2134cfdc623adc94846e2c280fb84e912fb2bd3874f6b282d0498fc12c85a9d9

General

Target

2134cfdc623adc94846e2c280fb84e912fb2bd3874f6b282d0498fc12c85a9d9.exe
Size

1.1MB
MD5

254a23c9d45ef94289d03ed0cf63fd76
SHA1

ccd8cf4f3cea84126cdb1a81722c3b03571d061e
SHA256

2134cfdc623adc94846e2c280fb84e912fb2bd3874f6b282d0498fc12c85a9d9
SHA512

9991b5d469cff35e7153cc9adc4ddb48ad700fa233ac428d9c29a4833c799bcc754115c51d623762ec875cc12ecde5068e9604b010039b18a58e06109d87a78b
SSDEEP

24576:hq33EF4BUNIUZgOkgt28T84xU2++++L+++++++++t++++++++++++4+++++++++a:hqkF4W3ke28TvxU2++++L+++++++++to

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

unsecapp.exe

pid process

1476 unsecapp.exe

pid	process
1476	unsecapp.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1484-54-0x0000000000400000-0x0000000000683000-memory.dmp	upx
behavioral1/memory/1484-56-0x0000000000400000-0x0000000000683000-memory.dmp	upx
behavioral1/memory/1484-60-0x0000000000400000-0x0000000000683000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

2134cfdc623adc94846e2c280fb84e912fb2bd3874f6b282d0498fc12c85a9d9.exe

pid	process
1484	2134cfdc623adc94846e2c280fb84e912fb2bd3874f6b282d0498fc12c85a9d9.exe
1484	2134cfdc623adc94846e2c280fb84e912fb2bd3874f6b282d0498fc12c85a9d9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2134cfdc623adc94846e2c280fb84e912fb2bd3874f6b282d0498fc12c85a9d9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft® Windows® Operating System = "wuaumgr.exe"	2134cfdc623adc94846e2c280fb84e912fb2bd3874f6b282d0498fc12c85a9d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft® Windows® Operating System = "C:\\Windows\\SysWOW64\\unsecapp.exe \"wuaumgr.exe\" /D01 /H"	2134cfdc623adc94846e2c280fb84e912fb2bd3874f6b282d0498fc12c85a9d9.exe

Drops file in System32 directory 5 IoCs

Processes:

2134cfdc623adc94846e2c280fb84e912fb2bd3874f6b282d0498fc12c85a9d9.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wuaumgr.exe	2134cfdc623adc94846e2c280fb84e912fb2bd3874f6b282d0498fc12c85a9d9.exe
File opened for modification	C:\Windows\SysWOW64\wucltuip.dll	2134cfdc623adc94846e2c280fb84e912fb2bd3874f6b282d0498fc12c85a9d9.exe
File created	C:\Windows\SysWOW64\unsecapp.exe	2134cfdc623adc94846e2c280fb84e912fb2bd3874f6b282d0498fc12c85a9d9.exe
File created	C:\Windows\SysWOW64\wucltuip.dll	2134cfdc623adc94846e2c280fb84e912fb2bd3874f6b282d0498fc12c85a9d9.exe
File created	C:\Windows\SysWOW64\wuaumgr.exe	2134cfdc623adc94846e2c280fb84e912fb2bd3874f6b282d0498fc12c85a9d9.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2134cfdc623adc94846e2c280fb84e912fb2bd3874f6b282d0498fc12c85a9d9.exe

description	pid	process	target process
PID 1484 wrote to memory of 1476	1484	2134cfdc623adc94846e2c280fb84e912fb2bd3874f6b282d0498fc12c85a9d9.exe	unsecapp.exe
PID 1484 wrote to memory of 1476	1484	2134cfdc623adc94846e2c280fb84e912fb2bd3874f6b282d0498fc12c85a9d9.exe	unsecapp.exe
PID 1484 wrote to memory of 1476	1484	2134cfdc623adc94846e2c280fb84e912fb2bd3874f6b282d0498fc12c85a9d9.exe	unsecapp.exe
PID 1484 wrote to memory of 1476	1484	2134cfdc623adc94846e2c280fb84e912fb2bd3874f6b282d0498fc12c85a9d9.exe	unsecapp.exe

C:\Users\Admin\AppData\Local\Temp\2134cfdc623adc94846e2c280fb84e912fb2bd3874f6b282d0498fc12c85a9d9.exe
"C:\Users\Admin\AppData\Local\Temp\2134cfdc623adc94846e2c280fb84e912fb2bd3874f6b282d0498fc12c85a9d9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\SysWOW64\unsecapp.exe
  "wuaumgr.exe" /D1080 /H
  2⤵
  - Executes dropped EXE
  PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\unsecapp.exe

Filesize
44KB

MD5
3e7b2657393716b9f458417c3d62b474

SHA1
8552367d6f3a7d5359f2e0c84a39d908dfe34fa8

SHA256
122276627810509260d8a3504f3f9e437158a5415fceda25cc07db706a7dd3df

SHA512
cddd5dc3a9fd264979ff5f39bbe065edb47df9126f052e6bdcd65f5f27026cfa950eace81b02da7e173e25dd5736cddf8469d0a4f28e3f62104293ba99d7fe7f

Download Submit
\Windows\SysWOW64\unsecapp.exe

Filesize
44KB

MD5
3e7b2657393716b9f458417c3d62b474

SHA1
8552367d6f3a7d5359f2e0c84a39d908dfe34fa8

SHA256
122276627810509260d8a3504f3f9e437158a5415fceda25cc07db706a7dd3df

SHA512
cddd5dc3a9fd264979ff5f39bbe065edb47df9126f052e6bdcd65f5f27026cfa950eace81b02da7e173e25dd5736cddf8469d0a4f28e3f62104293ba99d7fe7f

Download Submit
\Windows\SysWOW64\unsecapp.exe

Filesize
44KB

MD5
3e7b2657393716b9f458417c3d62b474

SHA1
8552367d6f3a7d5359f2e0c84a39d908dfe34fa8

SHA256
122276627810509260d8a3504f3f9e437158a5415fceda25cc07db706a7dd3df

SHA512
cddd5dc3a9fd264979ff5f39bbe065edb47df9126f052e6bdcd65f5f27026cfa950eace81b02da7e173e25dd5736cddf8469d0a4f28e3f62104293ba99d7fe7f

Download Submit
memory/1476-58-0x0000000000000000-mapping.dmp

Download
memory/1484-54-0x0000000000400000-0x0000000000683000-memory.dmp

Filesize
2.5MB

Download
memory/1484-56-0x0000000000400000-0x0000000000683000-memory.dmp

Filesize
2.5MB

Download
memory/1484-60-0x0000000000400000-0x0000000000683000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads