236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac

General

Target

236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe
Size

975KB
MD5

5847b9ede173b9906cd97d16d8f439ae
SHA1

252e1ef6da885fdd3b730ac7d37d3f062aed9b69
SHA256

236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac
SHA512

49caf512a6b6c07a0f949dc45eb8b803658ce5f98c0b0382468dd1fe5372a19d69eeff0bf7a488f4f91f8334342b1f5f45a342394c4450ed24d619b34c7615c1
SSDEEP

6144:aZ7l+qrvVra1h+9tbZ8WyAJe/V0TUJp9497AXJRpte6ECZkgwTSkne8CpiKk:cro1s9tWmetKw9qsHptemz7kne8CY

Score

8^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ichcqji = "C:\\Windows\\SysWOW64\\wkscli3.exe"	236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe

Executes dropped EXE 1 IoCs

Processes:

wkscli3.exe

pid process

1940 wkscli3.exe

pid	process
1940	wkscli3.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1444-56-0x0000000000500000-0x00000000005B9000-memory.dmp	upx
behavioral1/memory/1444-59-0x0000000000500000-0x00000000005B9000-memory.dmp	upx
behavioral1/memory/1444-60-0x0000000000500000-0x00000000005B9000-memory.dmp	upx
behavioral1/memory/1444-61-0x0000000000260000-0x00000000002B3000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

772 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe

pid process

1444 236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
772	cmd.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe

Drops file in System32 directory 2 IoCs

Processes:

236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wkscli3.exe	236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe
File opened for modification	C:\Windows\SysWOW64\wkscli3.exe	236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exewkscli3.exe

pid	process
1444	236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe
1444	236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe
1940	wkscli3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exewkscli3.exe

description	pid	process
Token: SeDebugPrivilege	1444	236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe
Token: SeDebugPrivilege	1940	wkscli3.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe

description	pid	process	target process
PID 1444 wrote to memory of 1940	1444	236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe	wkscli3.exe
PID 1444 wrote to memory of 1940	1444	236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe	wkscli3.exe
PID 1444 wrote to memory of 1940	1444	236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe	wkscli3.exe
PID 1444 wrote to memory of 1940	1444	236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe	wkscli3.exe
PID 1444 wrote to memory of 772	1444	236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe	cmd.exe
PID 1444 wrote to memory of 772	1444	236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe	cmd.exe
PID 1444 wrote to memory of 772	1444	236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe	cmd.exe
PID 1444 wrote to memory of 772	1444	236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe
"C:\Users\Admin\AppData\Local\Temp\236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe"
1⤵
- Adds policy Run key to start application
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\wkscli3.exe
C:\Windows\SysWOW64\wkscli3.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\SysWOW64\cmd.exe
/c C:\Users\Admin\AppData\Local\Temp\~unins1189.bat "C:\Users\Admin\AppData\Local\Temp\236eb4b6c7cc5e270e4540f23c78a255b502f78c5f19fed1c476963935e816ac.exe"
2⤵
- Deletes itself
PID:772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~unins1189.bat

Filesize
49B

MD5
9e0a2f5ab30517809b95a1ff1dd98c53

SHA1
5c1eefdf10e67d1e9216e2e3f5e92352d583c9ce

SHA256
97ac9fee75a1f7b63b3115e9c4fb9dda80b1caba26d2fb51325670dee261fe32

SHA512
e959cc1fd48fb1cccf135a697924c775a3812bab211fc7f9b00c5a9d617261d84c5d6f7cb548774c1e8f46811b06ca39c5603d0e10cbcb7b805f9abbe49b9b42

Download Submit
C:\Windows\SysWOW64\wkscli3.exe

Filesize
226KB

MD5
28cbb63122918ee66b0f29fcff378490

SHA1
e8fda0f306cd9055e4c69a699688282dafc863be

SHA256
4f7d07a9d951ea1640b8ae4e7e86a941017169a2a390bf084e6deb498cf3ded9

SHA512
4b9fb369b9a5e9ae7ea1f38c995e8ee8eb1ba2c45b01e69ba902e0a02c8d0ce8fc1e024f8ea141bdd45a61b24184f0d614b1bbd7f485e43a18d8020b1b252b90

Download Submit
C:\Windows\SysWOW64\wkscli3.exe

Filesize
226KB

MD5
28cbb63122918ee66b0f29fcff378490

SHA1
e8fda0f306cd9055e4c69a699688282dafc863be

SHA256
4f7d07a9d951ea1640b8ae4e7e86a941017169a2a390bf084e6deb498cf3ded9

SHA512
4b9fb369b9a5e9ae7ea1f38c995e8ee8eb1ba2c45b01e69ba902e0a02c8d0ce8fc1e024f8ea141bdd45a61b24184f0d614b1bbd7f485e43a18d8020b1b252b90

Download Submit
\Windows\SysWOW64\wkscli3.exe

Filesize
226KB

MD5
28cbb63122918ee66b0f29fcff378490

SHA1
e8fda0f306cd9055e4c69a699688282dafc863be

SHA256
4f7d07a9d951ea1640b8ae4e7e86a941017169a2a390bf084e6deb498cf3ded9

SHA512
4b9fb369b9a5e9ae7ea1f38c995e8ee8eb1ba2c45b01e69ba902e0a02c8d0ce8fc1e024f8ea141bdd45a61b24184f0d614b1bbd7f485e43a18d8020b1b252b90

Download Submit
memory/772-69-0x0000000000000000-mapping.dmp

Download
memory/1444-62-0x0000000000566000-0x00000000005B8000-memory.dmp

Filesize
328KB

Download
memory/1444-72-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/1444-63-0x0000000000501000-0x0000000000566000-memory.dmp

Filesize
404KB

Download
memory/1444-54-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1444-76-0x0000000000566000-0x00000000005B8000-memory.dmp

Filesize
328KB

Download
memory/1444-60-0x0000000000500000-0x00000000005B9000-memory.dmp

Filesize
740KB

Download
memory/1444-59-0x0000000000500000-0x00000000005B9000-memory.dmp

Filesize
740KB

Download
memory/1444-56-0x0000000000500000-0x00000000005B9000-memory.dmp

Filesize
740KB

Download
memory/1444-55-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1444-74-0x0000000000501000-0x0000000000566000-memory.dmp

Filesize
404KB

Download
memory/1444-61-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/1444-73-0x0000000000566000-0x00000000005B8000-memory.dmp

Filesize
328KB

Download
memory/1940-71-0x0000000074600000-0x0000000074BAB000-memory.dmp

Filesize
5.7MB

Download
memory/1940-75-0x0000000074600000-0x0000000074BAB000-memory.dmp

Filesize
5.7MB

Download
memory/1940-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads