3d27e814116e5659f00c28e1cc0908d3fcf690a629565db910090e7c9f57299e

General

Target

004fd0b808d32e4cd57b86dfd6888cf7.exe
Size

22.4MB
MD5

004fd0b808d32e4cd57b86dfd6888cf7
SHA1

54cc6cd80fe2cd825062d138c923540a40e66a61
SHA256

3d27e814116e5659f00c28e1cc0908d3fcf690a629565db910090e7c9f57299e
SHA512

e7dc153185eedcf36580b2544212a1276ba2d901554fb8ee4daead2db8874303d2ba09cc43ed8a689eaecdbc657dab2f68b5dd2ea8a460a2f7e0558dcb06cd60
SSDEEP

49152:c3+i9PkYByX4+i9PkYByX4+i9PkYByX4+i9PkYByX4+i9PkYByX4+i9PkYByX4+7:f

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2788	knqsuxy.exe

Loads dropped DLL 2 IoCs

pid	Process
1512	004fd0b808d32e4cd57b86dfd6888cf7.exe
1512	004fd0b808d32e4cd57b86dfd6888cf7.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1512-0-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/files/0x0006000000016d3e-13.dat	upx
behavioral1/files/0x0006000000016d3e-35.dat	upx
behavioral1/files/0x0006000000016d3e-38.dat	upx
behavioral1/memory/2788-43-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/files/0x0006000000016d3e-42.dat	upx
behavioral1/memory/1512-37-0x00000000007D0000-0x000000000083D000-memory.dmp	upx
behavioral1/files/0x000100000000002a-49.dat	upx
behavioral1/memory/1512-60-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2788-61-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2788-73-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2560-71-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-74-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-75-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-76-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-77-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-78-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-79-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-80-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-81-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-82-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-83-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1512-84-0x0000000000400000-0x000000000046D000-memory.dmp	upx

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cksenqs\cksenqs\uwbdgij\m.ini	004fd0b808d32e4cd57b86dfd6888cf7.exe
File created	C:\Windows\SysWOW64\cksenqs\cksenqs\uwbdgij\knqsuxy.exe	004fd0b808d32e4cd57b86dfd6888cf7.exe
File opened for modification	C:\Windows\SysWOW64\cksenqs\cksenqs\uwbdgij\knqsuxy.exe	004fd0b808d32e4cd57b86dfd6888cf7.exe
File created	C:\Windows\system32\spool\DRIVERS\W32X86\3\ksenqsc\ksenqsc.exe	004fd0b808d32e4cd57b86dfd6888cf7.exe
File created	C:\Windows\SysWOW64\Help\upbiran.ini	004fd0b808d32e4cd57b86dfd6888cf7.exe
File created	C:\Windows\SysWOW64\Help\1.cksenqs	004fd0b808d32e4cd57b86dfd6888cf7.exe
File created	C:\Windows\SysWOW64\Help\2.cksenqs	004fd0b808d32e4cd57b86dfd6888cf7.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2788 set thread context of 2560	2788	knqsuxy.exe	29

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Help\cksenqs.hlp	004fd0b808d32e4cd57b86dfd6888cf7.exe
File created	C:\Windows\2.ini	004fd0b808d32e4cd57b86dfd6888cf7.exe
File opened for modification	C:\Windows\	004fd0b808d32e4cd57b86dfd6888cf7.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1512	004fd0b808d32e4cd57b86dfd6888cf7.exe
1512	004fd0b808d32e4cd57b86dfd6888cf7.exe
1512	004fd0b808d32e4cd57b86dfd6888cf7.exe
1512	004fd0b808d32e4cd57b86dfd6888cf7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1512	004fd0b808d32e4cd57b86dfd6888cf7.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2788	1512	004fd0b808d32e4cd57b86dfd6888cf7.exe	28
PID 1512 wrote to memory of 2788	1512	004fd0b808d32e4cd57b86dfd6888cf7.exe	28
PID 1512 wrote to memory of 2788	1512	004fd0b808d32e4cd57b86dfd6888cf7.exe	28
PID 1512 wrote to memory of 2788	1512	004fd0b808d32e4cd57b86dfd6888cf7.exe	28
PID 2788 wrote to memory of 2560	2788	knqsuxy.exe	29
PID 2788 wrote to memory of 2560	2788	knqsuxy.exe	29
PID 2788 wrote to memory of 2560	2788	knqsuxy.exe	29
PID 2788 wrote to memory of 2560	2788	knqsuxy.exe	29
PID 2788 wrote to memory of 2560	2788	knqsuxy.exe	29
PID 2788 wrote to memory of 2560	2788	knqsuxy.exe	29

C:\Users\Admin\AppData\Local\Temp\004fd0b808d32e4cd57b86dfd6888cf7.exe
"C:\Users\Admin\AppData\Local\Temp\004fd0b808d32e4cd57b86dfd6888cf7.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SysWOW64\cksenqs\cksenqs\uwbdgij\knqsuxy.exe
  C:\Windows\system32\cksenqs\cksenqs\uwbdgij\knqsuxy.exe -close
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -NetworkService
    3⤵
    PID:2560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Help\1.cksenqs

Filesize
26B

MD5
b7c74da2fb27ffc52cb527cf3f4b66f4

SHA1
e86790a3f644ad29ca9854c1c6695c644182a0f8

SHA256
6da507403753fddc6ed91bf1ba1c93d55029e605482bdb240657ef019ee9fa07

SHA512
6df915348bba10b2d94a715d12047435746feea78930f08950d8a5b0d185b8d12183d1bba83530c34ac961562e34b9e096db3448317f96acf1b70d37d20957d0

Download Submit
C:\Windows\SysWOW64\Help\2.cksenqs

Filesize
18B

MD5
cd2779d9663fda9864f6203c0c44e40e

SHA1
f2f3bd5a3519dc997f247e4222538810efc0e08c

SHA256
fcd77ae2c98e518ed732bee6d1ca554343cac73f21165d00213c860b5c83b65a

SHA512
e2a0d938beb1e9778e72b51aa7fc4e96236856b95a31a7ca917f72a4486b034fa927fb27e7fd5d27f64cd12b1a029d5f04aaa2f939bdc1416a385b525c87788c

Download Submit
C:\Windows\SysWOW64\Help\upbiran.ini

Filesize
18B

MD5
a54a4d13950ffa17e36be3b182aedca4

SHA1
6c44d6e436a9a31ce9af2662b72f00335f84b67f

SHA256
484707eb89d6c1bd2e231258360eb612f594b4aeaab20a2f0e09ce34cb910bfe

SHA512
fcc4cfea6ad2a7c3c145bbacad652d1be9a544173da445c5b04d11261d2efcd8e25639053d926e0b6de97c64e7389c0e6d1d47c6ca17358d2c4234c948539225

Download Submit
C:\Windows\SysWOW64\cksenqs\cksenqs\uwbdgij\knqsuxy.exe

Filesize
2.1MB

MD5
f36c7ffc2acb090b6a07e02ae3f59768

SHA1
1819d1b84a0a0ce70281155d93e18d4bf9e5b704

SHA256
99fabadbad00e7a60f2cd74edcc9d7a558fe9da506cfa07ddfff1646b750ffca

SHA512
79cbb2fb10762140ba883be00e81e6d6eb9c9fdbba63dcf7dfe83320baa19aa3aab0e4331b802736083b7009eee030dd77fc657f9fb3b8c955c014f26b6e690b

Download Submit
C:\Windows\SysWOW64\cksenqs\cksenqs\uwbdgij\knqsuxy.exe

Filesize
1.1MB

MD5
fd21bc9b9563e9a0a759b4fd690f91af

SHA1
9fb5a0fc0ab719d78d2d9fbb1ad19efaeaa546f7

SHA256
7818b5a5feb64f2cc9438f0dba12c4b14d134f08a9f34bb5b84d0aca77c467f2

SHA512
e1c6c1dd6273a815545a44bc9a4dec50aab6335495be5901989f1211207bdc43c2cb3c146a79671de6f983f21ef4ac455b48a0928ec8852bee5eb95e889a6a0e

Download Submit
C:\Windows\SysWOW64\cksenqs\cksenqs\uwbdgij\m.ini

Filesize
128B

MD5
a3bcf7f8f3c2361f11d98ce1f744f9be

SHA1
fc207306f0989fa192831af130d9d63b21f23a16

SHA256
9e443c57dcb4c3346f6c349c3a1dc46f6523c01270de4cb0cbdace8c6e01c3ef

SHA512
15e725a3ab912df9e9d2fa0aedf7aa4789716e27bb45266007f1e5a37b69cd1774cf0e4b0fd22e520975ef2b9964a7b928bfcf827a053fc9baabc45df1af96b5

Download Submit
\Windows\SysWOW64\cksenqs\cksenqs\uwbdgij\knqsuxy.exe

Filesize
1.5MB

MD5
005cc321e8789aad7305462903458d40

SHA1
1b4a3bec8c658701274c8b87d37b6549c22db535

SHA256
630a88f362c2be27ffb91e8e1af484c9fe0306a32b17a5034c6eb2a34796ad91

SHA512
a8ea0602898354456c9e89b95b85b3c01d17cbb2ebf45c4b408e1501e0256659d59dd1bdddbbfec261787a2a995caccdfea2785833da83af98e9b5e55be443f0

Download Submit
\Windows\SysWOW64\cksenqs\cksenqs\uwbdgij\knqsuxy.exe

Filesize
1.1MB

MD5
f98c454f18958507800f0a268b72e045

SHA1
2f3806178e3edd69518f79a36c2c8bc58cb86769

SHA256
85ab6c9da83b729aa0cb790bbc9bef1eec447aa176332417d9d6c59f520c4fd6

SHA512
8a017ef24488c0a69214f0ef8a74b3ea127470fc3b8b8bc92a997cef4a4e42b0cc8756d797d94a7c55e8e00775db30d4fbf9dd315b0bbdf74fc5de723d952468

Download Submit
memory/1512-75-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-74-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-84-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-44-0x00000000007D0000-0x000000000083D000-memory.dmp

Filesize
436KB

Download
memory/1512-60-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-83-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-63-0x00000000007D0000-0x000000000083D000-memory.dmp

Filesize
436KB

Download
memory/1512-82-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-81-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-80-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-79-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-37-0x00000000007D0000-0x000000000083D000-memory.dmp

Filesize
436KB

Download
memory/1512-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-76-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-77-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-78-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2560-71-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2560-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2788-73-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2788-61-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2788-43-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download

Analysis

Sharing