4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475

General

Target

4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe
Size

438KB
MD5

31df806fabf0ddfc8d61c5d761c57d6c
SHA1

7992a38a86b3040f139731491defd3c61e0e0e97
SHA256

4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475
SHA512

55276e47ed366b5beb4dd4c780a8c00befe60bb039181592b467f8f6b2903703fc36937f4c695c6a95a27cd6aa2d1a0ed7b28ad28381079c2efac35469f155e8
SSDEEP

12288:50NGKiHsOHbg4v5KLYvkVNTBp6RW+FHQ7+GCf+R:6NfiHj8YF6N9p6RWyQ7+GCy

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

DbSecuritySpt.exe

pid process

112 DbSecuritySpt.exe

pid	process
112	DbSecuritySpt.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2332-132-0x00000000001A0000-0x00000000002E2000-memory.dmp	upx
behavioral2/memory/2332-140-0x00000000001A0000-0x00000000002E2000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

DbSecuritySpt.exe

pid process

112 DbSecuritySpt.exe

pid	process
112	DbSecuritySpt.exe

Drops file in Program Files directory 3 IoCs

Processes:

4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe

description	ioc	process
File created	C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe
File created	C:\Program Files\DbSecuritySpt\svch0st.exe	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe
File created	C:\Program Files\DbSecuritySpt\SESDKDummy.dll	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4544 112 WerFault.exe DbSecuritySpt.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

Taskkill.exeTaskkill.exeTaskkill.exe

pid process

4728 Taskkill.exe
2724 Taskkill.exe
2508 Taskkill.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Taskkill.exeTaskkill.exeTaskkill.exe

description pid process

Token: SeDebugPrivilege 2508 Taskkill.exe
Token: SeDebugPrivilege 4728 Taskkill.exe
Token: SeDebugPrivilege 2724 Taskkill.exe

pid	pid_target	process	target process
4544	112	WerFault.exe	DbSecuritySpt.exe

pid	process
4728	Taskkill.exe
2724	Taskkill.exe
2508	Taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2508	Taskkill.exe
Token: SeDebugPrivilege	4728	Taskkill.exe
Token: SeDebugPrivilege	2724	Taskkill.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe

description	pid	process	target process
PID 2332 wrote to memory of 2508	2332	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe	Taskkill.exe
PID 2332 wrote to memory of 2508	2332	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe	Taskkill.exe
PID 2332 wrote to memory of 2508	2332	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe	Taskkill.exe
PID 2332 wrote to memory of 4728	2332	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe	Taskkill.exe
PID 2332 wrote to memory of 4728	2332	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe	Taskkill.exe
PID 2332 wrote to memory of 4728	2332	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe	Taskkill.exe
PID 2332 wrote to memory of 2724	2332	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe	Taskkill.exe
PID 2332 wrote to memory of 2724	2332	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe	Taskkill.exe
PID 2332 wrote to memory of 2724	2332	4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe	Taskkill.exe

C:\Users\Admin\AppData\Local\Temp\4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe
"C:\Users\Admin\AppData\Local\Temp\4b5f91eaaf8522bf0f6f4fb7b9268292d051d88db06c1addb868dc09210cc475.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\SysWOW64\Taskkill.exe
Taskkill /F /IM DbSecuritySpt.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\SysWOW64\Taskkill.exe
Taskkill /F /IM Bill.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\SysWOW64\Taskkill.exe
Taskkill /F /IM svch0st.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe
"C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 296
2⤵
- Program crash
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 112 -ip 112
1⤵
PID:3704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe
Filesize
264KB

MD5
e5dd18442f2a0a773b5447dcf2692354

SHA1
dce9abe63045cc09b2b242364335caa518ba4db2

SHA256
9ec4ff1da41f33ad8c91eb4922e6965596042ad2d814c7901cf5bafba503ab2a

SHA512
1614c4ed82242ba0e12843ab46d43fc48fbaab951417c19ac20832aa7bf441bdacdb1d15e32f16622f06db819d8a2823ca56905187c6fdabaebdb56e683535d5

Download Submit
C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe
Filesize
264KB

MD5
e5dd18442f2a0a773b5447dcf2692354

SHA1
dce9abe63045cc09b2b242364335caa518ba4db2

SHA256
9ec4ff1da41f33ad8c91eb4922e6965596042ad2d814c7901cf5bafba503ab2a

SHA512
1614c4ed82242ba0e12843ab46d43fc48fbaab951417c19ac20832aa7bf441bdacdb1d15e32f16622f06db819d8a2823ca56905187c6fdabaebdb56e683535d5

Download Submit
C:\Program Files\DbSecuritySpt\SESDKDummy.dll
Filesize
57KB

MD5
66de92b4ef6b9dd67952f8aec842792f

SHA1
fd55893b463361209bccd2e059536bf383371ef0

SHA256
3a95e3ed5fb56b97345e59c7346d8f1057ed09812750b586b5a9d4066fdeee0b

SHA512
8d2311f4d2c30032462b4f18f3266a49b10ef9d99e71c3ea6dc7369be558179ea4358d2dac503682644c7de421efbb8421a6df5621cedceb09eb2193fe306816

Download Submit
C:\Program Files\DbSecuritySpt\SESDKDummy.dll
Filesize
57KB

MD5
66de92b4ef6b9dd67952f8aec842792f

SHA1
fd55893b463361209bccd2e059536bf383371ef0

SHA256
3a95e3ed5fb56b97345e59c7346d8f1057ed09812750b586b5a9d4066fdeee0b

SHA512
8d2311f4d2c30032462b4f18f3266a49b10ef9d99e71c3ea6dc7369be558179ea4358d2dac503682644c7de421efbb8421a6df5621cedceb09eb2193fe306816

Download Submit
memory/2332-132-0x00000000001A0000-0x00000000002E2000-memory.dmp

Filesize
1.3MB

Download
memory/2332-140-0x00000000001A0000-0x00000000002E2000-memory.dmp

Filesize
1.3MB

Download
memory/2508-133-0x0000000000000000-mapping.dmp

Download
memory/2724-135-0x0000000000000000-mapping.dmp

Download
memory/4728-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads