67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02

General

Target

67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe
Size

429KB
MD5

f1d4311e6528ef499580e40d4e09b6b7
SHA1

18c09beef46c9a7899dc0611c8f112cdc0f0ed77
SHA256

67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02
SHA512

8de4ab7fc288204ae7a4952bd1354adbf48362d2b98057c3dca7c1e569c5e8c5c096ac83d20906a93a66051f8a41ea570f0c769bfe0c4c9e8710b1d604d36ba0
SSDEEP

6144:1PcOHwCEhJmEgzZIdQc7+IZv/bbAkObgB91xMBsR/32bk3SaCzf9QXprjPZ8ka/P:uTaZZcvZb0kObgBPSi2bwSaCraJakIp

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2436	~~3485763163251653624.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1188	67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe
1188	67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1188-0-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2592-1-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2592-3-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/1188-10-0x0000000000400000-0x00000000004E8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_Classes\Local Settings	~~3485763163251653624.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	~~3485763163251653624.tmp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	~~3485763163251653624.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	~~3485763163251653624.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	~~3485763163251653624.tmp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	~~3485763163251653624.tmp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	~~3485763163251653624.tmp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	~~3485763163251653624.tmp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	~~3485763163251653624.tmp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	~~3485763163251653624.tmp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	~~3485763163251653624.tmp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	~~3485763163251653624.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	~~3485763163251653624.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	~~3485763163251653624.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	~~3485763163251653624.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	~~3485763163251653624.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	~~3485763163251653624.tmp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	~~3485763163251653624.tmp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	~~3485763163251653624.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	~~3485763163251653624.tmp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2436	~~3485763163251653624.tmp.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	1188	67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe
Token: SeRestorePrivilege	1188	67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe
Token: 33	1188	67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe
Token: SeIncBasePriorityPrivilege	1188	67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe
Token: 33	1188	67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe
Token: SeIncBasePriorityPrivilege	1188	67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe
Token: SeBackupPrivilege	2592	67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe
Token: SeRestorePrivilege	2592	67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe
Token: 33	2592	67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe
Token: SeIncBasePriorityPrivilege	2592	67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe
Token: 33	1188	67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe
Token: SeIncBasePriorityPrivilege	1188	67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2436	~~3485763163251653624.tmp.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 2592	1188	67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe	28
PID 1188 wrote to memory of 2592	1188	67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe	28
PID 1188 wrote to memory of 2592	1188	67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe	28
PID 1188 wrote to memory of 2592	1188	67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe	28
PID 1188 wrote to memory of 2436	1188	67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe	29
PID 1188 wrote to memory of 2436	1188	67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe	29
PID 1188 wrote to memory of 2436	1188	67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe	29
PID 1188 wrote to memory of 2436	1188	67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe	29

C:\Users\Admin\AppData\Local\Temp\67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe
"C:\Users\Admin\AppData\Local\Temp\67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe
  PECMD**pecmd-cmd* PUTF "C:\Users\Admin\AppData\Local\Temp\~~3485763163251653624.tmp.exe",,"C:\Users\Admin\AppData\Local\Temp\67feb0ce2b00313fb5917e5e11602dbf109134d85281245cb47a47fe6269ae02.exe""#102|SCRIPT"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Users\Admin\AppData\Local\Temp\~~3485763163251653624.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\~~3485763163251653624.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~~3485763163251653624.tmp.exe

Filesize
389KB

MD5
a81fc02190c5fda5c4e5b96707d621cd

SHA1
5c0d00466704c85d3ef33d94d554cec3513a04a2

SHA256
80e07214f2da04cdf4794791999fff6b527e40261d1147f4a3c8116834dd6dd2

SHA512
edeac43939e7282ce7e4ea241c96b7d38b9e7dccd09308d9be177760d74ac791282927f0f1f5fef8ea14c8f9f0042577c247a8b893467b5dc06c87a2b7577b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\~~3485763163251653624.tmp.exe

Filesize
389KB

MD5
a81fc02190c5fda5c4e5b96707d621cd

SHA1
5c0d00466704c85d3ef33d94d554cec3513a04a2

SHA256
80e07214f2da04cdf4794791999fff6b527e40261d1147f4a3c8116834dd6dd2

SHA512
edeac43939e7282ce7e4ea241c96b7d38b9e7dccd09308d9be177760d74ac791282927f0f1f5fef8ea14c8f9f0042577c247a8b893467b5dc06c87a2b7577b46

Download Submit
\Users\Admin\AppData\Local\Temp\~~3485763163251653624.tmp.exe

Filesize
389KB

MD5
a81fc02190c5fda5c4e5b96707d621cd

SHA1
5c0d00466704c85d3ef33d94d554cec3513a04a2

SHA256
80e07214f2da04cdf4794791999fff6b527e40261d1147f4a3c8116834dd6dd2

SHA512
edeac43939e7282ce7e4ea241c96b7d38b9e7dccd09308d9be177760d74ac791282927f0f1f5fef8ea14c8f9f0042577c247a8b893467b5dc06c87a2b7577b46

Download Submit
\Users\Admin\AppData\Local\Temp\~~3485763163251653624.tmp.exe

Filesize
389KB

MD5
a81fc02190c5fda5c4e5b96707d621cd

SHA1
5c0d00466704c85d3ef33d94d554cec3513a04a2

SHA256
80e07214f2da04cdf4794791999fff6b527e40261d1147f4a3c8116834dd6dd2

SHA512
edeac43939e7282ce7e4ea241c96b7d38b9e7dccd09308d9be177760d74ac791282927f0f1f5fef8ea14c8f9f0042577c247a8b893467b5dc06c87a2b7577b46

Download Submit
memory/1188-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1188-10-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1188-11-0x0000000002290000-0x0000000002378000-memory.dmp

Filesize
928KB

Download
memory/2436-8-0x0000000004240000-0x0000000004241000-memory.dmp

Filesize
4KB

Download
memory/2436-9-0x00000000045C0000-0x00000000045C2000-memory.dmp

Filesize
8KB

Download
memory/2436-13-0x0000000004240000-0x0000000004241000-memory.dmp

Filesize
4KB

Download
memory/2592-1-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2592-3-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download

Analysis

Sharing