392e0fb3d1a2f9fa9f0f495c7433508c103d1149061a8f18e2d3c05ab3fdd76d

General

Target

1e8617c474f50fca963bb2927e57515b.exe
Size

155KB
MD5

1e8617c474f50fca963bb2927e57515b
SHA1

c1056691820a1d343798d2a2b15a27ac8e7cd6eb
SHA256

392e0fb3d1a2f9fa9f0f495c7433508c103d1149061a8f18e2d3c05ab3fdd76d
SHA512

4f76236a5bf9bf33ab1d6c07d708a89f9d9ee330f817f838bc0619009bba4c851ae6f5c691ba9f0f205e5b46a5fa36241097f6099075c1d58e0cc81b6367b75c
SSDEEP

3072:H+bnHkQocN6sXuUowZIilfPZ8hFeDy4u47hvQJWVnwRSRvzdtDULTf:Ski1/ZbfwF1ChoJo3RxpU

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2756	server.exe

Loads dropped DLL 2 IoCs

pid	Process
2688	cmd.exe
2688	cmd.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2652-0-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/files/0x0031000000015c8d-7.dat	upx
behavioral1/memory/2652-13-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2756-8-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2688-6-0x0000000000160000-0x00000000001CA000-memory.dmp	upx
behavioral1/files/0x0031000000015c8d-5.dat	upx
behavioral1/files/0x0031000000015c8d-4.dat	upx
behavioral1/files/0x0031000000015c8d-3.dat	upx
behavioral1/memory/2756-15-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\server.exe	1e8617c474f50fca963bb2927e57515b.exe
File opened for modification	C:\Windows\SysWOW64\server.exe	1e8617c474f50fca963bb2927e57515b.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\appget.ini	1e8617c474f50fca963bb2927e57515b.exe
File created	C:\WINDOWS\appgets.ini	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2676	DllHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2688	2652	1e8617c474f50fca963bb2927e57515b.exe	16
PID 2652 wrote to memory of 2688	2652	1e8617c474f50fca963bb2927e57515b.exe	16
PID 2652 wrote to memory of 2688	2652	1e8617c474f50fca963bb2927e57515b.exe	16
PID 2652 wrote to memory of 2688	2652	1e8617c474f50fca963bb2927e57515b.exe	16
PID 2688 wrote to memory of 2756	2688	cmd.exe	24
PID 2688 wrote to memory of 2756	2688	cmd.exe	24
PID 2688 wrote to memory of 2756	2688	cmd.exe	24
PID 2688 wrote to memory of 2756	2688	cmd.exe	24

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\WINDOWS\system32\server.exe
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688
- C:\WINDOWS\SysWOW64\server.exe
  C:\WINDOWS\system32\server.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2756

C:\Users\Admin\AppData\Local\Temp\1e8617c474f50fca963bb2927e57515b.exe
"C:\Users\Admin\AppData\Local\Temp\1e8617c474f50fca963bb2927e57515b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\SysWOW64\server.exe

Filesize
119KB

MD5
817989e967b2fa2c858c7e7881f07ff5

SHA1
3744dae5e859fc2f5deee06ba466d329b09f7d69

SHA256
7b75355584c4641f87d2fd6c3d7d7af13619f5bd468debd86d79053051438564

SHA512
c6f462b2f225f7b94d3fabfb8263ce65c8c13af59c931fac4e36b9b329d0ac130f6dbf408b1b0bedd3bc75dcf93addd3d533cf1aed0a4d232971a781c5ebe239

Download Submit
C:\Windows\SysWOW64\server.exe

Filesize
1KB

MD5
cfe9bad16d63c0b1e80fd7faee4dcc31

SHA1
fdb5dcfb3ef58f00b336141af96d9d8dd0258235

SHA256
a04dd2e65985a73ff2717d7682a0846f552fd18706dde3e4f62802d0f8aecd1e

SHA512
bf418fb65a24787b92c3e38445756b88aa1e26d109892606d9f68360889bd1ce85bf49968fa0f3dc3e84c6d7ae21998fd1a9c168c9d4c3059daa2388643ee409

Download Submit
\Windows\SysWOW64\server.exe

Filesize
70KB

MD5
92c323bec665932c6201909c4a579c4c

SHA1
70f68557e5772ec9ff0a76038a0ece58765c3405

SHA256
cc2a1cf003cc998bf9f330eb8906b124216b9d64be22b88aa726131ef0939582

SHA512
ffc7d103888e66aa26eb3d5e49964b3328b0c1193b456c72e49a3bb1915039cc712e2f777f4cac0da92645d690aed8d2cb6f29c455abde8d3c1b7e1c9342e627

Download Submit
memory/2652-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2652-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2652-13-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2652-11-0x0000000002E90000-0x0000000002E92000-memory.dmp

Filesize
8KB

Download
memory/2676-12-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2676-14-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2676-16-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2688-6-0x0000000000160000-0x00000000001CA000-memory.dmp

Filesize
424KB

Download
memory/2688-9-0x0000000000160000-0x00000000001CA000-memory.dmp

Filesize
424KB

Download
memory/2756-8-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2756-10-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2756-15-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing