1d2e9f9ec953154d2a45eac35bf99c3e5139458b8ee04c516828a74492dc6466

General

Target

1d2e9f9ec953154d2a45eac35bf99c3e5139458b8ee04c516828a74492dc6466.exe
Size

520KB
MD5

86b63605c5d269cdbd674cfb24a13ff0
SHA1

c27d8d3891e3c38916edcc91e4e3f811cf9cba16
SHA256

1d2e9f9ec953154d2a45eac35bf99c3e5139458b8ee04c516828a74492dc6466
SHA512

36660846b7a5fe1c8e55cfa41ef21eaf92a01c9552b71fde11af1fe1ea128301509836d79fc8551af5d2b4644e63cd474c84d2fef9be323d6f969373519f39d1
SSDEEP

12288:m2r3Qj1TGZnUgQXhXofKrS4WygNOxZfpz1WcKQ:mK3QZTaUgQXhofqxWyLhzl

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
32	2448	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4320	1QmCS311.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2448-136-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/2448-137-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/2448-138-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/2448-140-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/2448-141-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/2448-147-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/2448-146-0x0000000000400000-0x00000000004DD000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1QmCS311 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1d2e9f9ec953154d2a45eac35bf99c3e5139458b8ee04c516828a74492dc6466.exe"	1d2e9f9ec953154d2a45eac35bf99c3e5139458b8ee04c516828a74492dc6466.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	1QmCS311.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wiseman = "c:\\1QmCS311.exe"	1QmCS311.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyKB = "\"C:\\Windows\\SysWOW64\\cmd.exe\""	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
708	1d2e9f9ec953154d2a45eac35bf99c3e5139458b8ee04c516828a74492dc6466.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 708 set thread context of 2448	708	1d2e9f9ec953154d2a45eac35bf99c3e5139458b8ee04c516828a74492dc6466.exe	83

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	cmd.exe
Token: 33	2448	cmd.exe
Token: SeIncBasePriorityPrivilege	2448	cmd.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4320	1QmCS311.exe
2448	cmd.exe
2448	cmd.exe
4320	1QmCS311.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 708 wrote to memory of 2448	708	1d2e9f9ec953154d2a45eac35bf99c3e5139458b8ee04c516828a74492dc6466.exe	83
PID 708 wrote to memory of 2448	708	1d2e9f9ec953154d2a45eac35bf99c3e5139458b8ee04c516828a74492dc6466.exe	83
PID 708 wrote to memory of 2448	708	1d2e9f9ec953154d2a45eac35bf99c3e5139458b8ee04c516828a74492dc6466.exe	83
PID 708 wrote to memory of 2448	708	1d2e9f9ec953154d2a45eac35bf99c3e5139458b8ee04c516828a74492dc6466.exe	83
PID 708 wrote to memory of 2448	708	1d2e9f9ec953154d2a45eac35bf99c3e5139458b8ee04c516828a74492dc6466.exe	83
PID 708 wrote to memory of 2448	708	1d2e9f9ec953154d2a45eac35bf99c3e5139458b8ee04c516828a74492dc6466.exe	83
PID 708 wrote to memory of 2448	708	1d2e9f9ec953154d2a45eac35bf99c3e5139458b8ee04c516828a74492dc6466.exe	83
PID 708 wrote to memory of 2448	708	1d2e9f9ec953154d2a45eac35bf99c3e5139458b8ee04c516828a74492dc6466.exe	83
PID 708 wrote to memory of 4320	708	1d2e9f9ec953154d2a45eac35bf99c3e5139458b8ee04c516828a74492dc6466.exe	84
PID 708 wrote to memory of 4320	708	1d2e9f9ec953154d2a45eac35bf99c3e5139458b8ee04c516828a74492dc6466.exe	84
PID 708 wrote to memory of 4320	708	1d2e9f9ec953154d2a45eac35bf99c3e5139458b8ee04c516828a74492dc6466.exe	84

C:\Users\Admin\AppData\Local\Temp\1d2e9f9ec953154d2a45eac35bf99c3e5139458b8ee04c516828a74492dc6466.exe
"C:\Users\Admin\AppData\Local\Temp\1d2e9f9ec953154d2a45eac35bf99c3e5139458b8ee04c516828a74492dc6466.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\System32\cmd.exe
  2⤵
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2448
- \??\c:\1QmCS311.exe
  c:\1QmCS311.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:4320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1QmCS311.exe

Filesize
378KB

MD5
8f242369cf14f2b26ced131d7dd67144

SHA1
d4f2f0f3047300ff5f36af6119ad5e109258fcd0

SHA256
03505198d487e04a8ec82c627d34e4d9145f211140c4c8793b4461621e6bf6ce

SHA512
4516b3fa2f68e64baf166bc7731ba3bb0ca53d36d71ff8fa78b1f211d7c14fc4442af50bd637d0c3f11913583c9c66996101d6e8738592a053e82a78bbd771f5

Download Submit
\??\c:\1QmCS311.exe

Filesize
378KB

MD5
8f242369cf14f2b26ced131d7dd67144

SHA1
d4f2f0f3047300ff5f36af6119ad5e109258fcd0

SHA256
03505198d487e04a8ec82c627d34e4d9145f211140c4c8793b4461621e6bf6ce

SHA512
4516b3fa2f68e64baf166bc7731ba3bb0ca53d36d71ff8fa78b1f211d7c14fc4442af50bd637d0c3f11913583c9c66996101d6e8738592a053e82a78bbd771f5

Download Submit
memory/708-133-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/708-134-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/708-145-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/708-132-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2448-136-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2448-140-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2448-141-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2448-138-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2448-137-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2448-147-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2448-146-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2448-148-0x000000000048D000-0x00000000004DC000-memory.dmp

Filesize
316KB

Download
memory/2448-149-0x0000000000401000-0x000000000048D000-memory.dmp

Filesize
560KB

Download
memory/2448-150-0x000000000048D000-0x00000000004DC000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing