2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898

General

Target

2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe
Size

4.7MB
MD5

612a0c79384cc3700330cc3923421c01
SHA1

cda933214d642a7b43ff1d7ab02951c07052c0ff
SHA256

2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898
SHA512

6e4821f6523e02387cdf337ceb3abbd402377e8593adffb8183d8c825cbce7a3e98e1fc3c7dc6658241d138df9c53b6efc4197cd5afec23023f6dcb50e047429
SSDEEP

49152:kzPXPwh11sXIAyT9tN93ns5SkP2lS1mdM03aT1Pa5///mPpGoIF:kvPs1sByTM5SQrWM03o1a5LoQ

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2480-0-0x0000000000990000-0x0000000000A27000-memory.dmp	upx
behavioral1/memory/2480-29-0x0000000000990000-0x0000000000A27000-memory.dmp	upx
behavioral1/memory/2480-38-0x0000000000990000-0x0000000000A27000-memory.dmp	upx
behavioral1/memory/2480-40-0x0000000000990000-0x0000000000A27000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsShell87440.log	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe
File opened for modification	C:\Windows\WindowSystemNewUpdate320.log	icardagt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2700	2036	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe
Token: SeDebugPrivilege	2796	icardagt.exe
Token: SeIncBasePriorityPrivilege	2480	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe
Token: SeDebugPrivilege	2796	icardagt.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2036	2480	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	28
PID 2480 wrote to memory of 2036	2480	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	28
PID 2480 wrote to memory of 2036	2480	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	28
PID 2480 wrote to memory of 2036	2480	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	28
PID 2480 wrote to memory of 2036	2480	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	28
PID 2480 wrote to memory of 2036	2480	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	28
PID 2480 wrote to memory of 2036	2480	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	28
PID 2480 wrote to memory of 2036	2480	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	28
PID 2480 wrote to memory of 2036	2480	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	28
PID 2480 wrote to memory of 2036	2480	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	28
PID 2036 wrote to memory of 2700	2036	wusa.exe	29
PID 2036 wrote to memory of 2700	2036	wusa.exe	29
PID 2036 wrote to memory of 2700	2036	wusa.exe	29
PID 2036 wrote to memory of 2700	2036	wusa.exe	29
PID 2480 wrote to memory of 2796	2480	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	30
PID 2480 wrote to memory of 2796	2480	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	30
PID 2480 wrote to memory of 2796	2480	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	30
PID 2480 wrote to memory of 2796	2480	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	30
PID 2480 wrote to memory of 2796	2480	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	30
PID 2480 wrote to memory of 2796	2480	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	30
PID 2480 wrote to memory of 2796	2480	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	30
PID 2480 wrote to memory of 2844	2480	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	31
PID 2480 wrote to memory of 2844	2480	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	31
PID 2480 wrote to memory of 2844	2480	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	31
PID 2480 wrote to memory of 2844	2480	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	31

C:\Users\Admin\AppData\Local\Temp\2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe
"C:\Users\Admin\AppData\Local\Temp\2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\SysWOW64\wusa.exe
  "C:\Windows\SysWOW64\wusa.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 168
    3⤵
    - Program crash
    PID:2700
- C:\Windows\SysWOW64\icardagt.exe
  "C:\Windows\SysWOW64\icardagt.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2DFD42~1.EXE > nul
  2⤵
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2036-2-0x0000000000090000-0x00000000000F7000-memory.dmp

Filesize
412KB

Download
memory/2036-4-0x0000000000090000-0x00000000000F7000-memory.dmp

Filesize
412KB

Download
memory/2036-6-0x0000000000090000-0x00000000000F7000-memory.dmp

Filesize
412KB

Download
memory/2036-7-0x0000000000090000-0x00000000000F7000-memory.dmp

Filesize
412KB

Download
memory/2480-29-0x0000000000990000-0x0000000000A27000-memory.dmp

Filesize
604KB

Download
memory/2480-40-0x0000000000990000-0x0000000000A27000-memory.dmp

Filesize
604KB

Download
memory/2480-0-0x0000000000990000-0x0000000000A27000-memory.dmp

Filesize
604KB

Download
memory/2480-38-0x0000000000990000-0x0000000000A27000-memory.dmp

Filesize
604KB

Download
memory/2796-14-0x00000000002D0000-0x00000000002EB000-memory.dmp

Filesize
108KB

Download
memory/2796-60-0x00000000034B0000-0x00000000035A9000-memory.dmp

Filesize
996KB

Download
memory/2796-17-0x00000000002D0000-0x00000000002EB000-memory.dmp

Filesize
108KB

Download
memory/2796-16-0x00000000002D0000-0x00000000002EB000-memory.dmp

Filesize
108KB

Download
memory/2796-12-0x00000000001F0000-0x0000000000257000-memory.dmp

Filesize
412KB

Download
memory/2796-46-0x00000000034B0000-0x00000000035A9000-memory.dmp

Filesize
996KB

Download
memory/2796-55-0x00000000034B0000-0x00000000035A9000-memory.dmp

Filesize
996KB

Download
memory/2796-54-0x00000000034B0000-0x00000000035A9000-memory.dmp

Filesize
996KB

Download
memory/2796-57-0x00000000034B0000-0x00000000035A9000-memory.dmp

Filesize
996KB

Download
memory/2796-18-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2796-62-0x00000000034B0000-0x00000000035A9000-memory.dmp

Filesize
996KB

Download
memory/2796-63-0x00000000034B0000-0x00000000035A9000-memory.dmp

Filesize
996KB

Download
memory/2796-64-0x00000000034B0000-0x00000000035A9000-memory.dmp

Filesize
996KB

Download
memory/2796-65-0x00000000034B0000-0x00000000035A9000-memory.dmp

Filesize
996KB

Download
memory/2796-67-0x00000000034B0000-0x00000000035A9000-memory.dmp

Filesize
996KB

Download
memory/2796-68-0x00000000034B0000-0x00000000035A9000-memory.dmp

Filesize
996KB

Download
memory/2796-69-0x00000000034B0000-0x00000000035A9000-memory.dmp

Filesize
996KB

Download

Analysis

Sharing