1d9767c717cf964882515e81ec920448d03a27c308df99cf7629d3912e2ba693

General

Target

57662dbe607c4d5f2f9e18396dfc28e6.exe
Size

64KB
MD5

57662dbe607c4d5f2f9e18396dfc28e6
SHA1

ff4553a86880844ba234ed2a0532cd155559485a
SHA256

1d9767c717cf964882515e81ec920448d03a27c308df99cf7629d3912e2ba693
SHA512

b195e53711c607c6e29fdc7e056f1a30a20d422b7ddb49dedcf6470038fa9c1083d3794bb8fe35870846497224ce497a54335bf2467ffa9f3f0a8ff89485463c
SSDEEP

768:8mhrL1IN5rjgd5GFHKJhYtMJ6lzqtt/8yGHYKP4ehdfcsQq8bcBnzwOJRb:8m11A1Hrt1Rqz0hESfcsD8bcBzRRb

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
2736	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2736	rundll32.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yuksuser.dll	57662dbe607c4d5f2f9e18396dfc28e6.exe
File created	C:\Windows\SysWOW64\dllcache\ksuser.dll	57662dbe607c4d5f2f9e18396dfc28e6.exe
File created	C:\Windows\SysWOW64\yumidimap.dll	57662dbe607c4d5f2f9e18396dfc28e6.exe
File created	C:\Windows\SysWOW64\midimap.dll	57662dbe607c4d5f2f9e18396dfc28e6.exe
File created	C:\Windows\SysWOW64\msimg32.dll	57662dbe607c4d5f2f9e18396dfc28e6.exe
File created	C:\Windows\SysWOW64\dllcache\msimg32.dll	57662dbe607c4d5f2f9e18396dfc28e6.exe
File opened for modification	C:\Windows\SysWOW64\yuksuser.dll	57662dbe607c4d5f2f9e18396dfc28e6.exe
File created	C:\Windows\SysWOW64\ksuser.dll	57662dbe607c4d5f2f9e18396dfc28e6.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	57662dbe607c4d5f2f9e18396dfc28e6.exe
File created	C:\Windows\SysWOW64\yumsimg32.dll	57662dbe607c4d5f2f9e18396dfc28e6.exe
File created	C:\Windows\SysWOW64\sysapp8.dll	57662dbe607c4d5f2f9e18396dfc28e6.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\360\360se3\ksuser.dll	57662dbe607c4d5f2f9e18396dfc28e6.exe
File created	C:\Program Files\360\360se3\midimap.dll	57662dbe607c4d5f2f9e18396dfc28e6.exe
File created	C:\Program Files\360\360se3\msimg32.dll	57662dbe607c4d5f2f9e18396dfc28e6.exe
File created	C:\Program Files\SogouExplorer\ksuser.dll	57662dbe607c4d5f2f9e18396dfc28e6.exe
File created	C:\Program Files\SogouExplorer\midimap.dll	57662dbe607c4d5f2f9e18396dfc28e6.exe
File created	C:\Program Files\Internet Explorer\msimg32.dll	57662dbe607c4d5f2f9e18396dfc28e6.exe
File created	C:\Program Files\Internet Explorer\midimap.dll	57662dbe607c4d5f2f9e18396dfc28e6.exe
File created	C:\Program Files\SogouExplorer\msimg32.dll	57662dbe607c4d5f2f9e18396dfc28e6.exe
File created	C:\Program Files\Internet Explorer\ksuser.dll	57662dbe607c4d5f2f9e18396dfc28e6.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2284	sc.exe
2780	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3024	57662dbe607c4d5f2f9e18396dfc28e6.exe
3024	57662dbe607c4d5f2f9e18396dfc28e6.exe
3024	57662dbe607c4d5f2f9e18396dfc28e6.exe
3024	57662dbe607c4d5f2f9e18396dfc28e6.exe
3024	57662dbe607c4d5f2f9e18396dfc28e6.exe
3024	57662dbe607c4d5f2f9e18396dfc28e6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3024	57662dbe607c4d5f2f9e18396dfc28e6.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2256	3024	57662dbe607c4d5f2f9e18396dfc28e6.exe	28
PID 3024 wrote to memory of 2256	3024	57662dbe607c4d5f2f9e18396dfc28e6.exe	28
PID 3024 wrote to memory of 2256	3024	57662dbe607c4d5f2f9e18396dfc28e6.exe	28
PID 3024 wrote to memory of 2256	3024	57662dbe607c4d5f2f9e18396dfc28e6.exe	28
PID 3024 wrote to memory of 2284	3024	57662dbe607c4d5f2f9e18396dfc28e6.exe	29
PID 3024 wrote to memory of 2284	3024	57662dbe607c4d5f2f9e18396dfc28e6.exe	29
PID 3024 wrote to memory of 2284	3024	57662dbe607c4d5f2f9e18396dfc28e6.exe	29
PID 3024 wrote to memory of 2284	3024	57662dbe607c4d5f2f9e18396dfc28e6.exe	29
PID 3024 wrote to memory of 2780	3024	57662dbe607c4d5f2f9e18396dfc28e6.exe	31
PID 3024 wrote to memory of 2780	3024	57662dbe607c4d5f2f9e18396dfc28e6.exe	31
PID 3024 wrote to memory of 2780	3024	57662dbe607c4d5f2f9e18396dfc28e6.exe	31
PID 3024 wrote to memory of 2780	3024	57662dbe607c4d5f2f9e18396dfc28e6.exe	31
PID 3024 wrote to memory of 2736	3024	57662dbe607c4d5f2f9e18396dfc28e6.exe	34
PID 3024 wrote to memory of 2736	3024	57662dbe607c4d5f2f9e18396dfc28e6.exe	34
PID 3024 wrote to memory of 2736	3024	57662dbe607c4d5f2f9e18396dfc28e6.exe	34
PID 3024 wrote to memory of 2736	3024	57662dbe607c4d5f2f9e18396dfc28e6.exe	34
PID 3024 wrote to memory of 2736	3024	57662dbe607c4d5f2f9e18396dfc28e6.exe	34
PID 3024 wrote to memory of 2736	3024	57662dbe607c4d5f2f9e18396dfc28e6.exe	34
PID 3024 wrote to memory of 2736	3024	57662dbe607c4d5f2f9e18396dfc28e6.exe	34
PID 2256 wrote to memory of 2180	2256	net.exe	35
PID 2256 wrote to memory of 2180	2256	net.exe	35
PID 2256 wrote to memory of 2180	2256	net.exe	35
PID 2256 wrote to memory of 2180	2256	net.exe	35

C:\Users\Admin\AppData\Local\Temp\57662dbe607c4d5f2f9e18396dfc28e6.exe
"C:\Users\Admin\AppData\Local\Temp\57662dbe607c4d5f2f9e18396dfc28e6.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    PID:2180
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2284
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  PID:2780
- C:\Windows\SysWOW64\rundll32.exe
  C:\Users\Admin\AppData\Local\Temp\1705090548.dat, ServerMain c:\users\admin\appdata\local\temp\57662dbe607c4d5f2f9e18396dfc28e6.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1705090548.dat

Filesize
34KB

MD5
da713bf6a31662930b0e4035bd229f11

SHA1
4f8106dcf81a5703d5ad5700b990a9134168a1a7

SHA256
06d8ddd4bc61981ce0d1cd2d5642f12427c034be0050dc4af75874b066f1b579

SHA512
4b6df3dc00ea1568d20f2433dba2bbd7986b3e72bd09de64b2aafed41db4040820d6530d220d57507b5ffba3354238cab1cfe29684f386566417a3865acd641d

Download Submit

Analysis

Sharing