991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a

General

Target

991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
Size

32KB
MD5

fbd5ca774c80b9407b78bd5c6856fd11
SHA1

b97d484d2abe716fff0ce88526257ebf6ac629f4
SHA256

991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a
SHA512

4cda55906e7ac93f5fdc9e9d1efe26f1639ea79d17222eb92231b5f4c93fdc8fc9cb9c21af9110667c677176bfa70bcd1e16e56ed6b712fcf143454b8efbb033
SSDEEP

768:LIjGFy8mveHt+ozeGlfhJ1GbeP0GIWfqYU:LIGmM+oq0J1GKiWfqYU

Score

8^/10

evasion upx

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4876-132-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/4876-137-0x0000000000400000-0x0000000000415000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1664 rundll32.exe

pid	process
1664	rundll32.exe

Drops file in System32 directory 11 IoCs

Processes:

991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sysapp43.dll	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
File opened for modification	C:\Windows\SysWOW64\yuksuser.dll	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
File created	C:\Windows\SysWOW64\ksuser.dll	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
File created	C:\Windows\SysWOW64\dllcache\ksuser.dll	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
File created	C:\Windows\SysWOW64\yumidimap.dll	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
File created	C:\Windows\SysWOW64\yumsimg32.dll	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
File created	C:\Windows\SysWOW64\msimg32.dll	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
File created	C:\Windows\SysWOW64\dllcache\msimg32.dll	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
File created	C:\Windows\SysWOW64\yuksuser.dll	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
File created	C:\Windows\SysWOW64\midimap.dll	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

1128 sc.exe
2704 sc.exe
Runs net.exe

pid	process
1128	sc.exe
2704	sc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe

pid	process
4876	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
4876	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
4876	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
4876	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
4876	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
4876	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe

pid process

4876 991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exenet.exe

description	pid	process	target process
PID 4876 wrote to memory of 1152	4876	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	net.exe
PID 4876 wrote to memory of 1152	4876	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	net.exe
PID 4876 wrote to memory of 1152	4876	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	net.exe
PID 4876 wrote to memory of 1128	4876	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	sc.exe
PID 4876 wrote to memory of 1128	4876	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	sc.exe
PID 4876 wrote to memory of 1128	4876	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	sc.exe
PID 4876 wrote to memory of 2704	4876	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	sc.exe
PID 4876 wrote to memory of 2704	4876	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	sc.exe
PID 4876 wrote to memory of 2704	4876	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	sc.exe
PID 4876 wrote to memory of 1664	4876	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	rundll32.exe
PID 4876 wrote to memory of 1664	4876	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	rundll32.exe
PID 4876 wrote to memory of 1664	4876	991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe	rundll32.exe
PID 1152 wrote to memory of 5084	1152	net.exe	net1.exe
PID 1152 wrote to memory of 5084	1152	net.exe	net1.exe
PID 1152 wrote to memory of 5084	1152	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
"C:\Users\Admin\AppData\Local\Temp\991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\SysWOW64\net.exe
net stop cryptsvc
2⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop cryptsvc
3⤵
PID:5084

C:\Windows\SysWOW64\sc.exe
sc config cryptsvc start= disabled
2⤵
- Launches sc.exe
PID:1128

C:\Windows\SysWOW64\sc.exe
sc delete cryptsvc
2⤵
- Launches sc.exe
PID:2704

C:\Windows\SysWOW64\rundll32.exe
C:\Users\Admin\AppData\Local\Temp\1669198237.dat, ServerMain c:\users\admin\appdata\local\temp\991f416e2ef9b45df3eb7c5b6a2d2d6e3b08446e97d2285f9e7073d33a511e9a.exe
2⤵
- Loads dropped DLL
PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1669198237.dat

Filesize
32KB

MD5
f50f3029c51728748dfe9b5161effe87

SHA1
8c04381d609fe45c79b6cd9a0131bb58c041e60a

SHA256
f355e21c804f923e00547778a1c81d9748f5ab5b29abc29956f5ecf0ca1c0832

SHA512
f4a0b80400ece5054a300f4bf473c2a5d79db63030857b59765cbe5cffd109c58dbfe7e91b65eaab370fe3d1cb608172b798cf06131cf3df9355006b38c4b26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1669198237.dat

Filesize
32KB

MD5
f50f3029c51728748dfe9b5161effe87

SHA1
8c04381d609fe45c79b6cd9a0131bb58c041e60a

SHA256
f355e21c804f923e00547778a1c81d9748f5ab5b29abc29956f5ecf0ca1c0832

SHA512
f4a0b80400ece5054a300f4bf473c2a5d79db63030857b59765cbe5cffd109c58dbfe7e91b65eaab370fe3d1cb608172b798cf06131cf3df9355006b38c4b26a

Download Submit
memory/1128-134-0x0000000000000000-mapping.dmp

Download
memory/1152-133-0x0000000000000000-mapping.dmp

Download
memory/1664-136-0x0000000000000000-mapping.dmp

Download
memory/2704-135-0x0000000000000000-mapping.dmp

Download
memory/4876-132-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4876-137-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5084-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads