991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a

General

Target

991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
Size

32KB
MD5

fbd5ca774c80b9407b78bd5c6856fd11
SHA1

b97d484d2abe716fff0ce88526257ebf6ac629f4
SHA256

991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a
SHA512

4cda55906e7ac93f5fdc9e9d1efe26f1639ea79d17222eb92231b5f4c93fdc8fc9cb9c21af9110667c677176bfa70bcd1e16e56ed6b712fcf143454b8efbb033
SSDEEP

768:LIjGFy8mveHt+ozeGlfhJ1GbeP0GIWfqYU:LIGmM+oq0J1GKiWfqYU

Score

8^/10

evasion upx

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2016-58-0x0000000000400000-0x0000000000415000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

rundll32.exe

pid process

320 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

320 rundll32.exe

pid	process
320	rundll32.exe

pid	process
320	rundll32.exe

Drops file in System32 directory 11 IoCs

Processes:

991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dllcache\ksuser.dll	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
File created	C:\Windows\SysWOW64\yumidimap.dll	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
File created	C:\Windows\SysWOW64\yumsimg32.dll	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
File created	C:\Windows\SysWOW64\msimg32.dll	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
File created	C:\Windows\SysWOW64\dllcache\msimg32.dll	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
File created	C:\Windows\SysWOW64\yuksuser.dll	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
File created	C:\Windows\SysWOW64\ksuser.dll	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
File created	C:\Windows\SysWOW64\midimap.dll	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
File created	C:\Windows\SysWOW64\sysapp43.dll	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
File opened for modification	C:\Windows\SysWOW64\yuksuser.dll	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

1896 sc.exe
1880 sc.exe
Runs net.exe

pid	process
1896	sc.exe
1880	sc.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe

pid	process
2016	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
2016	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
2016	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe

pid process

2016 991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exenet.exe

description	pid	process	target process
PID 2016 wrote to memory of 1080	2016	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	net.exe
PID 2016 wrote to memory of 1080	2016	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	net.exe
PID 2016 wrote to memory of 1080	2016	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	net.exe
PID 2016 wrote to memory of 1080	2016	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	net.exe
PID 2016 wrote to memory of 1896	2016	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	sc.exe
PID 2016 wrote to memory of 1896	2016	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	sc.exe
PID 2016 wrote to memory of 1896	2016	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	sc.exe
PID 2016 wrote to memory of 1896	2016	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	sc.exe
PID 2016 wrote to memory of 1880	2016	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	sc.exe
PID 2016 wrote to memory of 1880	2016	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	sc.exe
PID 2016 wrote to memory of 1880	2016	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	sc.exe
PID 2016 wrote to memory of 1880	2016	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	sc.exe
PID 2016 wrote to memory of 320	2016	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	rundll32.exe
PID 2016 wrote to memory of 320	2016	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	rundll32.exe
PID 2016 wrote to memory of 320	2016	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	rundll32.exe
PID 2016 wrote to memory of 320	2016	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	rundll32.exe
PID 2016 wrote to memory of 320	2016	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	rundll32.exe
PID 2016 wrote to memory of 320	2016	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	rundll32.exe
PID 2016 wrote to memory of 320	2016	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	rundll32.exe
PID 1080 wrote to memory of 1692	1080	net.exe	net1.exe
PID 1080 wrote to memory of 1692	1080	net.exe	net1.exe
PID 1080 wrote to memory of 1692	1080	net.exe	net1.exe
PID 1080 wrote to memory of 1692	1080	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
"C:\Users\Admin\AppData\Local\Temp\991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\net.exe
net stop cryptsvc
2⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop cryptsvc
3⤵
PID:1692

C:\Windows\SysWOW64\sc.exe
sc config cryptsvc start= disabled
2⤵
- Launches sc.exe
PID:1896

C:\Windows\SysWOW64\sc.exe
sc delete cryptsvc
2⤵
- Launches sc.exe
PID:1880

C:\Windows\SysWOW64\rundll32.exe
C:\Users\Admin\AppData\Local\Temp\1669198234.dat, ServerMain c:\users\admin\appdata\local\temp\991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
2⤵
- Deletes itself
- Loads dropped DLL
PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1669198234.dat

Filesize
32KB

MD5
54d1bbf2b652d706d19b2484da38ec5d

SHA1
dd1c3be12a7e8a7418c22a1b13f86268d3acb4f8

SHA256
5d541146cc5eeeaf89bd22e9e0c273d0ff7fb5c2f512bca6c30030d6eadb3fa5

SHA512
e1a89060f53706d2b4f06ab46a35a49cfd3bac351145b4630dfc7fd9d71637f5e27c76b2de87c30b05372c99c531d5df6f3727686e0a7f6a0883c8268f0ab779

Download Submit
\Users\Admin\AppData\Local\Temp\1669198234.dat

Filesize
32KB

MD5
54d1bbf2b652d706d19b2484da38ec5d

SHA1
dd1c3be12a7e8a7418c22a1b13f86268d3acb4f8

SHA256
5d541146cc5eeeaf89bd22e9e0c273d0ff7fb5c2f512bca6c30030d6eadb3fa5

SHA512
e1a89060f53706d2b4f06ab46a35a49cfd3bac351145b4630dfc7fd9d71637f5e27c76b2de87c30b05372c99c531d5df6f3727686e0a7f6a0883c8268f0ab779

Download Submit
memory/320-57-0x0000000000000000-mapping.dmp

Download
memory/320-60-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/1080-54-0x0000000000000000-mapping.dmp

Download
memory/1692-59-0x0000000000000000-mapping.dmp

Download
memory/1880-56-0x0000000000000000-mapping.dmp

Download
memory/1896-55-0x0000000000000000-mapping.dmp

Download
memory/2016-58-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads