d38d0b927b855a3f17aa0e7b97d11fccf019fdcd139d37dc471ac30ab0203636

General

Target

3bfc23f7394066538cccdefa576b9e66.exe
Size

30KB
MD5

3bfc23f7394066538cccdefa576b9e66
SHA1

750cc2fb45cfb4c306d100af2ece88b239510e44
SHA256

d38d0b927b855a3f17aa0e7b97d11fccf019fdcd139d37dc471ac30ab0203636
SHA512

3c64eeac087053165ac473b25bea0af571c473df5167700702dfec4fd51d1f6ef2ad73b5b23de2a783c77da68e0701bd337e3be0fd49bc92309e969e1858193f
SSDEEP

768:DaXQOqwEuHKU1sxu1hf/Z6+rzVehtYRBfukukuI:eXQpurEkhfRVrzMv2

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\beep.sys	3bfc23f7394066538cccdefa576b9e66.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	3bfc23f7394066538cccdefa576b9e66.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000900000001225f-8.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2724	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2688	MayaBabyMain.exe

Loads dropped DLL 2 IoCs

pid	Process
2476	3bfc23f7394066538cccdefa576b9e66.exe
2688	MayaBabyMain.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2476-4-0x0000000000170000-0x000000000017F000-memory.dmp	upx
behavioral1/files/0x000900000001225f-8.dat	upx
behavioral1/memory/2476-10-0x0000000010000000-0x000000001000F000-memory.dmp	upx
behavioral1/files/0x00060000000186ad-13.dat	upx
behavioral1/memory/2688-19-0x0000000010000000-0x000000001000F000-memory.dmp	upx
behavioral1/memory/2688-29-0x0000000010000000-0x000000001000F000-memory.dmp	upx
behavioral1/memory/2688-21-0x0000000000170000-0x000000000017F000-memory.dmp	upx
behavioral1/memory/2476-31-0x0000000010000000-0x000000001000F000-memory.dmp	upx
behavioral1/memory/2476-30-0x0000000000170000-0x000000000017F000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\me.bat	3bfc23f7394066538cccdefa576b9e66.exe
File opened for modification	C:\Windows\SysWOW64\me.bat	attrib.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MayaBaby\MayaBabySYS.dat	3bfc23f7394066538cccdefa576b9e66.exe
File created	C:\Windows\MayaBaby\gaga.bat	3bfc23f7394066538cccdefa576b9e66.exe
File created	C:\Windows\MayaBaby\MayaBabyDll.dat	MayaBabyMain.exe
File opened for modification	C:\Windows\MayaBaby\MayaBabySYS.dat	MayaBabyMain.exe
File opened for modification	C:\Windows\MayaBaby\MayaBabyDll.dat	MayaBabyMain.exe
File created	C:\Windows\MayaBaby\MayaBabyDll.dat	3bfc23f7394066538cccdefa576b9e66.exe
File created	C:\Windows\MayaBaby\MayaBabySYS.dat	3bfc23f7394066538cccdefa576b9e66.exe
File opened for modification	C:\Windows\MayaBaby\MayaBabyDll.dat	3bfc23f7394066538cccdefa576b9e66.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2476	3bfc23f7394066538cccdefa576b9e66.exe
2476	3bfc23f7394066538cccdefa576b9e66.exe
2476	3bfc23f7394066538cccdefa576b9e66.exe
2476	3bfc23f7394066538cccdefa576b9e66.exe
2476	3bfc23f7394066538cccdefa576b9e66.exe
2476	3bfc23f7394066538cccdefa576b9e66.exe
2476	3bfc23f7394066538cccdefa576b9e66.exe
2476	3bfc23f7394066538cccdefa576b9e66.exe
2476	3bfc23f7394066538cccdefa576b9e66.exe
2476	3bfc23f7394066538cccdefa576b9e66.exe
2476	3bfc23f7394066538cccdefa576b9e66.exe
2476	3bfc23f7394066538cccdefa576b9e66.exe
2476	3bfc23f7394066538cccdefa576b9e66.exe
2688	MayaBabyMain.exe
2688	MayaBabyMain.exe
2688	MayaBabyMain.exe
2688	MayaBabyMain.exe
2688	MayaBabyMain.exe
2688	MayaBabyMain.exe
2688	MayaBabyMain.exe
2688	MayaBabyMain.exe
2688	MayaBabyMain.exe
2688	MayaBabyMain.exe
2688	MayaBabyMain.exe
2688	MayaBabyMain.exe
2688	MayaBabyMain.exe
2688	MayaBabyMain.exe
2688	MayaBabyMain.exe
2688	MayaBabyMain.exe
2688	MayaBabyMain.exe
2476	3bfc23f7394066538cccdefa576b9e66.exe
2476	3bfc23f7394066538cccdefa576b9e66.exe
2476	3bfc23f7394066538cccdefa576b9e66.exe
2476	3bfc23f7394066538cccdefa576b9e66.exe
2476	3bfc23f7394066538cccdefa576b9e66.exe
2476	3bfc23f7394066538cccdefa576b9e66.exe
2476	3bfc23f7394066538cccdefa576b9e66.exe
2476	3bfc23f7394066538cccdefa576b9e66.exe
2476	3bfc23f7394066538cccdefa576b9e66.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	3bfc23f7394066538cccdefa576b9e66.exe
Token: SeDebugPrivilege	2688	MayaBabyMain.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2648	2476	3bfc23f7394066538cccdefa576b9e66.exe	28
PID 2476 wrote to memory of 2648	2476	3bfc23f7394066538cccdefa576b9e66.exe	28
PID 2476 wrote to memory of 2648	2476	3bfc23f7394066538cccdefa576b9e66.exe	28
PID 2476 wrote to memory of 2648	2476	3bfc23f7394066538cccdefa576b9e66.exe	28
PID 2648 wrote to memory of 2336	2648	NET.exe	30
PID 2648 wrote to memory of 2336	2648	NET.exe	30
PID 2648 wrote to memory of 2336	2648	NET.exe	30
PID 2648 wrote to memory of 2336	2648	NET.exe	30
PID 2476 wrote to memory of 2828	2476	3bfc23f7394066538cccdefa576b9e66.exe	31
PID 2476 wrote to memory of 2828	2476	3bfc23f7394066538cccdefa576b9e66.exe	31
PID 2476 wrote to memory of 2828	2476	3bfc23f7394066538cccdefa576b9e66.exe	31
PID 2476 wrote to memory of 2828	2476	3bfc23f7394066538cccdefa576b9e66.exe	31
PID 2828 wrote to memory of 2708	2828	NET.exe	33
PID 2828 wrote to memory of 2708	2828	NET.exe	33
PID 2828 wrote to memory of 2708	2828	NET.exe	33
PID 2828 wrote to memory of 2708	2828	NET.exe	33
PID 2688 wrote to memory of 600	2688	MayaBabyMain.exe	24
PID 2476 wrote to memory of 2724	2476	3bfc23f7394066538cccdefa576b9e66.exe	35
PID 2476 wrote to memory of 2724	2476	3bfc23f7394066538cccdefa576b9e66.exe	35
PID 2476 wrote to memory of 2724	2476	3bfc23f7394066538cccdefa576b9e66.exe	35
PID 2476 wrote to memory of 2724	2476	3bfc23f7394066538cccdefa576b9e66.exe	35
PID 2724 wrote to memory of 2572	2724	cmd.exe	37
PID 2724 wrote to memory of 2572	2724	cmd.exe	37
PID 2724 wrote to memory of 2572	2724	cmd.exe	37
PID 2724 wrote to memory of 2572	2724	cmd.exe	37

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2572	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3bfc23f7394066538cccdefa576b9e66.exe
"C:\Users\Admin\AppData\Local\Temp\3bfc23f7394066538cccdefa576b9e66.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\NET.exe
  NET STOP Beep
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP Beep
    3⤵
    PID:2336
- C:\Windows\SysWOW64\NET.exe
  NET START Beep
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 START Beep
    3⤵
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\me.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h -s -r -a C:\Windows\system32\me.bat
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:600

C:\Windows\MayaBaby\MayaBabyMain.exe
C:\Windows\MayaBaby\MayaBabyMain.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MayaBaby\MayaBabyMain.exe

Filesize
30KB

MD5
3bfc23f7394066538cccdefa576b9e66

SHA1
750cc2fb45cfb4c306d100af2ece88b239510e44

SHA256
d38d0b927b855a3f17aa0e7b97d11fccf019fdcd139d37dc471ac30ab0203636

SHA512
3c64eeac087053165ac473b25bea0af571c473df5167700702dfec4fd51d1f6ef2ad73b5b23de2a783c77da68e0701bd337e3be0fd49bc92309e969e1858193f

Download Submit
C:\Windows\SysWOW64\drivers\beep.sys

Filesize
4KB

MD5
43ac3af6639f40f25f66b003e7695667

SHA1
da7c9eac58f128133acef4218996239c73e2985f

SHA256
ccb13a0ef8a7b23a312bc322dc573c4b2ba42d1e124d7cdd63e737842397cc47

SHA512
6458fd3cf3648a0c351b5b4aaab04926ea4bc0bb2d2f39dad30b77cd530f7b5b2b02c6426405d03db70bb671e456b2a93185268a48efce6b375891ae684d1659

Download Submit
C:\Windows\SysWOW64\me.bat

Filesize
137B

MD5
e8ff956afbfb0470769d3f7da36a8aab

SHA1
e1a8c2a93c8fafb08a5f4d30155b1583041dd8fd

SHA256
29354260b272387f0dc104319001c2aa3b36da3b306ef4c83548576212490d4a

SHA512
5bfd047de1c0b45861f4f992149096f04f91f04ba497d1eae51bba54bbe59ab892d4e2d90a14702065ffc982f0ea71c8d21060f7e5356ada24a36cf183f1274f

Download Submit
\Windows\MayaBaby\MayaBabyDll.dat

Filesize
20KB

MD5
65b660c84478ae1598f1bcd64335d7be

SHA1
9da6738993fa5d44d4d13daf71faa26404ae43b2

SHA256
ef52464920f458f69ba6a70a2aa64f3d4c9f5687a9c208b69bd2fff29220d553

SHA512
38e5f16bd5be531b6a0efa7620535e9c5ee9ed97c114b396c849b8ef231616b913eb9b46ae84bb07d5201e97b455033f95c1aa1cfb923152742c56b2a9dfff8a

Download Submit
memory/600-20-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2476-4-0x0000000000170000-0x000000000017F000-memory.dmp

Filesize
60KB

Download
memory/2476-10-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/2476-31-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/2476-30-0x0000000000170000-0x000000000017F000-memory.dmp

Filesize
60KB

Download
memory/2688-19-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/2688-29-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/2688-21-0x0000000000170000-0x000000000017F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing