17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b

General

Target

17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe
Size

438KB
MD5

5d3f275907267f0afba257ffc970c9a4
SHA1

b6b93431ac8e0e8e01d7f71e37ebeb5bf21e58c2
SHA256

17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b
SHA512

b80b90bc78e92ab36c619d4b946975468c68429acd5d68c5aa1b4f3aa25500beef23578f5dc11bbd20624556646ea93db66ed5ea62a5d830bc59937e3af01b14
SSDEEP

12288:r0NGKiHsOHbg4v5KLYvkVNTDlAWkS0dqX:gNfiHj8YF6NKFdq

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

DbSecuritySpt.exe

pid process

4488 DbSecuritySpt.exe

pid	process
4488	DbSecuritySpt.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4216-132-0x0000000000990000-0x0000000000AD2000-memory.dmp	upx
behavioral2/memory/4216-140-0x0000000000990000-0x0000000000AD2000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

DbSecuritySpt.exe

pid process

4488 DbSecuritySpt.exe

pid	process
4488	DbSecuritySpt.exe

Drops file in Program Files directory 3 IoCs

Processes:

17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe

description	ioc	process
File created	C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe
File created	C:\Program Files\DbSecuritySpt\svch0st.exe	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe
File created	C:\Program Files\DbSecuritySpt\SESDKDummy.dll	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4224 4488 WerFault.exe DbSecuritySpt.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

Taskkill.exeTaskkill.exeTaskkill.exe

pid process

4172 Taskkill.exe
1020 Taskkill.exe
3632 Taskkill.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Taskkill.exeTaskkill.exeTaskkill.exe

description pid process

Token: SeDebugPrivilege 4172 Taskkill.exe
Token: SeDebugPrivilege 1020 Taskkill.exe
Token: SeDebugPrivilege 3632 Taskkill.exe

pid	pid_target	process	target process
4224	4488	WerFault.exe	DbSecuritySpt.exe

pid	process
4172	Taskkill.exe
1020	Taskkill.exe
3632	Taskkill.exe

description	pid	process
Token: SeDebugPrivilege	4172	Taskkill.exe
Token: SeDebugPrivilege	1020	Taskkill.exe
Token: SeDebugPrivilege	3632	Taskkill.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe

description	pid	process	target process
PID 4216 wrote to memory of 4172	4216	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe	Taskkill.exe
PID 4216 wrote to memory of 4172	4216	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe	Taskkill.exe
PID 4216 wrote to memory of 4172	4216	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe	Taskkill.exe
PID 4216 wrote to memory of 1020	4216	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe	Taskkill.exe
PID 4216 wrote to memory of 1020	4216	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe	Taskkill.exe
PID 4216 wrote to memory of 1020	4216	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe	Taskkill.exe
PID 4216 wrote to memory of 3632	4216	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe	Taskkill.exe
PID 4216 wrote to memory of 3632	4216	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe	Taskkill.exe
PID 4216 wrote to memory of 3632	4216	17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe	Taskkill.exe

C:\Users\Admin\AppData\Local\Temp\17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe
"C:\Users\Admin\AppData\Local\Temp\17cfc6c5ff6c0cbec617e6153a151ccab8db348fd87fecfea87a283af5c7a89b.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\SysWOW64\Taskkill.exe
Taskkill /F /IM DbSecuritySpt.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\SysWOW64\Taskkill.exe
Taskkill /F /IM Bill.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\SysWOW64\Taskkill.exe
Taskkill /F /IM svch0st.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe
"C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 296
2⤵
- Program crash
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4488 -ip 4488
1⤵
PID:1508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe
Filesize
264KB

MD5
839efbfca9a2827abe7bfc62382809b9

SHA1
11db11ef31ad2cbbd22acdb34d1f9edf7594dc48

SHA256
c2440ae690737ac9992f3ff4185b00e2fb50f8a974bff6f50f1d84892aaa71d4

SHA512
00e3d249e2a651d42728e759b03ec127be996d45689950b5d1d4e6d203e6b933465a2dc5f904aed0812d0cf04594a13dfd083787a695d6cdb0ff7704e070d180

Download Submit
C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe
Filesize
264KB

MD5
839efbfca9a2827abe7bfc62382809b9

SHA1
11db11ef31ad2cbbd22acdb34d1f9edf7594dc48

SHA256
c2440ae690737ac9992f3ff4185b00e2fb50f8a974bff6f50f1d84892aaa71d4

SHA512
00e3d249e2a651d42728e759b03ec127be996d45689950b5d1d4e6d203e6b933465a2dc5f904aed0812d0cf04594a13dfd083787a695d6cdb0ff7704e070d180

Download Submit
C:\Program Files\DbSecuritySpt\SESDKDummy.dll
Filesize
57KB

MD5
66de92b4ef6b9dd67952f8aec842792f

SHA1
fd55893b463361209bccd2e059536bf383371ef0

SHA256
3a95e3ed5fb56b97345e59c7346d8f1057ed09812750b586b5a9d4066fdeee0b

SHA512
8d2311f4d2c30032462b4f18f3266a49b10ef9d99e71c3ea6dc7369be558179ea4358d2dac503682644c7de421efbb8421a6df5621cedceb09eb2193fe306816

Download Submit
C:\Program Files\DbSecuritySpt\SESDKDummy.dll
Filesize
57KB

MD5
66de92b4ef6b9dd67952f8aec842792f

SHA1
fd55893b463361209bccd2e059536bf383371ef0

SHA256
3a95e3ed5fb56b97345e59c7346d8f1057ed09812750b586b5a9d4066fdeee0b

SHA512
8d2311f4d2c30032462b4f18f3266a49b10ef9d99e71c3ea6dc7369be558179ea4358d2dac503682644c7de421efbb8421a6df5621cedceb09eb2193fe306816

Download Submit
memory/1020-134-0x0000000000000000-mapping.dmp

Download
memory/3632-135-0x0000000000000000-mapping.dmp

Download
memory/4172-133-0x0000000000000000-mapping.dmp

Download
memory/4216-132-0x0000000000990000-0x0000000000AD2000-memory.dmp

Filesize
1.3MB

Download
memory/4216-140-0x0000000000990000-0x0000000000AD2000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads