35e3aa85bd1d97eed8a682a6eed57007b040a1b0b67e2e13a97fc3f2d5be37a8

General

Target

0abcac168e9f57bfeaa19d1a0e5dbf9b.exe
Size

440KB
MD5

0abcac168e9f57bfeaa19d1a0e5dbf9b
SHA1

d248545e0f652b13356a7f3671215f1bdbb8b874
SHA256

35e3aa85bd1d97eed8a682a6eed57007b040a1b0b67e2e13a97fc3f2d5be37a8
SHA512

91df5115f6e91e51b30bc2c4d6854f53fb15831e2e0c0badb803c2f0721ec7e92ce99f6d60eca93a136c2f3e802fad2a3435cbd06b3c9141ada752f5c1c230cf
SSDEEP

6144:5ZunObR8sVImcyYC5JvY5XlCdraWDgfjrfhartBI+zlbKvCB2txqWwKQ3GdYuxPZ:WK+mzMNE/Ds3fM20lHmYWwH3zuxPnIc

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2904	loadwg.exe
3008	dxcyswg.exe
2132	GTH60369.exe

Loads dropped DLL 11 IoCs

pid	Process
2524	0abcac168e9f57bfeaa19d1a0e5dbf9b.exe
2524	0abcac168e9f57bfeaa19d1a0e5dbf9b.exe
2904	loadwg.exe
2904	loadwg.exe
3008	dxcyswg.exe
3008	dxcyswg.exe
2132	GTH60369.exe
2132	GTH60369.exe
2132	GTH60369.exe
2132	GTH60369.exe
2132	GTH60369.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000014490-7.dat	upx
behavioral1/files/0x000a000000014490-17.dat	upx
behavioral1/memory/3008-24-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral1/files/0x00090000000146c2-18.dat	upx
behavioral1/memory/2904-16-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/2904-48-0x0000000000400000-0x00000000004AC000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2904-48-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mmsfc1.dll	dxcyswg.exe
File opened for modification	C:\Windows\SysWOW64\mmsfc1.dll	dxcyswg.exe
File created	C:\Windows\SysWOW64\comres.dll	dxcyswg.exe
File created	C:\Windows\SysWOW64\GTH60369.exe	dxcyswg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\fOnTs\comres.dll	dxcyswg.exe
File created	C:\Windows\fOnTs\GTH60369.ttf	dxcyswg.exe
File created	C:\Windows\fOnTs\GTH60369.fon	dxcyswg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3008	dxcyswg.exe
2132	GTH60369.exe
2132	GTH60369.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2904	loadwg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2132	GTH60369.exe
2132	GTH60369.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2904	2524	0abcac168e9f57bfeaa19d1a0e5dbf9b.exe	28
PID 2524 wrote to memory of 2904	2524	0abcac168e9f57bfeaa19d1a0e5dbf9b.exe	28
PID 2524 wrote to memory of 2904	2524	0abcac168e9f57bfeaa19d1a0e5dbf9b.exe	28
PID 2524 wrote to memory of 2904	2524	0abcac168e9f57bfeaa19d1a0e5dbf9b.exe	28
PID 2904 wrote to memory of 3008	2904	loadwg.exe	29
PID 2904 wrote to memory of 3008	2904	loadwg.exe	29
PID 2904 wrote to memory of 3008	2904	loadwg.exe	29
PID 2904 wrote to memory of 3008	2904	loadwg.exe	29
PID 3008 wrote to memory of 2132	3008	dxcyswg.exe	30
PID 3008 wrote to memory of 2132	3008	dxcyswg.exe	30
PID 3008 wrote to memory of 2132	3008	dxcyswg.exe	30
PID 3008 wrote to memory of 2132	3008	dxcyswg.exe	30

C:\Users\Admin\AppData\Local\Temp\0abcac168e9f57bfeaa19d1a0e5dbf9b.exe
"C:\Users\Admin\AppData\Local\Temp\0abcac168e9f57bfeaa19d1a0e5dbf9b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\dxcyswg.exe
    dxcyswg.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\SysWOW64\GTH60369.exe
      C:\Windows\system32\GTH60369.exe C:\Windows\fOnTs\comres.dll dns C:\Users\Admin\AppData\Local\Temp\RarSFX0\dxcyswg.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\GTH60369.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\fonts\GTH60369.fon

Filesize
1KB

MD5
8c85422e83d10ab8c86e4a9ec1b95aa9

SHA1
f2d1a343fef3a8425d02ec59a4cbf425089a9dec

SHA256
d99536bf851da3ac049e58f7d974e57442f8575f2035ec3d7258327c1f4958d1

SHA512
9e14ac3a43d99b785322b2859b74250edfdc225d38ef045aef3ddf8aef0ef927ef26c586c0a36d802e70ab8e42e480932e36b2c00d5cc0cb01e78cb789d414ff

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\dxcyswg.exe

Filesize
16KB

MD5
0d728917bfe5d5e43b9683733897e897

SHA1
bcd4babb6fe2dd167d9bd53795dddca2e07830b3

SHA256
91aca432b8b075f56591f9d868fa6164cbf6c85d91efb636757cc17035fc537a

SHA512
afdca009ed96686bcdc69129bc34e54360f9960533f38e618c50a6983bd740f1f946ddb086d360d617ae479cdd2870c0ca33ae163bf979b9628c7851264fd84f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe

Filesize
333KB

MD5
5a74f1a22e11a717cff8bd4f6f18913d

SHA1
459db43f79a38a9d67aeb248328039eb6c77ac43

SHA256
0e32d8dbe4d9861956539fa69bc3475bedcf1d02f42807b651d2d699928c1d6a

SHA512
bee37a8e334329e4e4fb27f4b9850924aeb2a363d93c770af0dc61ac3b5794b5bf1fecf2978c1cd4a2a0d29a645b49bab78d219480680241792062493249ddaa

Download Submit
\Windows\Fonts\GTH60369.ttf

Filesize
30KB

MD5
ba91549a6f570fa4de605d534cba1d31

SHA1
a57c238ae5eb3f6fcb1cfb6c88cefeb9f5a5810b

SHA256
8378e5e71a516af9284c9a6b95d492125a82a9f8f22851409e9ee07d7895dec9

SHA512
ae5b919ebb808e36be49824d73980824229d4980cfd3292d5cb9ef1cf2b0061fc3b74d2dae1e2f3133d4c00030819c177e5d6bddb71006abdc09c016f77cbf64

Download Submit
\Windows\Fonts\comres.dll

Filesize
12KB

MD5
500ed35dd00ab4d97149325645fdda56

SHA1
030821994984093e48acebce7faea6fff894bd39

SHA256
2aae8310f3e8560d5f672a690f49b073b037a2c6f43fc8207443f4194711573f

SHA512
666509f6f3f63fae83e777e9bf7050c1f3eaaeffa60d5a06d0d848cb635a2f7424859504fb93f6885554452be12e35efb1ced317335204b0996cf01dc8fdc33b

Download Submit
\Windows\SysWOW64\mmsfc1.dll

Filesize
40KB

MD5
84799328d87b3091a3bdd251e1ad31f9

SHA1
64dbbe8210049f4d762de22525a7fe4313bf99d0

SHA256
f85521215924388830dbb13580688db70b46af4c7d82d549d09086438f8d237b

SHA512
0a9401c9c687f0edca01258c7920596408934caa21e5392dbaefc222c5c021255a40ec7c114a805cdb7f5a6153ec9fa9592edcc9e45406ce5612aa4e3da6a2c4

Download Submit
memory/2132-42-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/2132-46-0x0000000000130000-0x000000000013E000-memory.dmp

Filesize
56KB

Download
memory/2132-51-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/2524-14-0x0000000003400000-0x00000000034AC000-memory.dmp

Filesize
688KB

Download
memory/2524-15-0x0000000003400000-0x00000000034AC000-memory.dmp

Filesize
688KB

Download
memory/2524-47-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2904-16-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2904-22-0x0000000002490000-0x00000000024DA000-memory.dmp

Filesize
296KB

Download
memory/2904-48-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3008-24-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing