d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11

General

Target

d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe
Size

33KB
MD5

0e3aa2add5449ce1b9e488d119afb665
SHA1

abf19c36bdcac0ed2628fc32ca241026a7774c78
SHA256

d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11
SHA512

ff22a1fa3a6193ef973f00afcbfbdc99072945c16cbdc10af736b39da8b1caed5f1e7cc04368a80ee581ea09c9df6f236a8a45d75b262daa4c18344bb3b30e2c
SSDEEP

768:eeq5YtQ4NB86TQZXh4lxJhwtssxDGja6PEeiLjM:ezmC42Mit3xD0a6s7j

Score

8^/10

evasion upx

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1456-58-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1680	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
1680	rundll32.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yumidimap.dll	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe
File created	C:\Windows\SysWOW64\yumsimg32.dll	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe
File created	C:\Windows\SysWOW64\msimg32.dll	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe
File created	C:\Windows\SysWOW64\dllcache\msimg32.dll	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe
File created	C:\Windows\SysWOW64\yuksuser.dll	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe
File created	C:\Windows\SysWOW64\ksuser.dll	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe
File created	C:\Windows\SysWOW64\midimap.dll	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe
File created	C:\Windows\SysWOW64\sysapp18.dll	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe
File opened for modification	C:\Windows\SysWOW64\yuksuser.dll	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe
File created	C:\Windows\SysWOW64\dllcache\ksuser.dll	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1472	sc.exe
1696	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1456	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe
1456	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe
1456	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1456	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1524	1456	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe	26
PID 1456 wrote to memory of 1524	1456	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe	26
PID 1456 wrote to memory of 1524	1456	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe	26
PID 1456 wrote to memory of 1524	1456	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe	26
PID 1456 wrote to memory of 1696	1456	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe	27
PID 1456 wrote to memory of 1696	1456	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe	27
PID 1456 wrote to memory of 1696	1456	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe	27
PID 1456 wrote to memory of 1696	1456	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe	27
PID 1456 wrote to memory of 1472	1456	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe	30
PID 1456 wrote to memory of 1472	1456	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe	30
PID 1456 wrote to memory of 1472	1456	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe	30
PID 1456 wrote to memory of 1472	1456	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe	30
PID 1456 wrote to memory of 1680	1456	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe	32
PID 1456 wrote to memory of 1680	1456	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe	32
PID 1456 wrote to memory of 1680	1456	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe	32
PID 1456 wrote to memory of 1680	1456	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe	32
PID 1456 wrote to memory of 1680	1456	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe	32
PID 1456 wrote to memory of 1680	1456	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe	32
PID 1456 wrote to memory of 1680	1456	d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe	32
PID 1524 wrote to memory of 1376	1524	net.exe	33
PID 1524 wrote to memory of 1376	1524	net.exe	33
PID 1524 wrote to memory of 1376	1524	net.exe	33
PID 1524 wrote to memory of 1376	1524	net.exe	33

C:\Users\Admin\AppData\Local\Temp\d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe
"C:\Users\Admin\AppData\Local\Temp\d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    PID:1376
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1696
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  PID:1472
- C:\Windows\SysWOW64\rundll32.exe
  C:\Users\Admin\AppData\Local\Temp\1667839045.dat, ServerMain c:\users\admin\appdata\local\temp\d65d9653d96eb9ba9dd4025425d58b52b2d5bc0ade5eb8bea935ad1fd5d55f11.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  PID:1680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1667839045.dat

Filesize
33KB

MD5
03260eb5e3dfc791e039258e25242746

SHA1
29ad115e35dc6b27fd5f2296048d2336b76fe4bd

SHA256
03558ce6644a8e36115724c70edd24713a8bbd79832861e880a0a53333ef32de

SHA512
3e64f0852347bd796c779232cfdd9490516642b2cca818d96a7d4fe58e2e4510f86cc233cb08ad127b9cfd51cf7a5076456e5ed17e583b2827588eb327c1c51a

Download Submit
\Users\Admin\AppData\Local\Temp\1667839045.dat

Filesize
33KB

MD5
03260eb5e3dfc791e039258e25242746

SHA1
29ad115e35dc6b27fd5f2296048d2336b76fe4bd

SHA256
03558ce6644a8e36115724c70edd24713a8bbd79832861e880a0a53333ef32de

SHA512
3e64f0852347bd796c779232cfdd9490516642b2cca818d96a7d4fe58e2e4510f86cc233cb08ad127b9cfd51cf7a5076456e5ed17e583b2827588eb327c1c51a

Download Submit
memory/1456-58-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1680-59-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing