17c6946ddf2f544fbc929482982011ec2d563379d0f0276afa56285ac954065e

General

Target

17c6946ddf2f544fbc929482982011ec2d563379d0f0276afa56285ac954065e.exe
Size

317KB
MD5

9968ae67d9561aa03a55814cf0451e48
SHA1

b2773a4fd589173afc3b4d4442f0e33bf035f51e
SHA256

17c6946ddf2f544fbc929482982011ec2d563379d0f0276afa56285ac954065e
SHA512

c5b00ff5bad07c4e3ea595886a1fcd82633f57a028321ff0a6c4862a7c4b2da37cd8bc1e45cf4e84ce07e980f06697fbe78a0890691a5d468e92710ef4e5e290
SSDEEP

6144:dXTv1tm1gq6PBNELGsrIHXuAzW6dkrTwSE0oAR2/y4l9jxSi2ohp5rn4d1x:dDve1NuNEyBXja6dkrcnqyz9jp/rn+

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2088	lGnKlCc08400.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1060-132-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/1060-134-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/1060-135-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/2088-142-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/1060-143-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/2088-144-0x0000000000400000-0x00000000004B4000-memory.dmp	upx

Program crash 14 IoCs

pid	pid_target	Process	procid_target
1484	1060	WerFault.exe	81
3448	2088	WerFault.exe	82
216	1060	WerFault.exe	81
4332	2088	WerFault.exe	82
3156	2088	WerFault.exe	82
1064	1060	WerFault.exe	81
3668	2088	WerFault.exe	82
3020	1060	WerFault.exe	81
2884	1060	WerFault.exe	81
5060	2088	WerFault.exe	82
1176	1060	WerFault.exe	81
4420	2088	WerFault.exe	82
4380	1060	WerFault.exe	81
4704	2088	WerFault.exe	82

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1060	17c6946ddf2f544fbc929482982011ec2d563379d0f0276afa56285ac954065e.exe
Token: SeDebugPrivilege	2088	lGnKlCc08400.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 2088	1060	17c6946ddf2f544fbc929482982011ec2d563379d0f0276afa56285ac954065e.exe	82
PID 1060 wrote to memory of 2088	1060	17c6946ddf2f544fbc929482982011ec2d563379d0f0276afa56285ac954065e.exe	82
PID 1060 wrote to memory of 2088	1060	17c6946ddf2f544fbc929482982011ec2d563379d0f0276afa56285ac954065e.exe	82

C:\Users\Admin\AppData\Local\Temp\17c6946ddf2f544fbc929482982011ec2d563379d0f0276afa56285ac954065e.exe
"C:\Users\Admin\AppData\Local\Temp\17c6946ddf2f544fbc929482982011ec2d563379d0f0276afa56285ac954065e.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060
- C:\ProgramData\lGnKlCc08400\lGnKlCc08400.exe
  "C:\ProgramData\lGnKlCc08400\lGnKlCc08400.exe" "C:\Users\Admin\AppData\Local\Temp\17c6946ddf2f544fbc929482982011ec2d563379d0f0276afa56285ac954065e.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 764
    3⤵
    - Program crash
    PID:3448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 772
    3⤵
    - Program crash
    PID:4332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 732
    3⤵
    - Program crash
    PID:3156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 772
    3⤵
    - Program crash
    PID:3668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 928
    3⤵
    - Program crash
    PID:5060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 964
    3⤵
    - Program crash
    PID:4420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1196
    3⤵
    - Program crash
    PID:4704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 628
  2⤵
  - Program crash
  PID:1484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 788
  2⤵
  - Program crash
  PID:216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 796
  2⤵
  - Program crash
  PID:1064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 788
  2⤵
  - Program crash
  PID:3020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 844
  2⤵
  - Program crash
  PID:2884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1000
  2⤵
  - Program crash
  PID:1176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1036
  2⤵
  - Program crash
  PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1060 -ip 1060
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2088 -ip 2088
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1060 -ip 1060
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2088 -ip 2088
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2088 -ip 2088
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1060 -ip 1060
1⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2088 -ip 2088
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1060 -ip 1060
1⤵
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1060 -ip 1060
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2088 -ip 2088
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1060 -ip 1060
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1060 -ip 1060
1⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 2088 -ip 2088
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2088 -ip 2088
1⤵
PID:2664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\lGnKlCc08400\lGnKlCc08400.exe

Filesize
317KB

MD5
b5a181c8d51a196f85a15dbb3d2f0675

SHA1
f1061836ff469fd298aef46d5ea48d256a2518d4

SHA256
de14609a6643ebeeb214270cd6222217ef635a2aa0b03b411152f517c1922fdb

SHA512
7b2693e96f048270a911e2a8e0287d458bec3a287298201f29ee68ed2657a45d7e105228f126171df5acf43f44b5a1251218a9a867263c3fb468900d960fb664

Download Submit
C:\ProgramData\lGnKlCc08400\lGnKlCc08400.exe

Filesize
317KB

MD5
b5a181c8d51a196f85a15dbb3d2f0675

SHA1
f1061836ff469fd298aef46d5ea48d256a2518d4

SHA256
de14609a6643ebeeb214270cd6222217ef635a2aa0b03b411152f517c1922fdb

SHA512
7b2693e96f048270a911e2a8e0287d458bec3a287298201f29ee68ed2657a45d7e105228f126171df5acf43f44b5a1251218a9a867263c3fb468900d960fb664

Download Submit
memory/1060-132-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1060-134-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1060-135-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1060-143-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2088-142-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2088-144-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing