f81be373525b0fac9f00bd0fef534193c46a2834cf0ea6179f2792edfc2a6b2d

General

Target

3df24492f8cae6cc0273e84be76f0bf3.exe
Size

202KB
MD5

3df24492f8cae6cc0273e84be76f0bf3
SHA1

bf823f1f976b0d85a80131f0b3e5d95e7af8faa2
SHA256

f81be373525b0fac9f00bd0fef534193c46a2834cf0ea6179f2792edfc2a6b2d
SHA512

b4f40579c4047c5c7d3a6c42dcda899ea265c40ea3708c92ff26a229d4ffa93503c3920d38ecea12c3e8b604ad3fccd7f2a3bd0d541869878e1c385085753688
SSDEEP

6144:/PoSstLvdU79TYIOy7jxSbdPvBAYOnVXFugjOBoS:XoSsxV28y7j2V+gBoS

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Active Setup\Installed Components	Explorer.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1372-0-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/memory/1372-67-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1372	3df24492f8cae6cc0273e84be76f0bf3.exe
Token: SeShutdownPrivilege	512	Explorer.exe
Token: SeCreatePagefilePrivilege	512	Explorer.exe
Token: SeShutdownPrivilege	512	Explorer.exe
Token: SeCreatePagefilePrivilege	512	Explorer.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 512	1372	3df24492f8cae6cc0273e84be76f0bf3.exe	18
PID 1372 wrote to memory of 512	1372	3df24492f8cae6cc0273e84be76f0bf3.exe	18

C:\Users\Admin\AppData\Local\Temp\3df24492f8cae6cc0273e84be76f0bf3.exe
"C:\Users\Admin\AppData\Local\Temp\3df24492f8cae6cc0273e84be76f0bf3.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Windows\Explorer.exe
  "C:\Windows\Explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Suspicious use of AdjustPrivilegeToken
  PID:512

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2044

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4116

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3528

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4468

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4056

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4684

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BHN90SAO\microsoft.windows[1].xml

Filesize
97B

MD5
a49784c6007e88174d13fd2a1d1603c8

SHA1
96351722a846ad8a396b7cd3285ac30a8edf3768

SHA256
bf97a280596c60fa7130725b7426e7cd5ccfb759c909b5ef0b1575df2654ca91

SHA512
b0c5f6550c560e3bee33be9261bee95a006cd63a57d56b3a4b6c3c8f9ca2c6f222bfd2e8933e663f4b644457b48eb638160c8b9a6814b47a3fd4760f74f825ec

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133486185883226437.txt

Filesize
74KB

MD5
3f40d58aecd65a337082df85fadace28

SHA1
ebea42cb95680b5222615005a0df07b47acc764a

SHA256
e7d744912df0891c86693a9e5f0767a71f12616bd35c5e1a857bbabcd694e432

SHA512
b885265e7d98fe1dc92fe32e1e681f39a6f6ba8119a651b3307875095e89b17bc89912b6197ebc1f93dbd9c5dcbea2769d0b39855ba799d5bbf9e0ef24a8638a

Download Submit
memory/512-3-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/1372-127-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1372-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1372-67-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1372-1-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/3528-32-0x00000207635F0000-0x0000020763610000-memory.dmp

Filesize
128KB

Download
memory/3528-36-0x00000207639C0000-0x00000207639E0000-memory.dmp

Filesize
128KB

Download
memory/3528-34-0x00000207635B0000-0x00000207635D0000-memory.dmp

Filesize
128KB

Download
memory/4056-94-0x000001BFC21A0000-0x000001BFC21C0000-memory.dmp

Filesize
128KB

Download
memory/4056-92-0x000001BFC1D90000-0x000001BFC1DB0000-memory.dmp

Filesize
128KB

Download
memory/4056-90-0x000001BFC1DD0000-0x000001BFC1DF0000-memory.dmp

Filesize
128KB

Download
memory/4116-16-0x0000022D05B00000-0x0000022D05B20000-memory.dmp

Filesize
128KB

Download
memory/4116-12-0x0000022D054E0000-0x0000022D05500000-memory.dmp

Filesize
128KB

Download
memory/4116-9-0x0000022D05520000-0x0000022D05540000-memory.dmp

Filesize
128KB

Download
memory/4468-53-0x0000029D26B00000-0x0000029D26B20000-memory.dmp

Filesize
128KB

Download
memory/4468-57-0x0000029D26EC0000-0x0000029D26EE0000-memory.dmp

Filesize
128KB

Download
memory/4468-55-0x0000029D267B0000-0x0000029D267D0000-memory.dmp

Filesize
128KB

Download
memory/4684-114-0x0000020D03290000-0x0000020D032B0000-memory.dmp

Filesize
128KB

Download
memory/4684-117-0x0000020D038A0000-0x0000020D038C0000-memory.dmp

Filesize
128KB

Download
memory/4684-112-0x0000020D032D0000-0x0000020D032F0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads