fcf273f94cf146e08a8dbcbeb76e5c67f97603b67e0c00f8c989c532632c3d3a

General

Target

13a0191046fdaef1c8c10f165de77173.exe
Size

1.0MB
MD5

13a0191046fdaef1c8c10f165de77173
SHA1

320d1cead00e58e4497c706f09339bf203ee25e7
SHA256

fcf273f94cf146e08a8dbcbeb76e5c67f97603b67e0c00f8c989c532632c3d3a
SHA512

bbfdb64f9371d08348a4a1c4e004a244cabe37023ac684f799c8b94216cfd4b7aa29fa12a08fb7ae838ce0fb5043483c7210663f57a575cdee46cf671a003761
SSDEEP

24576:NSZKh8TmUI69QIzgKdylns+mbAX8EbmjLViNxbL6pH:NS0+TSmcK07NboLVcbuJ

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6A807N6-42DF-4W02-93E5-B156B3FA8AL1}	KB923810.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6A807N6-42DF-4W02-93E5-B156B3FA8AL1}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\KB923810.exe"	KB923810.exe

Executes dropped EXE 4 IoCs

pid	Process
1092	WindowsXP-KB923810-x86-ENU.exe
2192	KB923810.exe
2720	update.exe
2604	KB923810.exe

Loads dropped DLL 14 IoCs

pid	Process
1684	13a0191046fdaef1c8c10f165de77173.exe
1684	13a0191046fdaef1c8c10f165de77173.exe
1684	13a0191046fdaef1c8c10f165de77173.exe
1092	WindowsXP-KB923810-x86-ENU.exe
1092	WindowsXP-KB923810-x86-ENU.exe
1092	WindowsXP-KB923810-x86-ENU.exe
1092	WindowsXP-KB923810-x86-ENU.exe
1092	WindowsXP-KB923810-x86-ENU.exe
2720	update.exe
2720	update.exe
2720	update.exe
2720	update.exe
2192	KB923810.exe
2192	KB923810.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1684-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1684-20-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\KB923810 = "C:\\Users\\Admin\\AppData\\Roaming\\KB923810.exe"	KB923810.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\setupapi.log	update.exe
File opened for modification	\??\c:\windows\KB923810.log	update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2720	update.exe
Token: SeRestorePrivilege	2720	update.exe
Token: SeRestorePrivilege	2720	update.exe
Token: SeRestorePrivilege	2720	update.exe
Token: SeRestorePrivilege	2720	update.exe
Token: SeRestorePrivilege	2720	update.exe
Token: SeRestorePrivilege	2720	update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1684	13a0191046fdaef1c8c10f165de77173.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1092	1684	13a0191046fdaef1c8c10f165de77173.exe	31
PID 1684 wrote to memory of 1092	1684	13a0191046fdaef1c8c10f165de77173.exe	31
PID 1684 wrote to memory of 1092	1684	13a0191046fdaef1c8c10f165de77173.exe	31
PID 1684 wrote to memory of 1092	1684	13a0191046fdaef1c8c10f165de77173.exe	31
PID 1684 wrote to memory of 1092	1684	13a0191046fdaef1c8c10f165de77173.exe	31
PID 1684 wrote to memory of 1092	1684	13a0191046fdaef1c8c10f165de77173.exe	31
PID 1684 wrote to memory of 1092	1684	13a0191046fdaef1c8c10f165de77173.exe	31
PID 1684 wrote to memory of 2192	1684	13a0191046fdaef1c8c10f165de77173.exe	30
PID 1684 wrote to memory of 2192	1684	13a0191046fdaef1c8c10f165de77173.exe	30
PID 1684 wrote to memory of 2192	1684	13a0191046fdaef1c8c10f165de77173.exe	30
PID 1684 wrote to memory of 2192	1684	13a0191046fdaef1c8c10f165de77173.exe	30
PID 1092 wrote to memory of 2720	1092	WindowsXP-KB923810-x86-ENU.exe	28
PID 1092 wrote to memory of 2720	1092	WindowsXP-KB923810-x86-ENU.exe	28
PID 1092 wrote to memory of 2720	1092	WindowsXP-KB923810-x86-ENU.exe	28
PID 1092 wrote to memory of 2720	1092	WindowsXP-KB923810-x86-ENU.exe	28
PID 1092 wrote to memory of 2720	1092	WindowsXP-KB923810-x86-ENU.exe	28
PID 1092 wrote to memory of 2720	1092	WindowsXP-KB923810-x86-ENU.exe	28
PID 1092 wrote to memory of 2720	1092	WindowsXP-KB923810-x86-ENU.exe	28
PID 2192 wrote to memory of 2604	2192	KB923810.exe	29
PID 2192 wrote to memory of 2604	2192	KB923810.exe	29
PID 2192 wrote to memory of 2604	2192	KB923810.exe	29
PID 2192 wrote to memory of 2604	2192	KB923810.exe	29

C:\Users\Admin\AppData\Local\Temp\13a0191046fdaef1c8c10f165de77173.exe
"C:\Users\Admin\AppData\Local\Temp\13a0191046fdaef1c8c10f165de77173.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\KB923810.exe
  "C:\Users\Admin\AppData\Local\Temp\KB923810.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2192
- C:\Users\Admin\AppData\Local\Temp\WindowsXP-KB923810-x86-ENU.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsXP-KB923810-x86-ENU.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1092

\??\c:\1af7b7bef1eb0a28226463\update\update.exe
c:\1af7b7bef1eb0a28226463\update\update.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Users\Admin\AppData\Roaming\KB923810.exe
C:\Users\Admin\AppData\Roaming\KB923810.exe
1⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KB923810.exe

Filesize
34KB

MD5
ef2e650567d583edfc3510d667ae4425

SHA1
df8957446460081dbd9ec728a30a303bc328dcfb

SHA256
ab46880ebcf5527781ef7623676ae808b72134ccb62f640bf888cb3b66ebe08c

SHA512
2c6d568e28f02a8b3e3737ba9653956b3e55b48d3e9d2ca463a0479d86b6937d134df46ec4d126d5740744e7245ce4f7ba27890d40b4069f74f1970c747b6a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsXP-KB923810-x86-ENU.exe

Filesize
385KB

MD5
2c83a41da9ae1bebf97a911a4d46df4b

SHA1
df9da59ec6f10592012097031b076b7d054019d5

SHA256
2c87cfef2833ec22c5c3a0d49ab8c270b80a4ff674ae1c80ca147abf08eaabdf

SHA512
ab3b2698eea154b2c75988cde0a35023e75fd6ff6042f3375e9188d3b43f4975a2dbd2652fd030e22b230f82c55b3aab8f35b2556d9ed04b9ee4ce9fd277e7ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsXP-KB923810-x86-ENU.exe

Filesize
988KB

MD5
a2d27a703f93c860e842af732ff3d93f

SHA1
46be23c83042463c51e0675b23b4ec7cc2af0055

SHA256
3379a3d1462bb1e9373dedb58e0da94975c2a5619223a6c227f82b761c03e2f8

SHA512
fdd93909683c21e9c15970ea9c04ef5dfd7de71e601d2c4d1ca6107c638eee959f461c95b5424d02b1068c932827682c07108ac2601510ff35a7684dac5aabf2

Download Submit
memory/1684-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1684-21-0x0000000013140000-0x0000000013201000-memory.dmp

Filesize
772KB

Download
memory/1684-20-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1684-19-0x0000000013140000-0x0000000013201000-memory.dmp

Filesize
772KB

Download
memory/2192-89-0x0000000076090000-0x0000000076130000-memory.dmp

Filesize
640KB

Download
memory/2192-101-0x0000000076090000-0x0000000076130000-memory.dmp

Filesize
640KB

Download
memory/2192-102-0x0000000076BB0000-0x0000000076CC0000-memory.dmp

Filesize
1.1MB

Download
memory/2192-99-0x0000000013140000-0x0000000013200D97-memory.dmp

Filesize
771KB

Download
memory/2192-88-0x0000000076BB0000-0x0000000076CC0000-memory.dmp

Filesize
1.1MB

Download
memory/2192-25-0x0000000013140000-0x0000000013200D97-memory.dmp

Filesize
771KB

Download
memory/2604-100-0x0000000013140000-0x0000000013200D97-memory.dmp

Filesize
771KB

Download
memory/2604-103-0x0000000013140000-0x0000000013200D97-memory.dmp

Filesize
771KB

Download
memory/2604-104-0x0000000076090000-0x0000000076130000-memory.dmp

Filesize
640KB

Download
memory/2604-105-0x0000000076BB0000-0x0000000076CC0000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads