34f17c9cdba6e3bb9340628e32c2fc2e7f65223530549d32fa1ee1b5dc184a68

General

Target

3334cb43b69c61d33289b4cf8a5e16f6.exe
Size

1.7MB
MD5

3334cb43b69c61d33289b4cf8a5e16f6
SHA1

f70b0becd639338a427f6424a2272178f58dae53
SHA256

34f17c9cdba6e3bb9340628e32c2fc2e7f65223530549d32fa1ee1b5dc184a68
SHA512

e33d7f0325781eb7a6cad0fec7a4655620f21464215bde52fa8f7bd00632d26724940891d66dcf617a1ee43f4b73077d950da400c28df0f895014a384fd0d8ee
SSDEEP

49152:610vJAyGlATIXdM7RQTE7JBKqf+Fj8McTFgIEIv:hJAyGCTIXdMiY7+qGB8DgIEIv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2756	sg.tmp
2780	StopUpdates10.exe

Loads dropped DLL 2 IoCs

pid	Process
776	3334cb43b69c61d33289b4cf8a5e16f6.exe
776	3334cb43b69c61d33289b4cf8a5e16f6.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/776-0-0x0000000000400000-0x0000000000545000-memory.dmp	upx
behavioral1/memory/776-47-0x0000000000400000-0x0000000000545000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeBackupPrivilege	776	3334cb43b69c61d33289b4cf8a5e16f6.exe
Token: SeRestorePrivilege	776	3334cb43b69c61d33289b4cf8a5e16f6.exe
Token: 33	776	3334cb43b69c61d33289b4cf8a5e16f6.exe
Token: SeIncBasePriorityPrivilege	776	3334cb43b69c61d33289b4cf8a5e16f6.exe
Token: SeCreateGlobalPrivilege	776	3334cb43b69c61d33289b4cf8a5e16f6.exe
Token: 33	776	3334cb43b69c61d33289b4cf8a5e16f6.exe
Token: SeIncBasePriorityPrivilege	776	3334cb43b69c61d33289b4cf8a5e16f6.exe
Token: 33	776	3334cb43b69c61d33289b4cf8a5e16f6.exe
Token: SeIncBasePriorityPrivilege	776	3334cb43b69c61d33289b4cf8a5e16f6.exe
Token: SeRestorePrivilege	2756	sg.tmp
Token: 35	2756	sg.tmp
Token: SeSecurityPrivilege	2756	sg.tmp
Token: SeSecurityPrivilege	2756	sg.tmp
Token: 33	776	3334cb43b69c61d33289b4cf8a5e16f6.exe
Token: SeIncBasePriorityPrivilege	776	3334cb43b69c61d33289b4cf8a5e16f6.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 3056	776	3334cb43b69c61d33289b4cf8a5e16f6.exe	28
PID 776 wrote to memory of 3056	776	3334cb43b69c61d33289b4cf8a5e16f6.exe	28
PID 776 wrote to memory of 3056	776	3334cb43b69c61d33289b4cf8a5e16f6.exe	28
PID 776 wrote to memory of 3056	776	3334cb43b69c61d33289b4cf8a5e16f6.exe	28
PID 776 wrote to memory of 2756	776	3334cb43b69c61d33289b4cf8a5e16f6.exe	30
PID 776 wrote to memory of 2756	776	3334cb43b69c61d33289b4cf8a5e16f6.exe	30
PID 776 wrote to memory of 2756	776	3334cb43b69c61d33289b4cf8a5e16f6.exe	30
PID 776 wrote to memory of 2756	776	3334cb43b69c61d33289b4cf8a5e16f6.exe	30
PID 776 wrote to memory of 2780	776	3334cb43b69c61d33289b4cf8a5e16f6.exe	32
PID 776 wrote to memory of 2780	776	3334cb43b69c61d33289b4cf8a5e16f6.exe	32
PID 776 wrote to memory of 2780	776	3334cb43b69c61d33289b4cf8a5e16f6.exe	32
PID 776 wrote to memory of 2780	776	3334cb43b69c61d33289b4cf8a5e16f6.exe	32
PID 776 wrote to memory of 2780	776	3334cb43b69c61d33289b4cf8a5e16f6.exe	32
PID 776 wrote to memory of 2780	776	3334cb43b69c61d33289b4cf8a5e16f6.exe	32
PID 776 wrote to memory of 2780	776	3334cb43b69c61d33289b4cf8a5e16f6.exe	32

C:\Users\Admin\AppData\Local\Temp\3334cb43b69c61d33289b4cf8a5e16f6.exe
"C:\Users\Admin\AppData\Local\Temp\3334cb43b69c61d33289b4cf8a5e16f6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776
- C:\Windows\system32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:3056
- C:\Users\Admin\AppData\Local\Temp\~4666290344008353324~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\3334cb43b69c61d33289b4cf8a5e16f6.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~6530417400562171735"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\~6530417400562171735\StopUpdates10.exe
  "C:\Users\Admin\AppData\Local\Temp\~6530417400562171735\StopUpdates10.exe"
  2⤵
  - Executes dropped EXE
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~6530417400562171735\Lang\Chinese\StopUpdates10.nat

Filesize
4KB

MD5
a9a9e7ed161ad5de24bd549d6d2fa070

SHA1
b6c07215d4235207dad46d3f36c20355ebdd03f3

SHA256
d0c98431f2ffcaacf45b56afabacb6b8fe205a6465ba90cad55a1128f8ff77a8

SHA512
aa5c814283c1e2550523da866f70c14d5d809193e5566323a276dc8cc4472242e2291470b645ffbef3d32899a94603357f5cc63a2fba6de42d2fadc59f9b4f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6530417400562171735\StopUpdates10.exe

Filesize
1.3MB

MD5
52a04ddb8d7901feec9acb99c875d112

SHA1
ac65f6f786dcfaf9c8773ac713c866fb3458b0c0

SHA256
29540341f5329cc822969d313bc2860f4c9289aa888f94626dd178493c270e00

SHA512
147c9c14ba95625611c32580d23b7dccc784d81915fa45abe0c127a204581df563f9dc1ad7b408341b4769f68eedc00679cc4b35d6d1162a2c241e19a190e9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6530417400562171735\StopUpdates10log.txt

Filesize
280B

MD5
1a6a726d4cb04b82db5b300a35d65b98

SHA1
96e99d238673c74febccd8b2487a2c8e1bb078fd

SHA256
40589c0a1397ebd29fd8dafec3dd6da5b042934869e15d72e3fd49b7b7f93d1f

SHA512
8f837117b6d17567adb0acd9d178dbb077688045f91fca64ad0e7c1b6831a82aa3067e8720485af9196f9a18132371065d7ee7511e6d6dce2ed916cf2668e9fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6530417400562171735\StopUpdates10log.txt

Filesize
1KB

MD5
8f36bc05200ec3ae89c457fd693a5ece

SHA1
d5ec18e8a8d029e36ce22454b7cb9b51f8921fa6

SHA256
f274c139be21e4f14cea81cb5835c25daccc74ce704523252454fa19b50dff66

SHA512
478b6a107be20b7add019f9d38d3925683192ee8471cc474af9bd5a7783aa21d6ce6f688499d57fee8cf64d7b15000a816d4ebe96c2e1ac8233feb5143ef2887

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6530417400562171735\stopupdates10-settins.ini

Filesize
347B

MD5
e061962bbfa8741ae3eb81721672e4d3

SHA1
9350f189ddd1cf0df67dcfd0fdd72d0b0d8c7c35

SHA256
c177b29b57aa75c8a6dba7c436f4cfd34c5c4592a8e2b00418cc3e17a904c406

SHA512
9be219809a65143ac175e6263e540d51a19177266f51684765a1cbd0950335a42bb6a001e2da8ea25e90537ef64ad095b002cda3fc87278df1dc10d21f9948a3

Download Submit
\Users\Admin\AppData\Local\Temp\~4666290344008353324~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
memory/776-0-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/776-47-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/2780-22-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2780-48-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2780-51-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing