8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0

General

Target

8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0.exe
Size

148KB
MD5

5d91bce4a4998c8c4785e83d20fa6a00
SHA1

e81dfd146025a75c6b7e649489584a6f63f31d59
SHA256

8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0
SHA512

1619bfd5f2debef445a984921c5feab04811c9583c179e3745967d25e92efbd8a805127de016935016b97f98036c9e4b90c0f6d5597ab9728241f8a0b93cd7ed
SSDEEP

3072:E1/Bg7rshe/f0ljjLomq93mP6HvgIxcIxgIxcIxgIx36trJe/vrDDxw++kY:EZOsg/f6jImq92PQvgqcqgqcqgq36tlh

Score

8^/10

persistence upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0.exe

Executes dropped EXE 4 IoCs

Processes:

wID32.exewID32.exewID32.exewID32.exe

pid process

3464 wID32.exe
4544 wID32.exe
3660 wID32.exe
3436 wID32.exe

pid	process
3464	wID32.exe
4544	wID32.exe
3660	wID32.exe
3436	wID32.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3892-132-0x0000000000400000-0x0000000000426000-memory.dmp	upx
C:\Windows\SysWOW64\wID32.exe	upx
C:\Windows\SysWOW64\wID32.exe	upx
behavioral2/memory/3892-136-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3464-140-0x0000000000400000-0x0000000000426000-memory.dmp	upx
C:\Windows\SysWOW64\wID32.exe	upx
behavioral2/memory/4544-143-0x0000000000400000-0x0000000000426000-memory.dmp	upx
C:\Windows\SysWOW64\wID32.exe	upx
C:\Windows\SysWOW64\wID32.exe	upx
behavioral2/memory/3660-146-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3436-147-0x0000000000400000-0x0000000000426000-memory.dmp	upx

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wID32.exewID32.exe8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0.exewID32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	wID32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS ID SYSTEM = "\\wID32.exe"	wID32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS ID SYSTEM = "\\wID32.exe"	8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS ID SYSTEM = "\\wID32.exe"	8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS ID SYSTEM = "\\wID32.exe"	wID32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	wID32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS ID SYSTEM = "\\wID32.exe"	wID32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	wID32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	wID32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WINDOWS ID SYSTEM = "\\wID32.exe"	wID32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS ID SYSTEM = "\\wID32.exe"	wID32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS ID SYSTEM = "\\wID32.exe"	wID32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	wID32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	wID32.exe

Drops file in System32 directory 5 IoCs

Processes:

8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0.exewID32.exewID32.exewID32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wID32.exe	8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0.exe
File opened for modification	C:\Windows\SysWOW64\wID32.exe	8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0.exe
File created	C:\Windows\SysWOW64\wID32.exe	wID32.exe
File created	C:\Windows\SysWOW64\wID32.exe	wID32.exe
File created	C:\Windows\SysWOW64\wID32.exe	wID32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0.exewID32.exewID32.exewID32.exe

pid	process
3892	8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0.exe
3892	8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0.exe
3464	wID32.exe
3464	wID32.exe
4544	wID32.exe
4544	wID32.exe
3660	wID32.exe
3660	wID32.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0.exewID32.exewID32.exewID32.exewID32.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3892	8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0.exe
Token: SeDebugPrivilege	3892	8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0.exe
Token: SeIncBasePriorityPrivilege	3464	wID32.exe
Token: SeDebugPrivilege	3464	wID32.exe
Token: SeIncBasePriorityPrivilege	4544	wID32.exe
Token: SeDebugPrivilege	4544	wID32.exe
Token: SeIncBasePriorityPrivilege	3660	wID32.exe
Token: SeDebugPrivilege	3660	wID32.exe
Token: SeIncBasePriorityPrivilege	3436	wID32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0.exewID32.exewID32.exewID32.exe

description	pid	process	target process
PID 3892 wrote to memory of 3464	3892	8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0.exe	wID32.exe
PID 3892 wrote to memory of 3464	3892	8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0.exe	wID32.exe
PID 3892 wrote to memory of 3464	3892	8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0.exe	wID32.exe
PID 3464 wrote to memory of 4544	3464	wID32.exe	wID32.exe
PID 3464 wrote to memory of 4544	3464	wID32.exe	wID32.exe
PID 3464 wrote to memory of 4544	3464	wID32.exe	wID32.exe
PID 4544 wrote to memory of 3660	4544	wID32.exe	wID32.exe
PID 4544 wrote to memory of 3660	4544	wID32.exe	wID32.exe
PID 4544 wrote to memory of 3660	4544	wID32.exe	wID32.exe
PID 3660 wrote to memory of 3436	3660	wID32.exe	wID32.exe
PID 3660 wrote to memory of 3436	3660	wID32.exe	wID32.exe
PID 3660 wrote to memory of 3436	3660	wID32.exe	wID32.exe

C:\Users\Admin\AppData\Local\Temp\8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0.exe
"C:\Users\Admin\AppData\Local\Temp\8dc4383e650e56f2db1d4303ebb9a9bd01efe95185192311477aa323c7f261e0.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\SysWOW64\wID32.exe
C:\Windows\system32\wID32.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\SysWOW64\wID32.exe
C:\Windows\system32\wID32.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SysWOW64\wID32.exe
C:\Windows\system32\wID32.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\SysWOW64\wID32.exe
C:\Windows\system32\wID32.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wID32.exe

Filesize
148KB

MD5
145903b723a84b47726c537d61d2c9cd

SHA1
1f058e17eefbd79a3dfaeef618fe2dc92b8d1b67

SHA256
ae15c22aaa48975d99186ab900e215a670de2885e5c76201c0b253b029145daf

SHA512
02ed492cd456334b2298774a0f6450706b9b3409ce732a3507a36a7edc786e314517bc991fadd67948db94374c58adbccd59d3b46592faa934c2f504253bfab9

Download Submit
C:\Windows\SysWOW64\wID32.exe

Filesize
148KB

MD5
145903b723a84b47726c537d61d2c9cd

SHA1
1f058e17eefbd79a3dfaeef618fe2dc92b8d1b67

SHA256
ae15c22aaa48975d99186ab900e215a670de2885e5c76201c0b253b029145daf

SHA512
02ed492cd456334b2298774a0f6450706b9b3409ce732a3507a36a7edc786e314517bc991fadd67948db94374c58adbccd59d3b46592faa934c2f504253bfab9

Download Submit
C:\Windows\SysWOW64\wID32.exe

Filesize
148KB

MD5
145903b723a84b47726c537d61d2c9cd

SHA1
1f058e17eefbd79a3dfaeef618fe2dc92b8d1b67

SHA256
ae15c22aaa48975d99186ab900e215a670de2885e5c76201c0b253b029145daf

SHA512
02ed492cd456334b2298774a0f6450706b9b3409ce732a3507a36a7edc786e314517bc991fadd67948db94374c58adbccd59d3b46592faa934c2f504253bfab9

Download Submit
C:\Windows\SysWOW64\wID32.exe

Filesize
148KB

MD5
145903b723a84b47726c537d61d2c9cd

SHA1
1f058e17eefbd79a3dfaeef618fe2dc92b8d1b67

SHA256
ae15c22aaa48975d99186ab900e215a670de2885e5c76201c0b253b029145daf

SHA512
02ed492cd456334b2298774a0f6450706b9b3409ce732a3507a36a7edc786e314517bc991fadd67948db94374c58adbccd59d3b46592faa934c2f504253bfab9

Download Submit
C:\Windows\SysWOW64\wID32.exe

Filesize
148KB

MD5
145903b723a84b47726c537d61d2c9cd

SHA1
1f058e17eefbd79a3dfaeef618fe2dc92b8d1b67

SHA256
ae15c22aaa48975d99186ab900e215a670de2885e5c76201c0b253b029145daf

SHA512
02ed492cd456334b2298774a0f6450706b9b3409ce732a3507a36a7edc786e314517bc991fadd67948db94374c58adbccd59d3b46592faa934c2f504253bfab9

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
8b95555b732a949f315fe1be07d569c8

SHA1
f3519d211de90a10fd37070e826eca3b75c1c036

SHA256
404da7d6b58057f2b78973eaa33fb37abbb37a81e745bf3244e2c0c4e810d97b

SHA512
4db935212019596e787918059327bd3e0d8c2364fbc835f08ae5b389147fbffe78bd9c418cd00539f83c9d38137e74c815808ef11d7abd088f8d0eb346af154e

Download Submit
memory/3436-144-0x0000000000000000-mapping.dmp

Download
memory/3436-147-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3464-140-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3464-133-0x0000000000000000-mapping.dmp

Download
memory/3660-141-0x0000000000000000-mapping.dmp

Download
memory/3660-146-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3892-136-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3892-132-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4544-138-0x0000000000000000-mapping.dmp

Download
memory/4544-143-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads