8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f

General

Target

8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe
Size

34KB
MD5

3addd22d60cfcbaa1226e6740527f2d7
SHA1

41b37a1d1b6398ed5bb6ffd11b08786a31fa2d87
SHA256

8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f
SHA512

f601de3f430581db210a5285b73a07f906ccb74bc2c8fe6d19650537aab38262ec11d5c89fcb0f27a36118a46243c69e4f36e992029a7371a1cb228d312181db
SSDEEP

768:d7YzkHpKg7e/GAJQdEzpRlbRvB/z8L7mjLiZWM:dpHrTAfpRBRJ/z8L7ALiZW

Score

8^/10

evasion upx

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1008-132-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1008-137-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
812	rundll32.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ksuser.dll	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe
File created	C:\Windows\SysWOW64\dllcache\ksuser.dll	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe
File created	C:\Windows\SysWOW64\midimap.dll	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe
File created	C:\Windows\SysWOW64\sysapp1.dll	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe
File created	C:\Windows\SysWOW64\yuksuser.dll	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe
File opened for modification	C:\Windows\SysWOW64\yuksuser.dll	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe
File created	C:\Windows\SysWOW64\yumidimap.dll	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe
File created	C:\Windows\SysWOW64\yumsimg32.dll	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe
File created	C:\Windows\SysWOW64\msimg32.dll	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe
File created	C:\Windows\SysWOW64\dllcache\msimg32.dll	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2344	sc.exe
3068	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1008	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe
1008	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe
1008	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe
1008	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe
1008	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe
1008	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1008	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 3604	1008	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe	82
PID 1008 wrote to memory of 3604	1008	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe	82
PID 1008 wrote to memory of 3604	1008	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe	82
PID 1008 wrote to memory of 2344	1008	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe	83
PID 1008 wrote to memory of 2344	1008	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe	83
PID 1008 wrote to memory of 2344	1008	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe	83
PID 1008 wrote to memory of 3068	1008	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe	85
PID 1008 wrote to memory of 3068	1008	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe	85
PID 1008 wrote to memory of 3068	1008	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe	85
PID 1008 wrote to memory of 812	1008	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe	88
PID 1008 wrote to memory of 812	1008	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe	88
PID 1008 wrote to memory of 812	1008	8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe	88
PID 3604 wrote to memory of 3436	3604	net.exe	90
PID 3604 wrote to memory of 3436	3604	net.exe	90
PID 3604 wrote to memory of 3436	3604	net.exe	90

C:\Users\Admin\AppData\Local\Temp\8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe
"C:\Users\Admin\AppData\Local\Temp\8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    PID:3436
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2344
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  PID:3068
- C:\Windows\SysWOW64\rundll32.exe
  C:\Users\Admin\AppData\Local\Temp\1670681350.dat, ServerMain c:\users\admin\appdata\local\temp\8367323841b0d0b1cd9db841364e1ed0cd0095846ebda06ecefcb69998a6bb0f.exe
  2⤵
  - Loads dropped DLL
  PID:812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1670681350.dat

Filesize
35KB

MD5
5afc45866037cd9d8d51a076eb35c933

SHA1
5800d4ca69501a584baed23eeb32dcadb71de6bd

SHA256
e6b64cc9ff63d2af0e1ddd1c7d291eb033b6525a04f5f049de9c5b8ffe568c3e

SHA512
e3926e4265a36878636f4787937ad9f6bc6f451b7f9979a912c0d0eb5aa4b8b490b42ee7cec25bc89af83ded119ac49e09d299c4f06f5c926e40f5631a4628f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1670681350.dat

Filesize
35KB

MD5
5afc45866037cd9d8d51a076eb35c933

SHA1
5800d4ca69501a584baed23eeb32dcadb71de6bd

SHA256
e6b64cc9ff63d2af0e1ddd1c7d291eb033b6525a04f5f049de9c5b8ffe568c3e

SHA512
e3926e4265a36878636f4787937ad9f6bc6f451b7f9979a912c0d0eb5aa4b8b490b42ee7cec25bc89af83ded119ac49e09d299c4f06f5c926e40f5631a4628f0

Download Submit
memory/1008-132-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1008-137-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing