a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f

General

Target

a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe
Size

20KB
MD5

25e6e867b08bc91d8ca831f6c23f3652
SHA1

8ce8a45b06ab5d13ff7ad77fed6c9f2b7e06b1ef
SHA256

a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f
SHA512

45f7d23ac43541b543fe909378b2e8d4099c4e4fe97c7edb1ec24099ba3f79c5174f08007446979f1ef70d664368e0e31427e6b76e724c243fb78182280ec606
SSDEEP

96:xo7+1EsyLMa7ZiJzmnsIgeuLrGsqUTPf9nNhHDsxTmmLMugN:M0EnMaMNRrGsqUxNhHDYTmsMugN

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1776-58-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/1776-62-0x0000000000400000-0x0000000000407000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	Rundll32.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	Rundll32.exe
File created	C:\Windows\taskmanager.bat	a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe
File opened for modification	C:\Windows\taskmanager.bat	a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	1732	Rundll32.exe
Token: SeRestorePrivilege	1732	Rundll32.exe
Token: SeRestorePrivilege	1732	Rundll32.exe
Token: SeRestorePrivilege	1732	Rundll32.exe
Token: SeRestorePrivilege	1732	Rundll32.exe
Token: SeRestorePrivilege	1732	Rundll32.exe
Token: SeRestorePrivilege	1732	Rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1776	a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 1732	1776	a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe	28
PID 1776 wrote to memory of 1732	1776	a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe	28
PID 1776 wrote to memory of 1732	1776	a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe	28
PID 1776 wrote to memory of 1732	1776	a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe	28
PID 1776 wrote to memory of 1732	1776	a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe	28
PID 1776 wrote to memory of 1732	1776	a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe	28
PID 1776 wrote to memory of 1732	1776	a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe	28
PID 1732 wrote to memory of 1536	1732	Rundll32.exe	29
PID 1732 wrote to memory of 1536	1732	Rundll32.exe	29
PID 1732 wrote to memory of 1536	1732	Rundll32.exe	29
PID 1732 wrote to memory of 1536	1732	Rundll32.exe	29
PID 1536 wrote to memory of 1468	1536	runonce.exe	30
PID 1536 wrote to memory of 1468	1536	runonce.exe	30
PID 1536 wrote to memory of 1468	1536	runonce.exe	30
PID 1536 wrote to memory of 1468	1536	runonce.exe	30

C:\Users\Admin\AppData\Local\Temp\a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe
"C:\Users\Admin\AppData\Local\Temp\a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\gskh83jejh4.inf
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\runonce.exe
    "C:\Windows\system32\runonce.exe" -r
    3⤵
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Windows\SysWOW64\grpconv.exe
      "C:\Windows\System32\grpconv.exe" -o
      4⤵
      PID:1468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gskh83jejh4.inf

Filesize
361B

MD5
618642199b4ebd8d873330dad867dde6

SHA1
2c5c409ef3f7f39850779d998338a2b29cb919f3

SHA256
7bfed1c63032c382904af6a219b4660fbb562b3d3a36797c824aedc034f8a108

SHA512
eda5a9ef387caf84949b490e7a2d2fd602e412141e2d81d2fe13fd4b4925dea662c65a3d6bc548de2f42d117986a6ee174ecca1c57555fb32dfb5bb9bce1e53a

Download Submit
memory/1732-57-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/1776-58-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1776-62-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing