4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475

General

Target

4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe
Size

438KB
MD5

31df806fabf0ddfc8d61c5d761c57d6c
SHA1

7992a38a86b3040f139731491defd3c61e0e0e97
SHA256

4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475
SHA512

55276e47ed366b5beb4dd4c780a8c00befe60bb039181592b467f8f6b2903703fc36937f4c695c6a95a27cd6aa2d1a0ed7b28ad28381079c2efac35469f155e8
SSDEEP

12288:50NGKiHsOHbg4v5KLYvkVNTBp6RW+FHQ7+GCf+R:6NfiHj8YF6N9p6RWyQ7+GCy

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

DbSecuritySpt.exe

pid process

1992 DbSecuritySpt.exe

pid	process
1992	DbSecuritySpt.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/576-54-0x0000000000FC0000-0x0000000001102000-memory.dmp	upx
behavioral1/memory/576-65-0x0000000000FC0000-0x0000000001102000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

DbSecuritySpt.exeWerFault.exe

pid process

1992 DbSecuritySpt.exe
1164 WerFault.exe
1164 WerFault.exe
1164 WerFault.exe

pid	process
1992	DbSecuritySpt.exe
1164	WerFault.exe
1164	WerFault.exe
1164	WerFault.exe

Drops file in Program Files directory 3 IoCs

Processes:

4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe

description	ioc	process
File created	C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe
File created	C:\Program Files\DbSecuritySpt\svch0st.exe	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe
File created	C:\Program Files\DbSecuritySpt\SESDKDummy.dll	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1164 1992 WerFault.exe DbSecuritySpt.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

Taskkill.exeTaskkill.exeTaskkill.exe

pid process

540 Taskkill.exe
892 Taskkill.exe
1360 Taskkill.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Taskkill.exeTaskkill.exeTaskkill.exe

description pid process

Token: SeDebugPrivilege 892 Taskkill.exe
Token: SeDebugPrivilege 1360 Taskkill.exe
Token: SeDebugPrivilege 540 Taskkill.exe

pid	pid_target	process	target process
1164	1992	WerFault.exe	DbSecuritySpt.exe

pid	process
540	Taskkill.exe
892	Taskkill.exe
1360	Taskkill.exe

description	pid	process
Token: SeDebugPrivilege	892	Taskkill.exe
Token: SeDebugPrivilege	1360	Taskkill.exe
Token: SeDebugPrivilege	540	Taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exeDbSecuritySpt.exe

description	pid	process	target process
PID 576 wrote to memory of 892	576	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe	Taskkill.exe
PID 576 wrote to memory of 892	576	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe	Taskkill.exe
PID 576 wrote to memory of 892	576	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe	Taskkill.exe
PID 576 wrote to memory of 892	576	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe	Taskkill.exe
PID 576 wrote to memory of 1360	576	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe	Taskkill.exe
PID 576 wrote to memory of 1360	576	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe	Taskkill.exe
PID 576 wrote to memory of 1360	576	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe	Taskkill.exe
PID 576 wrote to memory of 1360	576	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe	Taskkill.exe
PID 576 wrote to memory of 540	576	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe	Taskkill.exe
PID 576 wrote to memory of 540	576	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe	Taskkill.exe
PID 576 wrote to memory of 540	576	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe	Taskkill.exe
PID 576 wrote to memory of 540	576	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe	Taskkill.exe
PID 1992 wrote to memory of 1164	1992	DbSecuritySpt.exe	WerFault.exe
PID 1992 wrote to memory of 1164	1992	DbSecuritySpt.exe	WerFault.exe
PID 1992 wrote to memory of 1164	1992	DbSecuritySpt.exe	WerFault.exe
PID 1992 wrote to memory of 1164	1992	DbSecuritySpt.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe
"C:\Users\Admin\AppData\Local\Temp\4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\Taskkill.exe
Taskkill /F /IM DbSecuritySpt.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\SysWOW64\Taskkill.exe
Taskkill /F /IM Bill.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\SysWOW64\Taskkill.exe
Taskkill /F /IM svch0st.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe
"C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 136
2⤵
- Loads dropped DLL
- Program crash
PID:1164

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe
Filesize
264KB

MD5
e5dd18442f2a0a773b5447dcf2692354

SHA1
dce9abe63045cc09b2b242364335caa518ba4db2

SHA256
9ec4ff1da41f33ad8c91eb4922e6965596042ad2d814c7901cf5bafba503ab2a

SHA512
1614c4ed82242ba0e12843ab46d43fc48fbaab951417c19ac20832aa7bf441bdacdb1d15e32f16622f06db819d8a2823ca56905187c6fdabaebdb56e683535d5

Download Submit
C:\Program Files\DbSecuritySpt\SESDKDummy.dll
Filesize
57KB

MD5
66de92b4ef6b9dd67952f8aec842792f

SHA1
fd55893b463361209bccd2e059536bf383371ef0

SHA256
3a95e3ed5fb56b97345e59c7346d8f1057ed09812750b586b5a9d4066fdeee0b

SHA512
8d2311f4d2c30032462b4f18f3266a49b10ef9d99e71c3ea6dc7369be558179ea4358d2dac503682644c7de421efbb8421a6df5621cedceb09eb2193fe306816

Download Submit
\Program Files\DbSecuritySpt\DbSecuritySpt.exe
Filesize
264KB

MD5
e5dd18442f2a0a773b5447dcf2692354

SHA1
dce9abe63045cc09b2b242364335caa518ba4db2

SHA256
9ec4ff1da41f33ad8c91eb4922e6965596042ad2d814c7901cf5bafba503ab2a

SHA512
1614c4ed82242ba0e12843ab46d43fc48fbaab951417c19ac20832aa7bf441bdacdb1d15e32f16622f06db819d8a2823ca56905187c6fdabaebdb56e683535d5

Download Submit
\Program Files\DbSecuritySpt\DbSecuritySpt.exe
Filesize
264KB

MD5
e5dd18442f2a0a773b5447dcf2692354

SHA1
dce9abe63045cc09b2b242364335caa518ba4db2

SHA256
9ec4ff1da41f33ad8c91eb4922e6965596042ad2d814c7901cf5bafba503ab2a

SHA512
1614c4ed82242ba0e12843ab46d43fc48fbaab951417c19ac20832aa7bf441bdacdb1d15e32f16622f06db819d8a2823ca56905187c6fdabaebdb56e683535d5

Download Submit
\Program Files\DbSecuritySpt\DbSecuritySpt.exe
Filesize
264KB

MD5
e5dd18442f2a0a773b5447dcf2692354

SHA1
dce9abe63045cc09b2b242364335caa518ba4db2

SHA256
9ec4ff1da41f33ad8c91eb4922e6965596042ad2d814c7901cf5bafba503ab2a

SHA512
1614c4ed82242ba0e12843ab46d43fc48fbaab951417c19ac20832aa7bf441bdacdb1d15e32f16622f06db819d8a2823ca56905187c6fdabaebdb56e683535d5

Download Submit
\Program Files\DbSecuritySpt\SESDKDummy.dll
Filesize
57KB

MD5
66de92b4ef6b9dd67952f8aec842792f

SHA1
fd55893b463361209bccd2e059536bf383371ef0

SHA256
3a95e3ed5fb56b97345e59c7346d8f1057ed09812750b586b5a9d4066fdeee0b

SHA512
8d2311f4d2c30032462b4f18f3266a49b10ef9d99e71c3ea6dc7369be558179ea4358d2dac503682644c7de421efbb8421a6df5621cedceb09eb2193fe306816

Download Submit
memory/540-57-0x0000000000000000-mapping.dmp

Download
memory/576-54-0x0000000000FC0000-0x0000000001102000-memory.dmp

Filesize
1.3MB

Download
memory/576-65-0x0000000000FC0000-0x0000000001102000-memory.dmp

Filesize
1.3MB

Download
memory/892-55-0x0000000000000000-mapping.dmp

Download
memory/1164-61-0x0000000000000000-mapping.dmp

Download
memory/1360-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads