17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b

General

Target

17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe
Size

438KB
MD5

5d3f275907267f0afba257ffc970c9a4
SHA1

b6b93431ac8e0e8e01d7f71e37ebeb5bf21e58c2
SHA256

17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b
SHA512

b80b90bc78e92ab36c619d4b946975468c68429acd5d68c5aa1b4f3aa25500beef23578f5dc11bbd20624556646ea93db66ed5ea62a5d830bc59937e3af01b14
SSDEEP

12288:r0NGKiHsOHbg4v5KLYvkVNTDlAWkS0dqX:gNfiHj8YF6NKFdq

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

DbSecuritySpt.exe

pid process

884 DbSecuritySpt.exe

pid	process
884	DbSecuritySpt.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1048-54-0x0000000000950000-0x0000000000A92000-memory.dmp	upx
behavioral1/memory/1048-65-0x0000000000950000-0x0000000000A92000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

DbSecuritySpt.exeWerFault.exe

pid process

884 DbSecuritySpt.exe
1488 WerFault.exe
1488 WerFault.exe
1488 WerFault.exe

pid	process
884	DbSecuritySpt.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe

Drops file in Program Files directory 3 IoCs

Processes:

17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe

description	ioc	process
File created	C:\Program Files\DbSecuritySpt\svch0st.exe	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe
File created	C:\Program Files\DbSecuritySpt\SESDKDummy.dll	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe
File created	C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1488 884 WerFault.exe DbSecuritySpt.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

Taskkill.exeTaskkill.exeTaskkill.exe

pid process

948 Taskkill.exe
1872 Taskkill.exe
1728 Taskkill.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Taskkill.exeTaskkill.exeTaskkill.exe

description pid process

Token: SeDebugPrivilege 948 Taskkill.exe
Token: SeDebugPrivilege 1872 Taskkill.exe
Token: SeDebugPrivilege 1728 Taskkill.exe

pid	pid_target	process	target process
1488	884	WerFault.exe	DbSecuritySpt.exe

pid	process
948	Taskkill.exe
1872	Taskkill.exe
1728	Taskkill.exe

description	pid	process
Token: SeDebugPrivilege	948	Taskkill.exe
Token: SeDebugPrivilege	1872	Taskkill.exe
Token: SeDebugPrivilege	1728	Taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exeDbSecuritySpt.exe

description	pid	process	target process
PID 1048 wrote to memory of 948	1048	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe	Taskkill.exe
PID 1048 wrote to memory of 948	1048	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe	Taskkill.exe
PID 1048 wrote to memory of 948	1048	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe	Taskkill.exe
PID 1048 wrote to memory of 948	1048	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe	Taskkill.exe
PID 1048 wrote to memory of 1872	1048	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe	Taskkill.exe
PID 1048 wrote to memory of 1872	1048	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe	Taskkill.exe
PID 1048 wrote to memory of 1872	1048	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe	Taskkill.exe
PID 1048 wrote to memory of 1872	1048	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe	Taskkill.exe
PID 1048 wrote to memory of 1728	1048	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe	Taskkill.exe
PID 1048 wrote to memory of 1728	1048	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe	Taskkill.exe
PID 1048 wrote to memory of 1728	1048	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe	Taskkill.exe
PID 1048 wrote to memory of 1728	1048	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe	Taskkill.exe
PID 884 wrote to memory of 1488	884	DbSecuritySpt.exe	WerFault.exe
PID 884 wrote to memory of 1488	884	DbSecuritySpt.exe	WerFault.exe
PID 884 wrote to memory of 1488	884	DbSecuritySpt.exe	WerFault.exe
PID 884 wrote to memory of 1488	884	DbSecuritySpt.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe
"C:\Users\Admin\AppData\Local\Temp\17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\Taskkill.exe
Taskkill /F /IM DbSecuritySpt.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\SysWOW64\Taskkill.exe
Taskkill /F /IM Bill.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\SysWOW64\Taskkill.exe
Taskkill /F /IM svch0st.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe
"C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 136
2⤵
- Loads dropped DLL
- Program crash
PID:1488

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe
Filesize
264KB

MD5
839efbfca9a2827abe7bfc62382809b9

SHA1
11db11ef31ad2cbbd22acdb34d1f9edf7594dc48

SHA256
c2440ae690737ac9992f3ff4185b00e2fb50f8a974bff6f50f1d84892aaa71d4

SHA512
00e3d249e2a651d42728e759b03ec127be996d45689950b5d1d4e6d203e6b933465a2dc5f904aed0812d0cf04594a13dfd083787a695d6cdb0ff7704e070d180

Download Submit
C:\Program Files\DbSecuritySpt\SESDKDummy.dll
Filesize
57KB

MD5
66de92b4ef6b9dd67952f8aec842792f

SHA1
fd55893b463361209bccd2e059536bf383371ef0

SHA256
3a95e3ed5fb56b97345e59c7346d8f1057ed09812750b586b5a9d4066fdeee0b

SHA512
8d2311f4d2c30032462b4f18f3266a49b10ef9d99e71c3ea6dc7369be558179ea4358d2dac503682644c7de421efbb8421a6df5621cedceb09eb2193fe306816

Download Submit
\Program Files\DbSecuritySpt\DbSecuritySpt.exe
Filesize
264KB

MD5
839efbfca9a2827abe7bfc62382809b9

SHA1
11db11ef31ad2cbbd22acdb34d1f9edf7594dc48

SHA256
c2440ae690737ac9992f3ff4185b00e2fb50f8a974bff6f50f1d84892aaa71d4

SHA512
00e3d249e2a651d42728e759b03ec127be996d45689950b5d1d4e6d203e6b933465a2dc5f904aed0812d0cf04594a13dfd083787a695d6cdb0ff7704e070d180

Download Submit
\Program Files\DbSecuritySpt\DbSecuritySpt.exe
Filesize
264KB

MD5
839efbfca9a2827abe7bfc62382809b9

SHA1
11db11ef31ad2cbbd22acdb34d1f9edf7594dc48

SHA256
c2440ae690737ac9992f3ff4185b00e2fb50f8a974bff6f50f1d84892aaa71d4

SHA512
00e3d249e2a651d42728e759b03ec127be996d45689950b5d1d4e6d203e6b933465a2dc5f904aed0812d0cf04594a13dfd083787a695d6cdb0ff7704e070d180

Download Submit
\Program Files\DbSecuritySpt\DbSecuritySpt.exe
Filesize
264KB

MD5
839efbfca9a2827abe7bfc62382809b9

SHA1
11db11ef31ad2cbbd22acdb34d1f9edf7594dc48

SHA256
c2440ae690737ac9992f3ff4185b00e2fb50f8a974bff6f50f1d84892aaa71d4

SHA512
00e3d249e2a651d42728e759b03ec127be996d45689950b5d1d4e6d203e6b933465a2dc5f904aed0812d0cf04594a13dfd083787a695d6cdb0ff7704e070d180

Download Submit
\Program Files\DbSecuritySpt\SESDKDummy.dll
Filesize
57KB

MD5
66de92b4ef6b9dd67952f8aec842792f

SHA1
fd55893b463361209bccd2e059536bf383371ef0

SHA256
3a95e3ed5fb56b97345e59c7346d8f1057ed09812750b586b5a9d4066fdeee0b

SHA512
8d2311f4d2c30032462b4f18f3266a49b10ef9d99e71c3ea6dc7369be558179ea4358d2dac503682644c7de421efbb8421a6df5621cedceb09eb2193fe306816

Download Submit
memory/948-55-0x0000000000000000-mapping.dmp

Download
memory/1048-54-0x0000000000950000-0x0000000000A92000-memory.dmp

Filesize
1.3MB

Download
memory/1048-65-0x0000000000950000-0x0000000000A92000-memory.dmp

Filesize
1.3MB

Download
memory/1488-61-0x0000000000000000-mapping.dmp

Download
memory/1728-57-0x0000000000000000-mapping.dmp

Download
memory/1872-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads