38fae381d6a3880e39c5b6336553d55c6532be7f3b0d7ac0d2194e33a3c6c0f4

General

Target

38fae381d6a3880e39c5b6336553d55c6532be7f3b0d7ac0d2194e33a3c6c0f4.exe
Size

204KB
MD5

53663861f614b55669af1510d1b81cc5
SHA1

9910402032380721245cef733064d982763db8f0
SHA256

38fae381d6a3880e39c5b6336553d55c6532be7f3b0d7ac0d2194e33a3c6c0f4
SHA512

330bd4079ef39575de79eb6a88a9957c622383ea2aebd80de9f2eb92b3be6f4c60f82693ea0a3908d5e80e1c08016967f723652406bf6195824bfbd03544e203
SSDEEP

6144:Dz1xOecgEnOxUwWz1w4mcH+dZvF4lBFusBQ:31seJzWz1l+LI

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2860	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/868-0-0x0000000000EE0000-0x0000000000F77000-memory.dmp	upx
behavioral1/memory/868-27-0x0000000000EE0000-0x0000000000F77000-memory.dmp	upx

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowMicrosoftNET42.log	xpsrchvw.exe
File opened for modification	C:\Windows\WindowsShell07463.log	xpsrchvw.exe
File opened for modification	C:\Windows\WindowsShell50276.log	38fae381d6a3880e39c5b6336553d55c6532be7f3b0d7ac0d2194e33a3c6c0f4.exe
File opened for modification	C:\Windows\WindowSystemNewUpdate558.log	xpsrchvw.exe
File opened for modification	C:\Windows\WindowTerminalVaild136.log	xpsrchvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1028	3056	WerFault.exe	33

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2816	xpsrchvw.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	38fae381d6a3880e39c5b6336553d55c6532be7f3b0d7ac0d2194e33a3c6c0f4.exe
Token: SeDebugPrivilege	2816	xpsrchvw.exe
Token: SeIncBasePriorityPrivilege	868	38fae381d6a3880e39c5b6336553d55c6532be7f3b0d7ac0d2194e33a3c6c0f4.exe
Token: SeDebugPrivilege	2816	xpsrchvw.exe
Token: SeDebugPrivilege	2816	xpsrchvw.exe
Token: SeDebugPrivilege	2816	xpsrchvw.exe
Token: SeDebugPrivilege	2816	xpsrchvw.exe
Token: SeDebugPrivilege	2816	xpsrchvw.exe
Token: SeDebugPrivilege	2816	xpsrchvw.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 2816	868	38fae381d6a3880e39c5b6336553d55c6532be7f3b0d7ac0d2194e33a3c6c0f4.exe	28
PID 868 wrote to memory of 2816	868	38fae381d6a3880e39c5b6336553d55c6532be7f3b0d7ac0d2194e33a3c6c0f4.exe	28
PID 868 wrote to memory of 2816	868	38fae381d6a3880e39c5b6336553d55c6532be7f3b0d7ac0d2194e33a3c6c0f4.exe	28
PID 868 wrote to memory of 2816	868	38fae381d6a3880e39c5b6336553d55c6532be7f3b0d7ac0d2194e33a3c6c0f4.exe	28
PID 868 wrote to memory of 2816	868	38fae381d6a3880e39c5b6336553d55c6532be7f3b0d7ac0d2194e33a3c6c0f4.exe	28
PID 868 wrote to memory of 2816	868	38fae381d6a3880e39c5b6336553d55c6532be7f3b0d7ac0d2194e33a3c6c0f4.exe	28
PID 868 wrote to memory of 2816	868	38fae381d6a3880e39c5b6336553d55c6532be7f3b0d7ac0d2194e33a3c6c0f4.exe	28
PID 868 wrote to memory of 2860	868	38fae381d6a3880e39c5b6336553d55c6532be7f3b0d7ac0d2194e33a3c6c0f4.exe	29
PID 868 wrote to memory of 2860	868	38fae381d6a3880e39c5b6336553d55c6532be7f3b0d7ac0d2194e33a3c6c0f4.exe	29
PID 868 wrote to memory of 2860	868	38fae381d6a3880e39c5b6336553d55c6532be7f3b0d7ac0d2194e33a3c6c0f4.exe	29
PID 868 wrote to memory of 2860	868	38fae381d6a3880e39c5b6336553d55c6532be7f3b0d7ac0d2194e33a3c6c0f4.exe	29
PID 2816 wrote to memory of 3056	2816	xpsrchvw.exe	33
PID 2816 wrote to memory of 3056	2816	xpsrchvw.exe	33
PID 2816 wrote to memory of 3056	2816	xpsrchvw.exe	33
PID 2816 wrote to memory of 3056	2816	xpsrchvw.exe	33
PID 2816 wrote to memory of 3056	2816	xpsrchvw.exe	33
PID 2816 wrote to memory of 3056	2816	xpsrchvw.exe	33
PID 2816 wrote to memory of 3056	2816	xpsrchvw.exe	33
PID 3056 wrote to memory of 1028	3056	write.exe	34
PID 3056 wrote to memory of 1028	3056	write.exe	34
PID 3056 wrote to memory of 1028	3056	write.exe	34
PID 3056 wrote to memory of 1028	3056	write.exe	34

C:\Users\Admin\AppData\Local\Temp\38fae381d6a3880e39c5b6336553d55c6532be7f3b0d7ac0d2194e33a3c6c0f4.exe
"C:\Users\Admin\AppData\Local\Temp\38fae381d6a3880e39c5b6336553d55c6532be7f3b0d7ac0d2194e33a3c6c0f4.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\SysWOW64\xpsrchvw.exe
  "C:\Windows\SysWOW64\xpsrchvw.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\write.exe
    "C:\Windows\SysWOW64\write.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 120
      4⤵
      Program crash
      PID:1028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\38FAE3~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\WindowSystemNewUpdate558.log

Filesize
6KB

MD5
e781943887858b0224fff86d4d535eb9

SHA1
51af53acc731ea9ada8045d81e3882e60997954c

SHA256
63e03a935b34aaa5f6923de3846c104bc59550631775eea43cea274a89619592

SHA512
1611aa08478da65d6fc64e2ac54a9ba5bdab3963085b3815bb92b0e926450d322f90f5ae2c69bd625999bdda8856ac08f926e527e1fd85dbb8c01c36a6c635f8

Download Submit
memory/868-27-0x0000000000EE0000-0x0000000000F77000-memory.dmp

Filesize
604KB

Download
memory/868-0-0x0000000000EE0000-0x0000000000F77000-memory.dmp

Filesize
604KB

Download
memory/2816-71-0x0000000003DE0000-0x00000000042B9000-memory.dmp

Filesize
4.8MB

Download
memory/2816-190-0x000000000AF00000-0x000000000B283000-memory.dmp

Filesize
3.5MB

Download
memory/2816-176-0x000000000AF00000-0x000000000B283000-memory.dmp

Filesize
3.5MB

Download
memory/2816-9-0x0000000000200000-0x000000000021B000-memory.dmp

Filesize
108KB

Download
memory/2816-10-0x0000000000200000-0x000000000021B000-memory.dmp

Filesize
108KB

Download
memory/2816-11-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2816-4-0x0000000000080000-0x00000000000E7000-memory.dmp

Filesize
412KB

Download
memory/2816-36-0x0000000003080000-0x0000000003179000-memory.dmp

Filesize
996KB

Download
memory/2816-45-0x0000000003080000-0x0000000003179000-memory.dmp

Filesize
996KB

Download
memory/2816-44-0x0000000003080000-0x0000000003179000-memory.dmp

Filesize
996KB

Download
memory/2816-47-0x0000000003080000-0x0000000003179000-memory.dmp

Filesize
996KB

Download
memory/2816-50-0x0000000000790000-0x00000000007C8000-memory.dmp

Filesize
224KB

Download
memory/2816-59-0x0000000002B40000-0x0000000002BA6000-memory.dmp

Filesize
408KB

Download
memory/2816-3-0x0000000000080000-0x00000000000E7000-memory.dmp

Filesize
412KB

Download
memory/2816-7-0x0000000000200000-0x000000000021B000-memory.dmp

Filesize
108KB

Download
memory/2816-143-0x0000000008650000-0x00000000089F9000-memory.dmp

Filesize
3.7MB

Download
memory/2816-5-0x0000000000080000-0x00000000000E7000-memory.dmp

Filesize
412KB

Download
memory/2816-142-0x0000000003080000-0x0000000003179000-memory.dmp

Filesize
996KB

Download
memory/2816-123-0x0000000003080000-0x0000000003179000-memory.dmp

Filesize
996KB

Download
memory/2816-127-0x0000000003080000-0x0000000003179000-memory.dmp

Filesize
996KB

Download
memory/2816-128-0x0000000003080000-0x0000000003179000-memory.dmp

Filesize
996KB

Download
memory/2816-129-0x0000000003080000-0x0000000003179000-memory.dmp

Filesize
996KB

Download
memory/2816-130-0x0000000003080000-0x0000000003179000-memory.dmp

Filesize
996KB

Download
memory/2816-131-0x0000000003080000-0x0000000003179000-memory.dmp

Filesize
996KB

Download
memory/2816-2-0x0000000000080000-0x00000000000E7000-memory.dmp

Filesize
412KB

Download
memory/2816-134-0x0000000003080000-0x0000000003179000-memory.dmp

Filesize
996KB

Download
memory/2816-135-0x0000000003080000-0x0000000003179000-memory.dmp

Filesize
996KB

Download
memory/3056-111-0x0000000000190000-0x000000000079C000-memory.dmp

Filesize
6.0MB

Download
memory/3056-106-0x0000000000190000-0x000000000079C000-memory.dmp

Filesize
6.0MB

Download
memory/3056-104-0x0000000000190000-0x000000000079C000-memory.dmp

Filesize
6.0MB

Download
memory/3056-105-0x0000000000190000-0x000000000079C000-memory.dmp

Filesize
6.0MB

Download

Analysis

Sharing