df1813471aca94c82713f4bf15290f1aada4e573f6e1f4d61ec3b1791ac85dfe

General

Target

0c4544cf311ddf6f01d0d299a891a58e.exe
Size

32KB
MD5

0c4544cf311ddf6f01d0d299a891a58e
SHA1

dd6a0886193e7053d912c52862a3bfd1d4a0d32f
SHA256

df1813471aca94c82713f4bf15290f1aada4e573f6e1f4d61ec3b1791ac85dfe
SHA512

87f0aa12e29a7b30848f748289d72d2f615e83756d65e26816cb6f500fb92f902cf13800fd46cab23c7feb0d4945404d036caa86d6f6bfc16c510db53c9d1a1e
SSDEEP

768:nPRDqKPeuoLm14j5CrDM16LQOcx44dxfftn5:PRDqKPe9Lm14jQrDMwQOcxpdxf7

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	0c4544cf311ddf6f01d0d299a891a58e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Windows\\system32\\mst32init.exe"	0c4544cf311ddf6f01d0d299a891a58e.exe

Sets file to hidden 1 TTPs 4 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4008	attrib.exe
4316	attrib.exe
4756	attrib.exe
5056	attrib.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00090000000231e1-6.dat	acprotect

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4144-0-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/4144-5-0x0000000000400000-0x000000000041B000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\netiu1.dll	0c4544cf311ddf6f01d0d299a891a58e.exe
File opened for modification	C:\Windows\SysWOW64\mst32init.exe	0c4544cf311ddf6f01d0d299a891a58e.exe
File opened for modification	C:\Windows\SysWOW64\netiu1.dll	attrib.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\netiu1.dll	attrib.exe
File opened for modification	C:\Windows\netiu1.dll	0c4544cf311ddf6f01d0d299a891a58e.exe
File opened for modification	C:\Windows\	0c4544cf311ddf6f01d0d299a891a58e.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4144	0c4544cf311ddf6f01d0d299a891a58e.exe
4144	0c4544cf311ddf6f01d0d299a891a58e.exe
4144	0c4544cf311ddf6f01d0d299a891a58e.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 4756	4144	0c4544cf311ddf6f01d0d299a891a58e.exe	90
PID 4144 wrote to memory of 4756	4144	0c4544cf311ddf6f01d0d299a891a58e.exe	90
PID 4144 wrote to memory of 4756	4144	0c4544cf311ddf6f01d0d299a891a58e.exe	90
PID 4144 wrote to memory of 5056	4144	0c4544cf311ddf6f01d0d299a891a58e.exe	91
PID 4144 wrote to memory of 5056	4144	0c4544cf311ddf6f01d0d299a891a58e.exe	91
PID 4144 wrote to memory of 5056	4144	0c4544cf311ddf6f01d0d299a891a58e.exe	91
PID 4144 wrote to memory of 4008	4144	0c4544cf311ddf6f01d0d299a891a58e.exe	92
PID 4144 wrote to memory of 4008	4144	0c4544cf311ddf6f01d0d299a891a58e.exe	92
PID 4144 wrote to memory of 4008	4144	0c4544cf311ddf6f01d0d299a891a58e.exe	92
PID 4144 wrote to memory of 4316	4144	0c4544cf311ddf6f01d0d299a891a58e.exe	93
PID 4144 wrote to memory of 4316	4144	0c4544cf311ddf6f01d0d299a891a58e.exe	93
PID 4144 wrote to memory of 4316	4144	0c4544cf311ddf6f01d0d299a891a58e.exe	93

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4756	attrib.exe
5056	attrib.exe
4008	attrib.exe
4316	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0c4544cf311ddf6f01d0d299a891a58e.exe
"C:\Users\Admin\AppData\Local\Temp\0c4544cf311ddf6f01d0d299a891a58e.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Windows\SysWOW64\attrib.exe
  attrib.exe +s +h C:\Windows\netiu1.dll
  2⤵
  - Sets file to hidden
  - Drops file in Windows directory
  - Views/modifies file attributes
  PID:4756
- C:\Windows\SysWOW64\attrib.exe
  attrib.exe +s +h C:\Windows\system32\netiu1.dll
  2⤵
  - Sets file to hidden
  - Drops file in System32 directory
  - Views/modifies file attributes
  PID:5056
- C:\Windows\SysWOW64\attrib.exe
  attrib.exe +s +h C:\Windows\
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:4008
- C:\Windows\SysWOW64\attrib.exe
  attrib.exe +s +h C:\Windows\system32\mst32init.exe
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\netiu1.dll

Filesize
9KB

MD5
b5f25913f5be4429d499070e127035e0

SHA1
7551200a282d4bf3375eb35faea9c07c8329f201

SHA256
0121df6f8191a9226efcf8ceffecfbf85c13df733f077483c9333b8246854f19

SHA512
27b17abbcceab1d8a639192f060fe9b29e237dcb0b96e2b21449de00ed585a0a548106ccce55e27cf2b53c9f68803ef51d4cc491c4523de2b01c706f3bfbde04

Download Submit
memory/4144-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4144-5-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads