321995270bde4cb275d4c77eeb58b32c795a64f4058abdf0c8eb6e9b8f0fb830

General

Target

175f151b96deec42081aa4d331883fcc.exe
Size

274KB
MD5

175f151b96deec42081aa4d331883fcc
SHA1

58c03b86490b08e0655607baeef33bfd8dd0b04b
SHA256

321995270bde4cb275d4c77eeb58b32c795a64f4058abdf0c8eb6e9b8f0fb830
SHA512

f54cf032014a05ef87846c041a0a2d22e6c6062389487a8b2e93dde7f92e1b97d7bfdfa8693af77c6849045973d7be51c1aece9f082db9861903868841dfb215
SSDEEP

6144:R2M6MQT99b7GFNCtLNk4umds8i6j/qKQsZWiOqlAAegAhzDmyR2j7:RO399b7GFNCtRXup8hjCKqiRg3mDP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2620	svchost.exe
2568	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
2940	175f151b96deec42081aa4d331883fcc.exe
2940	175f151b96deec42081aa4d331883fcc.exe
2620	svchost.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2940-15-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2940-14-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2940-13-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2940-12-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2940-10-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2940-25-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2568-43-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2568-47-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2568-51-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2568-55-0x0000000000400000-0x0000000000467000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google = "C:\\Users\\Admin\\Documents\\Windows\\AppLoc\\svchost.exe"	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2928 set thread context of 2940	2928	175f151b96deec42081aa4d331883fcc.exe	14
PID 2620 set thread context of 2568	2620	svchost.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2940	2928	175f151b96deec42081aa4d331883fcc.exe	14
PID 2928 wrote to memory of 2940	2928	175f151b96deec42081aa4d331883fcc.exe	14
PID 2928 wrote to memory of 2940	2928	175f151b96deec42081aa4d331883fcc.exe	14
PID 2928 wrote to memory of 2940	2928	175f151b96deec42081aa4d331883fcc.exe	14
PID 2928 wrote to memory of 2940	2928	175f151b96deec42081aa4d331883fcc.exe	14
PID 2928 wrote to memory of 2940	2928	175f151b96deec42081aa4d331883fcc.exe	14
PID 2928 wrote to memory of 2940	2928	175f151b96deec42081aa4d331883fcc.exe	14
PID 2928 wrote to memory of 2940	2928	175f151b96deec42081aa4d331883fcc.exe	14
PID 2940 wrote to memory of 2620	2940	175f151b96deec42081aa4d331883fcc.exe	30
PID 2940 wrote to memory of 2620	2940	175f151b96deec42081aa4d331883fcc.exe	30
PID 2940 wrote to memory of 2620	2940	175f151b96deec42081aa4d331883fcc.exe	30
PID 2940 wrote to memory of 2620	2940	175f151b96deec42081aa4d331883fcc.exe	30
PID 2620 wrote to memory of 2568	2620	svchost.exe	29
PID 2620 wrote to memory of 2568	2620	svchost.exe	29
PID 2620 wrote to memory of 2568	2620	svchost.exe	29
PID 2620 wrote to memory of 2568	2620	svchost.exe	29
PID 2620 wrote to memory of 2568	2620	svchost.exe	29
PID 2620 wrote to memory of 2568	2620	svchost.exe	29
PID 2620 wrote to memory of 2568	2620	svchost.exe	29
PID 2620 wrote to memory of 2568	2620	svchost.exe	29

C:\Users\Admin\AppData\Local\Temp\175f151b96deec42081aa4d331883fcc.exe
"C:\Users\Admin\AppData\Local\Temp\175f151b96deec42081aa4d331883fcc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\Documents\Windows\AppLoc\svchost.exe
  "C:\Users\Admin\Documents\Windows\AppLoc\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2620

C:\Users\Admin\AppData\Local\Temp\175f151b96deec42081aa4d331883fcc.exe
"C:\Users\Admin\AppData\Local\Temp\175f151b96deec42081aa4d331883fcc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2928

C:\Users\Admin\Documents\Windows\AppLoc\svchost.exe
"C:\Users\Admin\Documents\Windows\AppLoc\svchost.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2568-56-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2568-55-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2568-51-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2568-47-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2568-43-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2620-28-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2620-39-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2928-1-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2928-11-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2928-0-0x0000000077E10000-0x0000000077E11000-memory.dmp

Filesize
4KB

Download
memory/2940-13-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2940-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2940-4-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2940-25-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2940-6-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2940-10-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2940-12-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2940-14-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2940-15-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2940-8-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads