cc30d0840f3109070e558d8c9fc113fc582e8ef91344c74e360ebbe1a62df319

General

Target

7403f55d628688afbfd7e05cd5c27745.exe
Size

108KB
MD5

7403f55d628688afbfd7e05cd5c27745
SHA1

db263c0be17efc4c7b53b9badb96df7cfeb4761c
SHA256

cc30d0840f3109070e558d8c9fc113fc582e8ef91344c74e360ebbe1a62df319
SHA512

212408a2293ee837da24bab9584adbe46c5d00a751143088a0d57c71b31e2c05fc26e0bbf7a8886d67dc2cfca1053689cd85e0c00b2df6c5e570d2e4423b6fa1
SSDEEP

3072:ed1qCcXqjW4yRq4XrCoa/5c268NsQA+inB1qpfYU8:edaOjy8Smo1260Q+iB18fY

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2496	7403f55d628688afbfd7e05cd5c27745.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2496-0-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/files/0x0007000000014fa0-14.dat	upx
behavioral1/memory/2496-33-0x0000000000400000-0x0000000000448000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\inf\Https.dll	7403f55d628688afbfd7e05cd5c27745.exe
File opened for modification	C:\Windows\inf\Https.dll	7403f55d628688afbfd7e05cd5c27745.exe
File created	C:\Windows\inf\Https.pnf	7403f55d628688afbfd7e05cd5c27745.exe
File created	C:\Windows\IME\helps.txt	7403f55d628688afbfd7e05cd5c27745.exe
File created	C:\Windows\inf\Wdica.sys	7403f55d628688afbfd7e05cd5c27745.exe
File opened for modification	C:\Windows\inf\Https.hiv	7403f55d628688afbfd7e05cd5c27745.exe
File opened for modification	C:\Windows\inf\Https.sys	7403f55d628688afbfd7e05cd5c27745.exe
File opened for modification	C:\Windows\inf\ws2hlp.PNF	7403f55d628688afbfd7e05cd5c27745.exe
File created	C:\Windows\inf\Wdica.hiv	7403f55d628688afbfd7e05cd5c27745.exe
File created	C:\Windows\inf\Https.hiv	7403f55d628688afbfd7e05cd5c27745.exe
File created	C:\Windows\inf\ws2hlp.PNF	7403f55d628688afbfd7e05cd5c27745.exe
File opened for modification	C:\Windows\inf\Https.pnf	7403f55d628688afbfd7e05cd5c27745.exe
File opened for modification	C:\Windows\inf\Wdica.sys	7403f55d628688afbfd7e05cd5c27745.exe
File opened for modification	C:\Windows\inf\Wdica.hiv	7403f55d628688afbfd7e05cd5c27745.exe
File created	C:\Windows\inf\Https.sys	7403f55d628688afbfd7e05cd5c27745.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2496	7403f55d628688afbfd7e05cd5c27745.exe
2496	7403f55d628688afbfd7e05cd5c27745.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2496	7403f55d628688afbfd7e05cd5c27745.exe
2496	7403f55d628688afbfd7e05cd5c27745.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2496	7403f55d628688afbfd7e05cd5c27745.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeSystemProfilePrivilege	2496	7403f55d628688afbfd7e05cd5c27745.exe
Token: SeTakeOwnershipPrivilege	2496	7403f55d628688afbfd7e05cd5c27745.exe
Token: SeSecurityPrivilege	2496	7403f55d628688afbfd7e05cd5c27745.exe
Token: SeBackupPrivilege	2496	7403f55d628688afbfd7e05cd5c27745.exe
Token: SeRestorePrivilege	2496	7403f55d628688afbfd7e05cd5c27745.exe
Token: SeMachineAccountPrivilege	2496	7403f55d628688afbfd7e05cd5c27745.exe
Token: SeChangeNotifyPrivilege	2496	7403f55d628688afbfd7e05cd5c27745.exe
Token: SeLoadDriverPrivilege	2496	7403f55d628688afbfd7e05cd5c27745.exe
Token: SeDebugPrivilege	2496	7403f55d628688afbfd7e05cd5c27745.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Wdica	7403f55d628688afbfd7e05cd5c27745.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Wdica\ImagePath = "inf\\Wdica.sys"	7403f55d628688afbfd7e05cd5c27745.exe

C:\Users\Admin\AppData\Local\Temp\7403f55d628688afbfd7e05cd5c27745.exe
"C:\Users\Admin\AppData\Local\Temp\7403f55d628688afbfd7e05cd5c27745.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\inf\Https.dll

Filesize
129KB

MD5
725b2bca81693a0f6c6fa53bbd70b43a

SHA1
94bc84e3aec060ad304a95c7ee9f711ac229c4f9

SHA256
70536818eed11a42358234c12b841fadc35b368df32f51766b0abc780a510e4e

SHA512
93d711f0aaa80a22e9ab38d03e1bac50b3f12260daefd5f76e4ce742590d7b18f0c71619137103001ffea95a0f97b7e9fe47f4969b80d56af4cbe05b765d66e5

Download Submit
C:\Windows\inf\Https.sys

Filesize
16KB

MD5
2de012f51bb1405de2a0252b9ee956d1

SHA1
82ce85a4353bad2a76c50f475de51bd4b5aeb226

SHA256
54cba28e4813b9e3ee154d68bb77b9b5c14aa0a74549cdbfbbabeeb86ccf17fb

SHA512
c7fe6206ea3f3632a19f6c788c77d1d2bc304170b9ebabdc9d398f01e145a8af7ab17973afa3be0c390c2a2e3c3d61babbecbdba504a2b51502d5ff372e79a48

Download Submit
\Windows\IME\helps.txt

Filesize
40KB

MD5
84799328d87b3091a3bdd251e1ad31f9

SHA1
64dbbe8210049f4d762de22525a7fe4313bf99d0

SHA256
f85521215924388830dbb13580688db70b46af4c7d82d549d09086438f8d237b

SHA512
0a9401c9c687f0edca01258c7920596408934caa21e5392dbaefc222c5c021255a40ec7c114a805cdb7f5a6153ec9fa9592edcc9e45406ce5612aa4e3da6a2c4

Download Submit
memory/2496-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2496-33-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing