54571320426a0f36f419e5befe7ac5e3b49016d2dbc50ab885d21c28daa58dc0

General

Target

54571320426a0f36f419e5befe7ac5e3b49016d2dbc50ab885d21c28daa58dc0.exe
Size

2.0MB
MD5

a9421faf1985369e29d62098607516e8
SHA1

6558ae4bc75d66329743cf49d93b27edaed24ec5
SHA256

54571320426a0f36f419e5befe7ac5e3b49016d2dbc50ab885d21c28daa58dc0
SHA512

373d67dc48759f425d92505c009f4776741186e96c2cbccbe9cb605a8bec1f853370327e0c1cc3661ab6c8af0a57d8ba7aec130cd6f42b2ce208e0fb3dde2ff8
SSDEEP

49152:G2Acn9CkZ0X2hff/yC3G/9zzvNtstzVeW:cyrpR3fgzjOVeW

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1736	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2676-0-0x0000000000D00000-0x0000000000E38000-memory.dmp	upx
behavioral1/memory/2676-37-0x0000000000D00000-0x0000000000E38000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsShell20806.log	54571320426a0f36f419e5befe7ac5e3b49016d2dbc50ab885d21c28daa58dc0.exe
File opened for modification	C:\Windows\WindowSystemNewUpdate221.log	cmmon32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	54571320426a0f36f419e5befe7ac5e3b49016d2dbc50ab885d21c28daa58dc0.exe
Token: SeDebugPrivilege	2400	cmmon32.exe
Token: SeIncBasePriorityPrivilege	2676	54571320426a0f36f419e5befe7ac5e3b49016d2dbc50ab885d21c28daa58dc0.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2400	2676	54571320426a0f36f419e5befe7ac5e3b49016d2dbc50ab885d21c28daa58dc0.exe	28
PID 2676 wrote to memory of 2400	2676	54571320426a0f36f419e5befe7ac5e3b49016d2dbc50ab885d21c28daa58dc0.exe	28
PID 2676 wrote to memory of 2400	2676	54571320426a0f36f419e5befe7ac5e3b49016d2dbc50ab885d21c28daa58dc0.exe	28
PID 2676 wrote to memory of 2400	2676	54571320426a0f36f419e5befe7ac5e3b49016d2dbc50ab885d21c28daa58dc0.exe	28
PID 2676 wrote to memory of 2400	2676	54571320426a0f36f419e5befe7ac5e3b49016d2dbc50ab885d21c28daa58dc0.exe	28
PID 2676 wrote to memory of 2400	2676	54571320426a0f36f419e5befe7ac5e3b49016d2dbc50ab885d21c28daa58dc0.exe	28
PID 2676 wrote to memory of 2400	2676	54571320426a0f36f419e5befe7ac5e3b49016d2dbc50ab885d21c28daa58dc0.exe	28
PID 2676 wrote to memory of 1736	2676	54571320426a0f36f419e5befe7ac5e3b49016d2dbc50ab885d21c28daa58dc0.exe	29
PID 2676 wrote to memory of 1736	2676	54571320426a0f36f419e5befe7ac5e3b49016d2dbc50ab885d21c28daa58dc0.exe	29
PID 2676 wrote to memory of 1736	2676	54571320426a0f36f419e5befe7ac5e3b49016d2dbc50ab885d21c28daa58dc0.exe	29
PID 2676 wrote to memory of 1736	2676	54571320426a0f36f419e5befe7ac5e3b49016d2dbc50ab885d21c28daa58dc0.exe	29

C:\Users\Admin\AppData\Local\Temp\54571320426a0f36f419e5befe7ac5e3b49016d2dbc50ab885d21c28daa58dc0.exe
"C:\Users\Admin\AppData\Local\Temp\54571320426a0f36f419e5befe7ac5e3b49016d2dbc50ab885d21c28daa58dc0.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\545713~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2400-22-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/2400-45-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/2400-25-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/2400-4-0x00000000001E0000-0x00000000002E8000-memory.dmp

Filesize
1.0MB

Download
memory/2400-5-0x00000000001E0000-0x00000000002E8000-memory.dmp

Filesize
1.0MB

Download
memory/2400-7-0x0000000000090000-0x00000000000AB000-memory.dmp

Filesize
108KB

Download
memory/2400-9-0x0000000000090000-0x00000000000AB000-memory.dmp

Filesize
108KB

Download
memory/2400-10-0x0000000000090000-0x00000000000AB000-memory.dmp

Filesize
108KB

Download
memory/2400-11-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/2400-26-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/2400-3-0x00000000001E0000-0x00000000002E8000-memory.dmp

Filesize
1.0MB

Download
memory/2400-2-0x00000000001E0000-0x00000000002E8000-memory.dmp

Filesize
1.0MB

Download
memory/2400-19-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/2400-28-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/2400-30-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/2400-29-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/2400-31-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/2400-32-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/2400-34-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/2400-40-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/2400-39-0x0000000010000000-0x00000000100F8000-memory.dmp

Filesize
992KB

Download
memory/2676-37-0x0000000000D00000-0x0000000000E38000-memory.dmp

Filesize
1.2MB

Download
memory/2676-0-0x0000000000D00000-0x0000000000E38000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing