped DLL
  PID:3260
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  PID:5056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1667038873.dat

Filesize
32KB

MD5
012d7d04e579ed9e99556a7061196551

SHA1
dab93eba8a866c35438fa4373cc32e04bc25c2ae

SHA256
9c102fb7e1fc47589d44eb81f558d1cdb397c72912b77a7d6e59dad46bab0fb7

SHA512
53df793d41e0dee39338e86b9698f2b7871487eb7b618e834a4ca68aaa550fd60ed458d3308e65e29337154b6295f035ce01df7a7c27eda27d4b2fcf37d613b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1667038873.dat

Filesize
32KB

MD5
012d7d04e579ed9e99556a7061196551

SHA1
dab93eba8a866c35438fa4373cc32e04bc25c2ae

SHA256
9c102fb7e1fc47589d44eb81f558d1cdb397c72912b77a7d6e59dad46bab0fb7

SHA512
53df793d41e0dee39338e86b9698f2b7871487eb7b618e834a4ca68aaa550fd60ed458d3308e65e29337154b6295f035ce01df7a7c27eda27d4b2fcf37d613b5

Download Submit
memory/4584-136-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing