a2706192018c4c96adc13a5a64381c47c794217ea0d0263042a015ede37ba7ad

Analysis

max time kernel
117s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2706192018c4c96adc13a5a64381c47c794217ea0d0263042a015ede37ba7ad.exe
Size

11KB
MD5

0256ac47f06de13e02b0c72a01849526
SHA1

4f2de36fc09a6e90b86099a364f9c77d77c0921c
SHA256

a2706192018c4c96adc13a5a64381c47c794217ea0d0263042a015ede37ba7ad
SHA512

842c42d9b9c1c59c4df5067f98808ffa730609995d7dc46012ca2fde76b6ebc5d8fa4ac87c1b99436cfff05d1157edf0b40b9c49e9308a6a19ed8f7c3b255ed5
SSDEEP

192:Lsnxb6/P0BeD+Pg8eew30jbQULM76Q7/p/JbOWZ/p28Phr2Vrnqfd:Lsxb6/Pey+P9vpLMuQ7vZZ0rqf

Score

8^/10

evasion upx

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1608-137-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\chinasougou.ime	a2706192018c4c96adc13a5a64381c47c794217ea0d0263042a015ede37ba7ad.exe
File created	C:\Windows\SysWOW64\yuksuser.dll	a2706192018c4c96adc13a5a64381c47c794217ea0d0263042a015ede37ba7ad.exe
File opened for modification	C:\Windows\SysWOW64\yuksuser.dll	a2706192018c4c96adc13a5a64381c47c794217ea0d0263042a015ede37ba7ad.exe
File created	C:\Windows\SysWOW64\yumidimap.dll	a2706192018c4c96adc13a5a64381c47c794217ea0d0263042a015ede37ba7ad.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3064	sc.exe
4880	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1608	a2706192018c4c96adc13a5a64381c47c794217ea0d0263042a015ede37ba7ad.exe
1608	a2706192018c4c96adc13a5a64381c47c794217ea0d0263042a015ede37ba7ad.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1608	a2706192018c4c96adc13a5a64381c47c794217ea0d0263042a015ede37ba7ad.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 2300	1608	a2706192018c4c96adc13a5a64381c47c794217ea0d0263042a015ede37ba7ad.exe	81
PID 1608 wrote to memory of 2300	1608	a2706192018c4c96adc13a5a64381c47c794217ea0d0263042a015ede37ba7ad.exe	81
PID 1608 wrote to memory of 2300	1608	a2706192018c4c96adc13a5a64381c47c794217ea0d0263042a015ede37ba7ad.exe	81
PID 1608 wrote to memory of 3064	1608	a2706192018c4c96adc13a5a64381c47c794217ea0d0263042a015ede37ba7ad.exe	82
PID 1608 wrote to memory of 3064	1608	a2706192018c4c96adc13a5a64381c47c794217ea0d0263042a015ede37ba7ad.exe	82
PID 1608 wrote to memory of 3064	1608	a2706192018c4c96adc13a5a64381c47c794217ea0d0263042a015ede37ba7ad.exe	82
PID 1608 wrote to memory of 4880	1608	a2706192018c4c96adc13a5a64381c47c794217ea0d0263042a015ede37ba7ad.exe	83
PID 1608 wrote to memory of 4880	1608	a2706192018c4c96adc13a5a64381c47c794217ea0d0263042a015ede37ba7ad.exe	83
PID 1608 wrote to memory of 4880	1608	a2706192018c4c96adc13a5a64381c47c794217ea0d0263042a015ede37ba7ad.exe	83
PID 1608 wrote to memory of 4796	1608	a2706192018c4c96adc13a5a64381c47c794217ea0d0263042a015ede37ba7ad.exe	87
PID 1608 wrote to memory of 4796	1608	a2706192018c4c96adc13a5a64381c47c794217ea0d0263042a015ede37ba7ad.exe	87
PID 1608 wrote to memory of 4796	1608	a2706192018c4c96adc13a5a64381c47c794217ea0d0263042a015ede37ba7ad.exe	87
PID 2300 wrote to memory of 3668	2300	net.exe	89
PID 2300 wrote to memory of 3668	2300	net.exe	89
PID 2300 wrote to memory of 3668	2300	net.exe	89
PID 4796 wrote to memory of 3608	4796	net.exe	90
PID 4796 wrote to memory of 3608	4796	net.exe	90
PID 4796 wrote to memory of 3608	4796	net.exe	90

C:\Users\Admin\AppData\Local\Temp\a2706192018c4c96adc13a5a64381c47c794217ea0d0263042a015ede37ba7ad.exe
"C:\Users\Admin\AppData\Local\Temp\a2706192018c4c96adc13a5a64381c47c794217ea0d0263042a015ede37ba7ad.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    PID:3668
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:3064
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  PID:4880
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:3608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1608-137-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download