a7ef6032c92f5f1284a6cbba65f53b946fa6cd903b1e8da3f4a554a650e1cad4

General

Target

1f88998d6754982c6ffff3b687264821.exe
Size

515KB
MD5

1f88998d6754982c6ffff3b687264821
SHA1

0e672a2738a8626677b8ce6ea97be7747b357aa5
SHA256

a7ef6032c92f5f1284a6cbba65f53b946fa6cd903b1e8da3f4a554a650e1cad4
SHA512

172764009828c0437b51069f4e7336bd8e3a21bfd2ca75cfc443226a6cf48449bf4b7392c5ad98f3e65ff2f5c5e12fc14c5c63eea5d09f68070892d02c47d7b0
SSDEEP

12288:aio8EuMd7IbGKtT2d6OxyLvqDvRRFLsYq4EJnIHe/U+f:89b2GKtTWRDf+xJhGe/rf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2152	You Server.exe
1720	You Server.exe
2364	dlllhost.exe

Loads dropped DLL 4 IoCs

pid	Process
2152	You Server.exe
2152	You Server.exe
1720	You Server.exe
1720	You Server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winupdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\You Server.exe"	You Server.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\dlllhost.exe	You Server.exe
File opened for modification	C:\WINDOWS\SysWOW64\dlllhost.exe	You Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	You Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	You Server.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dlllhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dlllhost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2152	You Server.exe
1720	You Server.exe
1720	You Server.exe
2364	dlllhost.exe
2364	dlllhost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2152	1736	1f88998d6754982c6ffff3b687264821.exe	18
PID 1736 wrote to memory of 2152	1736	1f88998d6754982c6ffff3b687264821.exe	18
PID 1736 wrote to memory of 2152	1736	1f88998d6754982c6ffff3b687264821.exe	18
PID 1736 wrote to memory of 2152	1736	1f88998d6754982c6ffff3b687264821.exe	18
PID 2152 wrote to memory of 1720	2152	You Server.exe	17
PID 2152 wrote to memory of 1720	2152	You Server.exe	17
PID 2152 wrote to memory of 1720	2152	You Server.exe	17
PID 2152 wrote to memory of 1720	2152	You Server.exe	17
PID 1720 wrote to memory of 2364	1720	You Server.exe	16
PID 1720 wrote to memory of 2364	1720	You Server.exe	16
PID 1720 wrote to memory of 2364	1720	You Server.exe	16
PID 1720 wrote to memory of 2364	1720	You Server.exe	16

C:\Users\Admin\AppData\Local\Temp\1f88998d6754982c6ffff3b687264821.exe
"C:\Users\Admin\AppData\Local\Temp\1f88998d6754982c6ffff3b687264821.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1736
- C:\You Server.exe
  "C:\You Server.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2152

C:\WINDOWS\SysWOW64\dlllhost.exe
C:\WINDOWS\system32\dlllhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:2364

C:\Users\Admin\AppData\Local\Temp\You Server.exe
"C:\Users\Admin\AppData\Local\Temp\You Server.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\logs.txt

Filesize
27B

MD5
709191d3408d179db0aff8bbbca7e249

SHA1
407ef9fff2bbeb2b85738a39c8bbbaa2dcf9b2fd

SHA256
ed8f9de65ce3dc77975224b9d88a38dc6f211b6d9bd9ac1659260f92232fc109

SHA512
f7b4087507e3fcf834da069cb97db034be549af8d78874166e990a164f7f9a39baa6492906ac56c3c23d0e2a11d8a2634e1c455ac2facded7c8011244f1e1529

Download Submit
C:\You Server.exe

Filesize
316KB

MD5
5d40c9da0c217f48759e5ad64c5c74e8

SHA1
9071ba850ca25353d80e317312629dc681741f63

SHA256
23d1b2235fe779b33d4ac2a10e5cf0821e5e9d93e06b322a878f3400304ddf8b

SHA512
83ce5acf5a8eca215019824ddbfb84016cd1c4af8b7fab80d02aef30607b1f4cba300a73ceb178e9d5c6e5e7d542188566b1b030c85d7ece42729ca66c0dbf94

Download Submit
\Users\Admin\AppData\Local\Temp\You Server.exe

Filesize
105KB

MD5
4d8fd1fe6b4239d4edb671fba773d8a4

SHA1
848a3d6ce32170a99a92fa530e968c0d06571efc

SHA256
c0cf0970c67f27e47b840cdeb0bc30f5d74f0022f67de6148f3ab96ee192863c

SHA512
e84769abc3821019f16effd1f08a736c6fb5adde65c071316a92ce05d5b276d1b6dfb91816d789f050c32aefdc660d82bccf0e1d6c33f5f85aa7031390453234

Download Submit
\Users\Admin\AppData\Local\Temp\You Server.exe

Filesize
130KB

MD5
cfa6b941eaef669c5cf786b35b564830

SHA1
d8f61f2b54be080031a8a2d7cb7585606e7d6b3d

SHA256
05fdcda9dec660e278fe77315876481e314519151732087df057636fe5420c90

SHA512
15fc906eb2ef739d393b7d37927c691480b41b3bae7355381bb570936666f755e73c96ae7eb05d2ca8315e2a1ca8b736339640b909b87de29b2911f33af478e9

Download Submit
memory/1720-20-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1720-40-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1720-36-0x0000000003D00000-0x0000000003D83000-memory.dmp

Filesize
524KB

Download
memory/1736-7-0x0000000010000000-0x000000001005F000-memory.dmp

Filesize
380KB

Download
memory/2364-58-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2364-81-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2364-52-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2364-37-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2364-64-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2364-70-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2364-76-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2364-46-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2364-88-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2364-94-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2364-99-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2364-105-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2364-112-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2364-118-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2364-123-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads