9a887bbced1bee87fced0151f30a95c4b1377760a179493e1717eaae55d725e8

General

Target

053c66e85ef10e8739c81f88bcc31f46.exe
Size

279KB
MD5

053c66e85ef10e8739c81f88bcc31f46
SHA1

9dd9dadc44f0baa3d79bea12a70a752c01c73acc
SHA256

9a887bbced1bee87fced0151f30a95c4b1377760a179493e1717eaae55d725e8
SHA512

f5661bab3194a6ea5407154a5d798dbbaef5d58ed3098d2f6f7ff43c45560c19581e098c5cb63a43516d1dd9801163937c71f0b127e5c4d8e9a0e25536831038
SSDEEP

6144:u7O70l65RAHqjeEnoz5OEKS64y5eUSqX5kdpfkQr7ZBfE9M:u7ARGgdoz5LDsOddkUBc9M

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	053c66e85ef10e8739c81f88bcc31f46.exe

Disables taskbar notifications via registry modification
evasion

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2284-1-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2284-3-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2284-5-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2284-11-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1560-21-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1560-23-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2284-125-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2944-130-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2284-206-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3A2.exe = "C:\\Program Files (x86)\\LP\\8F29\\3A2.exe"	053c66e85ef10e8739c81f88bcc31f46.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\8F29\3A2.exe	053c66e85ef10e8739c81f88bcc31f46.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2284	053c66e85ef10e8739c81f88bcc31f46.exe
2284	053c66e85ef10e8739c81f88bcc31f46.exe
2284	053c66e85ef10e8739c81f88bcc31f46.exe
2284	053c66e85ef10e8739c81f88bcc31f46.exe
2284	053c66e85ef10e8739c81f88bcc31f46.exe
2284	053c66e85ef10e8739c81f88bcc31f46.exe
2284	053c66e85ef10e8739c81f88bcc31f46.exe
2284	053c66e85ef10e8739c81f88bcc31f46.exe
2284	053c66e85ef10e8739c81f88bcc31f46.exe
2284	053c66e85ef10e8739c81f88bcc31f46.exe
2284	053c66e85ef10e8739c81f88bcc31f46.exe
2284	053c66e85ef10e8739c81f88bcc31f46.exe
2284	053c66e85ef10e8739c81f88bcc31f46.exe
2284	053c66e85ef10e8739c81f88bcc31f46.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2668	msiexec.exe
Token: SeTakeOwnershipPrivilege	2668	msiexec.exe
Token: SeSecurityPrivilege	2668	msiexec.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	053c66e85ef10e8739c81f88bcc31f46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	053c66e85ef10e8739c81f88bcc31f46.exe

C:\Users\Admin\AppData\Local\Temp\053c66e85ef10e8739c81f88bcc31f46.exe
"C:\Users\Admin\AppData\Local\Temp\053c66e85ef10e8739c81f88bcc31f46.exe"
1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:2284
- C:\Users\Admin\AppData\Local\Temp\053c66e85ef10e8739c81f88bcc31f46.exe
  C:\Users\Admin\AppData\Local\Temp\053c66e85ef10e8739c81f88bcc31f46.exe startC:\Users\Admin\AppData\Roaming\97D8B\63E8F.exe%C:\Users\Admin\AppData\Roaming\97D8B
  2⤵
  PID:1560
- C:\Program Files (x86)\LP\8F29\474.tmp
  "C:\Program Files (x86)\LP\8F29\474.tmp"
  2⤵
  PID:1608
- C:\Users\Admin\AppData\Local\Temp\053c66e85ef10e8739c81f88bcc31f46.exe
  C:\Users\Admin\AppData\Local\Temp\053c66e85ef10e8739c81f88bcc31f46.exe startC:\Program Files (x86)\8BFC7\lvvm.exe%C:\Program Files (x86)\8BFC7
  2⤵
  PID:2944

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LP\8F29\474.tmp

Filesize
58KB

MD5
753445cd5a533ed278a99fbfaed7e38e

SHA1
54fba6acd1d323746ea5259c8dbfcb7d938cbe04

SHA256
cbf92c08f874dc5fe459d8c3e597d282208fcdbc8509dce99a732a496d94f07b

SHA512
8885916165312ad30d16912b73e7a69d2ff3005e0b9a772163612b1b8766c6e5055ec063332be940fc626aacb0e1a42bdb2191ec6f5cef479dd40f6b9621b900

Download Submit
C:\Program Files (x86)\LP\8F29\474.tmp

Filesize
99KB

MD5
cb853d0e676be7b23903aa89175d8d69

SHA1
2066462d42c45133df60c5e5f9e8956373d191b0

SHA256
7291b34528651c542a4e09036bb828f27c9f75c134d2be3aed3e1c5a0db5fe20

SHA512
bf96f4c8511929ef380562004211a72821330465538db6da3367cbce387092384265e0bfd4ab54e62b742d68d668ff1457f43381d7a770fd3027f3bab1f36038

Download Submit
C:\Users\Admin\AppData\Roaming\97D8B\BFC7.7D8

Filesize
1KB

MD5
e6cfcbea2c7ff2e5c97aed4aed57f7dc

SHA1
5a1814ba21d62b4013bb047c9e545390613afeb7

SHA256
803175cc505278eb96c2167c971eba5d8cb4bf5b62eefe1f26d0a7289415df88

SHA512
4f0b883341d5bdc83647395c3b710de6b7d709a7ed247d36f5d8163382cf065222906682570a6ad9b86f97573f9d28c2b2fd5bd9a279ac2f4ce261e08317f360

Download Submit
C:\Users\Admin\AppData\Roaming\97D8B\BFC7.7D8

Filesize
600B

MD5
833a5a07c4cdebb628c1b2815b3bab94

SHA1
a6b4faa0be2979174315daebab9f27ccc08dd26e

SHA256
7a64bf7f1f37761f604e963cc6db464cf550f1dbf5ac70364b798c5336acb56b

SHA512
bb1406a29fff7c1207fd0791ac0145c828b87c10f4ffe95a219763a390e865453c8804ee71d1159dee36855732605ea9ebc7acfb3c310bcb7972a2f24ff656be

Download Submit
C:\Users\Admin\AppData\Roaming\97D8B\BFC7.7D8

Filesize
897B

MD5
0c5bd3da5b2a0f2f73beadc8a545400d

SHA1
ce7effae7c511bf1f425ee84c0eb51d13a5e221f

SHA256
0fa8229b45bcd1a9ad7c6e2b136891b90e3d2a5fe6a45daa04dcc2b3cd74ac2e

SHA512
f21c2100a645c784fd7f2ab4e8b01dd866fd78133ab7c6690acadea298532fa38ca6a4c6cc310f3832895d6b87f6013fc3c45b608399246d39260b2c464523bc

Download Submit
\Program Files (x86)\LP\8F29\474.tmp

Filesize
83KB

MD5
f4ecd85cd2e28ae7b4c401e9ad94a98a

SHA1
c32bd47698db3b3f9b0e86becc857d6e43d4eee3

SHA256
7a86af02a370bc00d1cefad0040cc532d4fca661a9460d3c745e905af69a4f7e

SHA512
aa97446a65bfdae9c8c38394bb3dd01d233bb508d75f57d62d5924bb72ab04f37ebe051d9507e2984fcf881d9ec163b77e2a16b1df15dc4ae89471e0e52594ed

Download Submit
\Program Files (x86)\LP\8F29\474.tmp

Filesize
84KB

MD5
5170a55658e61a0773592f81c2da17ab

SHA1
66f6d8fe451139fe3f587c3fd97f1d95c5cfaec3

SHA256
9405a72b4b1776d1d52e74ac431a7fd86e6217bfe640c62c949a631091dfd4a4

SHA512
89957aa7b496d0a48e81578a82f48e2b828af7f9f80ae5acfa886c42034a7ede1de7121462aeb04cea108a1af2a6c90a0ddb81557c5a7dec62e9f8919c377ba1

Download Submit
memory/1560-22-0x0000000001F50000-0x0000000002050000-memory.dmp

Filesize
1024KB

Download
memory/1560-21-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1560-23-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1608-126-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1608-127-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/1608-189-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2164-190-0x0000000004100000-0x0000000004101000-memory.dmp

Filesize
4KB

Download
memory/2164-12-0x0000000004100000-0x0000000004101000-memory.dmp

Filesize
4KB

Download
memory/2284-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2284-125-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2284-5-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2284-3-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2284-7-0x0000000001E00000-0x0000000001F00000-memory.dmp

Filesize
1024KB

Download
memory/2284-11-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2284-2-0x0000000001E00000-0x0000000001F00000-memory.dmp

Filesize
1024KB

Download
memory/2284-206-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2944-130-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2944-131-0x0000000001D30000-0x0000000001E30000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads