8dc8690323b9905db8c8b68d47287ca9aa6c1c3793afd882e085da5020d9b7c2

General

Target

3cdd56ad474ebef40f70b209d6bb5415.exe
Size

300KB
MD5

3cdd56ad474ebef40f70b209d6bb5415
SHA1

7f03cfa41b6abe440738a2c824b67b1ec16c7205
SHA256

8dc8690323b9905db8c8b68d47287ca9aa6c1c3793afd882e085da5020d9b7c2
SHA512

b925fe7e3bacac9042636fd6fb5bf57d90aa17847d88caf6a7edc411f759178d225c8d0da0c13a380892cc888ebe46608a4eb21c3925746905c1df4fa466bb2a
SSDEEP

6144:lxcGs0RLkFpzB/Zz92IzuSqVkATxeBVmLotzbE3r9yDQvM:BRLkfzBRR2+akFvmLot/E3g80

Score

8^/10

persistence vmprotect

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AlYacEventDcomRemote\Parameters\ServiceDll = "C:\\Windows\\system32\\npkcored.dll"	3cdd56ad474ebef40f70b209d6bb5415.exe

Deletes itself 1 IoCs

pid	Process
776	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1748	svchost.exe

Unexpected DNS network traffic destination 6 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	67.43.173.8
Destination IP	67.43.161.211
Destination IP	202.30.143.11
Destination IP	203.240.193.11
Destination IP	67.43.173.7
Destination IP	67.43.161.221

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1748-38-0x0000000000260000-0x0000000000277000-memory.dmp	vmprotect

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\npkcored.dll	3cdd56ad474ebef40f70b209d6bb5415.exe
File created	C:\Windows\SysWOW64\npkcored.dll	3cdd56ad474ebef40f70b209d6bb5415.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2672	3cdd56ad474ebef40f70b209d6bb5415.exe
2672	3cdd56ad474ebef40f70b209d6bb5415.exe
1748	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2672	3cdd56ad474ebef40f70b209d6bb5415.exe
Token: SeDebugPrivilege	2672	3cdd56ad474ebef40f70b209d6bb5415.exe
Token: SeDebugPrivilege	2672	3cdd56ad474ebef40f70b209d6bb5415.exe
Token: SeDebugPrivilege	2672	3cdd56ad474ebef40f70b209d6bb5415.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 776	2672	3cdd56ad474ebef40f70b209d6bb5415.exe	30
PID 2672 wrote to memory of 776	2672	3cdd56ad474ebef40f70b209d6bb5415.exe	30
PID 2672 wrote to memory of 776	2672	3cdd56ad474ebef40f70b209d6bb5415.exe	30
PID 2672 wrote to memory of 776	2672	3cdd56ad474ebef40f70b209d6bb5415.exe	30

C:\Users\Admin\AppData\Local\Temp\3cdd56ad474ebef40f70b209d6bb5415.exe
"C:\Users\Admin\AppData\Local\Temp\3cdd56ad474ebef40f70b209d6bb5415.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\\259471002.bat
  2⤵
  - Deletes itself
  PID:776

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259471002.bat

Filesize
238B

MD5
ef89d83f00c613176358102835068787

SHA1
aaf39582f41a84e093ec428b4fc206a77df81434

SHA256
7bf6562d96b11ad11649efa316022bda5916f20523f8a44ba4cce7e49bd232b9

SHA512
897ac54d7084540920cffdee98a42717f6c95f033fa9ed4eb71f249461e3b2218774d0d82ad9b630f26d09167f6d1d38b94b0c503571b3078318cb74befef696

Download Submit
\Windows\SysWOW64\npkcored.dll

Filesize
212KB

MD5
230be104dc38d7f63793602c5e27ff8f

SHA1
f304dd54c3362524b2f6a997e84160c71ae40e48

SHA256
8aa166be69cdcaba12bd3d70a06af8e3717d06372dd39b9812050f304d4147de

SHA512
2c141dcb2333080abe1077096d183875d7cfde6fa9d55506414e86c11c2ab5f244d9fa4c48dcea8e59586d680f460d19019d3db6e8e6c3efb9109134a9fc72ce

Download Submit
memory/1748-33-0x0000000010000000-0x0000000010068000-memory.dmp

Filesize
416KB

Download
memory/1748-38-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/1748-65-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/1748-49-0x0000000000C70000-0x0000000000C80000-memory.dmp

Filesize
64KB

Download
memory/1748-51-0x0000000000C70000-0x0000000000C80000-memory.dmp

Filesize
64KB

Download
memory/1748-64-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/1748-28-0x0000000010000000-0x0000000010068000-memory.dmp

Filesize
416KB

Download
memory/1748-63-0x0000000010000000-0x0000000010068000-memory.dmp

Filesize
416KB

Download
memory/2672-4-0x0000000010000000-0x0000000010068000-memory.dmp

Filesize
416KB

Download
memory/2672-35-0x0000000010000000-0x0000000010068000-memory.dmp

Filesize
416KB

Download
memory/2672-0-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2672-32-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2672-1-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2672-11-0x0000000010000000-0x0000000010068000-memory.dmp

Filesize
416KB

Download
memory/2672-21-0x0000000010000000-0x0000000010068000-memory.dmp

Filesize
416KB

Download
memory/2672-20-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2672-15-0x0000000010000000-0x0000000010068000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads