e4d2487ee0cc6e27b50e246c5bcb78101824f243f75798ee393c095748d00caf

General

Target

e4d2487ee0cc6e27b50e246c5bcb78101824f243f75798ee393c095748d00caf.exe
Size

11.6MB
MD5

9828527b85941dab905f7e18fb96e09c
SHA1

c958c29fc7a1fed97dd0736404586fd866cfe7bc
SHA256

e4d2487ee0cc6e27b50e246c5bcb78101824f243f75798ee393c095748d00caf
SHA512

9a61ba4b29bc7f30441e198bba894c5e9ad72763b7420e3f917dba082ec926526122bfca0b8f8b0292aa0cc6b3b8e1a3ddcb7765a257f1a03cd53828c10fb80d
SSDEEP

196608:f+yOlYxYts8JwqqQ7TP4T6Ar2TDeSiyA5gQfvyM2/pjRqpfqCS9YvtxBKU:YpU5Q7TP4O3TDhx4fP2/X+fql96PBKU

Score

8^/10

evasion upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
4084	netsh.exe
3948	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
1860	run.dat

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4792-0-0x0000000000400000-0x0000000001297000-memory.dmp	upx
behavioral2/memory/4792-9-0x0000000000400000-0x0000000001297000-memory.dmp	upx
behavioral2/files/0x0007000000023208-7.dat	upx
behavioral2/memory/1860-21-0x0000000000610000-0x0000000000EE6000-memory.dmp	upx
behavioral2/memory/1860-641-0x0000000000610000-0x0000000000EE6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4792	e4d2487ee0cc6e27b50e246c5bcb78101824f243f75798ee393c095748d00caf.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 1860	4792	e4d2487ee0cc6e27b50e246c5bcb78101824f243f75798ee393c095748d00caf.exe	46
PID 4792 wrote to memory of 1860	4792	e4d2487ee0cc6e27b50e246c5bcb78101824f243f75798ee393c095748d00caf.exe	46
PID 4792 wrote to memory of 1860	4792	e4d2487ee0cc6e27b50e246c5bcb78101824f243f75798ee393c095748d00caf.exe	46
PID 4792 wrote to memory of 1860	4792	e4d2487ee0cc6e27b50e246c5bcb78101824f243f75798ee393c095748d00caf.exe	46
PID 4792 wrote to memory of 1860	4792	e4d2487ee0cc6e27b50e246c5bcb78101824f243f75798ee393c095748d00caf.exe	46
PID 4792 wrote to memory of 1860	4792	e4d2487ee0cc6e27b50e246c5bcb78101824f243f75798ee393c095748d00caf.exe	46
PID 4792 wrote to memory of 1860	4792	e4d2487ee0cc6e27b50e246c5bcb78101824f243f75798ee393c095748d00caf.exe	46
PID 4792 wrote to memory of 1860	4792	e4d2487ee0cc6e27b50e246c5bcb78101824f243f75798ee393c095748d00caf.exe	46
PID 4792 wrote to memory of 1860	4792	e4d2487ee0cc6e27b50e246c5bcb78101824f243f75798ee393c095748d00caf.exe	46
PID 4792 wrote to memory of 1860	4792	e4d2487ee0cc6e27b50e246c5bcb78101824f243f75798ee393c095748d00caf.exe	46
PID 4792 wrote to memory of 1860	4792	e4d2487ee0cc6e27b50e246c5bcb78101824f243f75798ee393c095748d00caf.exe	46
PID 4792 wrote to memory of 1860	4792	e4d2487ee0cc6e27b50e246c5bcb78101824f243f75798ee393c095748d00caf.exe	46
PID 4792 wrote to memory of 1860	4792	e4d2487ee0cc6e27b50e246c5bcb78101824f243f75798ee393c095748d00caf.exe	46
PID 4792 wrote to memory of 1860	4792	e4d2487ee0cc6e27b50e246c5bcb78101824f243f75798ee393c095748d00caf.exe	46
PID 4792 wrote to memory of 1860	4792	e4d2487ee0cc6e27b50e246c5bcb78101824f243f75798ee393c095748d00caf.exe	46
PID 4792 wrote to memory of 1860	4792	e4d2487ee0cc6e27b50e246c5bcb78101824f243f75798ee393c095748d00caf.exe	46
PID 4792 wrote to memory of 1860	4792	e4d2487ee0cc6e27b50e246c5bcb78101824f243f75798ee393c095748d00caf.exe	46

C:\Users\Admin\AppData\Local\Temp\e4d2487ee0cc6e27b50e246c5bcb78101824f243f75798ee393c095748d00caf.exe
"C:\Users\Admin\AppData\Local\Temp\e4d2487ee0cc6e27b50e246c5bcb78101824f243f75798ee393c095748d00caf.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Users\Admin\AppData\Local\Temp\run.dat
  .\run.dat
  2⤵
  - Executes dropped EXE
  PID:1860
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall delete rule name="¸ßÐÔÄÜ·´¹ÒÍø¹Ø·þÎñ(FLAGS)"
    3⤵
    PID:1016
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name="¸ßÐÔÄÜ·´¹ÒÍø¹Ø·þÎñ(FLAGS)"
      4⤵
      Modifies Windows Firewall
      PID:4084
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall add rule name = "¸ßÐÔÄÜ·´¹ÒÍø¹Ø·þÎñ(FLAGS)" dir=in action=allow protocol=TCP localport=any localip=any remoteip=any profile=any program="C:\Users\Admin\AppData\Local\Temp\run.dat"
    3⤵
    PID:2832

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name = "¸ßÐÔÄÜ·´¹ÒÍø¹Ø·þÎñ(FLAGS)" dir=in action=allow protocol=TCP localport=any localip=any remoteip=any profile=any program="C:\Users\Admin\AppData\Local\Temp\run.dat"
1⤵
- Modifies Windows Firewall
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1860-15-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/1860-16-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/1860-14-0x0000000000EF0000-0x00000000013E4000-memory.dmp

Filesize
5.0MB

Download
memory/1860-21-0x0000000000610000-0x0000000000EE6000-memory.dmp

Filesize
8.8MB

Download
memory/1860-554-0x0000000000EF0000-0x00000000013E4000-memory.dmp

Filesize
5.0MB

Download
memory/1860-641-0x0000000000610000-0x0000000000EE6000-memory.dmp

Filesize
8.8MB

Download
memory/4792-0-0x0000000000400000-0x0000000001297000-memory.dmp

Filesize
14.6MB

Download
memory/4792-1-0x0000000010000000-0x0000000010BC7000-memory.dmp

Filesize
11.8MB

Download
memory/4792-17-0x0000000010000000-0x0000000010BC7000-memory.dmp

Filesize
11.8MB

Download
memory/4792-9-0x0000000000400000-0x0000000001297000-memory.dmp

Filesize
14.6MB

Download
memory/4792-6-0x0000000010000000-0x0000000010BC7000-memory.dmp

Filesize
11.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads