90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310

General

Target

90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe
Size

32KB
MD5

4a6d4ba2ca711b77cc45840752cdc553
SHA1

dccb19fddfa83ae14883bffefd599f8e2c3da0c3
SHA256

90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310
SHA512

8f789946e41770dda1818cefef869ff6be6b14c532c4cb3ef1c1a9b583d7845747c16e0e585013b6eec239faa762eb1452bb5a7a92abfdfb1bcd832d2813a9f4
SSDEEP

384:W6DcOHBUDOgHoVfbuhiaPOIyVeRPoNTd0o+vzrkvNO1jhiRacn/xuUua7yO6O6TN:zfmDyOiaWJQto5KvbmV5uUXt6QBZM

Score

8^/10

evasion upx

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1348-54-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1348-59-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
792	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
792	rundll32.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sysapp33.dll	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe
File created	C:\Windows\SysWOW64\ksuser.dll	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe
File created	C:\Windows\SysWOW64\yumidimap.dll	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe
File created	C:\Windows\SysWOW64\msimg32.dll	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe
File created	C:\Windows\SysWOW64\dllcache\msimg32.dll	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe
File created	C:\Windows\SysWOW64\yumsimg32.dll	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe
File created	C:\Windows\SysWOW64\yuksuser.dll	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe
File opened for modification	C:\Windows\SysWOW64\yuksuser.dll	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe
File created	C:\Windows\SysWOW64\dllcache\ksuser.dll	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe
File created	C:\Windows\SysWOW64\midimap.dll	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
676	sc.exe
1216	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1348	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe
1348	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe
1348	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1348	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1120	1348	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe	28
PID 1348 wrote to memory of 1120	1348	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe	28
PID 1348 wrote to memory of 1120	1348	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe	28
PID 1348 wrote to memory of 1120	1348	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe	28
PID 1348 wrote to memory of 676	1348	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe	29
PID 1348 wrote to memory of 676	1348	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe	29
PID 1348 wrote to memory of 676	1348	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe	29
PID 1348 wrote to memory of 676	1348	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe	29
PID 1348 wrote to memory of 1216	1348	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe	31
PID 1348 wrote to memory of 1216	1348	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe	31
PID 1348 wrote to memory of 1216	1348	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe	31
PID 1348 wrote to memory of 1216	1348	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe	31
PID 1348 wrote to memory of 792	1348	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe	34
PID 1348 wrote to memory of 792	1348	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe	34
PID 1348 wrote to memory of 792	1348	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe	34
PID 1348 wrote to memory of 792	1348	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe	34
PID 1348 wrote to memory of 792	1348	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe	34
PID 1348 wrote to memory of 792	1348	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe	34
PID 1348 wrote to memory of 792	1348	90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe	34
PID 1120 wrote to memory of 892	1120	net.exe	35
PID 1120 wrote to memory of 892	1120	net.exe	35
PID 1120 wrote to memory of 892	1120	net.exe	35
PID 1120 wrote to memory of 892	1120	net.exe	35

C:\Users\Admin\AppData\Local\Temp\90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe
"C:\Users\Admin\AppData\Local\Temp\90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    PID:892
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:676
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  PID:1216
- C:\Windows\SysWOW64\rundll32.exe
  C:\Users\Admin\AppData\Local\Temp\1670416077.dat, ServerMain c:\users\admin\appdata\local\temp\90876aef2f989d57419ae8100fadf0c5b226ce8e3ce28ee0ba24ba12de048310.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  PID:792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1670416077.dat

Filesize
33KB

MD5
51081a872d0893eaba8859632d44990d

SHA1
e117f915472e8da0dfedb928d84d865ddf51e9de

SHA256
eb969d0230aeb8e961e9a997abe717cfa0dba0f767d5b7aa41c722360deec5f8

SHA512
dd1dcfebc0b9d6d2ea3232b963968011a836fbb290e3ffd5f69b4e873ed45ba74b8f47fa019271ed855da9705deef728806563b1ed82ec9a6710f11349d422bb

Download Submit
\Users\Admin\AppData\Local\Temp\1670416077.dat

Filesize
33KB

MD5
51081a872d0893eaba8859632d44990d

SHA1
e117f915472e8da0dfedb928d84d865ddf51e9de

SHA256
eb969d0230aeb8e961e9a997abe717cfa0dba0f767d5b7aa41c722360deec5f8

SHA512
dd1dcfebc0b9d6d2ea3232b963968011a836fbb290e3ffd5f69b4e873ed45ba74b8f47fa019271ed855da9705deef728806563b1ed82ec9a6710f11349d422bb

Download Submit
memory/676-56-0x0000000000000000-mapping.dmp

Download
memory/792-58-0x0000000000000000-mapping.dmp

Download
memory/792-60-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/892-63-0x0000000000000000-mapping.dmp

Download
memory/1120-55-0x0000000000000000-mapping.dmp

Download
memory/1216-57-0x0000000000000000-mapping.dmp

Download
memory/1348-54-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1348-59-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing