6a9ec3ae49dfab6ea45e73634dafd30ed07c8e637722821a1aa699b0d3f4ce0b

General

Target

7ab8a9ca2e3b444553a9d68efae8408c.exe
Size

34KB
MD5

7ab8a9ca2e3b444553a9d68efae8408c
SHA1

16d7c7cd93c62fbf1db63debabf301e3f6396a3d
SHA256

6a9ec3ae49dfab6ea45e73634dafd30ed07c8e637722821a1aa699b0d3f4ce0b
SHA512

c9ea4659d1d05c7155f84e35accbd32fde35788d20035d6ccb3426e451439f2167c9640689c31491a3483b4662890c3e085f015c921c0979a41a2cbbfcae0d92
SSDEEP

768:ZVd51InrypdFX6fxp8QVCd1YiiuzAD+/CGqcq45aJIZEinmQwJ7:VaoWNY1YixzgQ6IDF67

Score

8^/10

evasion upx

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
2836	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2836	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2204-0-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2204-9-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ksuser.dll	7ab8a9ca2e3b444553a9d68efae8408c.exe
File created	C:\Windows\SysWOW64\dllcache\ksuser.dll	7ab8a9ca2e3b444553a9d68efae8408c.exe
File created	C:\Windows\SysWOW64\YUmidimap.dll	7ab8a9ca2e3b444553a9d68efae8408c.exe
File created	C:\Windows\SysWOW64\midimap.dll	7ab8a9ca2e3b444553a9d68efae8408c.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	7ab8a9ca2e3b444553a9d68efae8408c.exe
File created	C:\Windows\SysWOW64\sysapp1.dll	7ab8a9ca2e3b444553a9d68efae8408c.exe
File created	C:\Windows\SysWOW64\YUksuser.dll	7ab8a9ca2e3b444553a9d68efae8408c.exe
File opened for modification	C:\Windows\SysWOW64\YUksuser.dll	7ab8a9ca2e3b444553a9d68efae8408c.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2272	sc.exe
340	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2204	7ab8a9ca2e3b444553a9d68efae8408c.exe
2204	7ab8a9ca2e3b444553a9d68efae8408c.exe
2204	7ab8a9ca2e3b444553a9d68efae8408c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2204	7ab8a9ca2e3b444553a9d68efae8408c.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2244	2204	7ab8a9ca2e3b444553a9d68efae8408c.exe	28
PID 2204 wrote to memory of 2244	2204	7ab8a9ca2e3b444553a9d68efae8408c.exe	28
PID 2204 wrote to memory of 2244	2204	7ab8a9ca2e3b444553a9d68efae8408c.exe	28
PID 2204 wrote to memory of 2244	2204	7ab8a9ca2e3b444553a9d68efae8408c.exe	28
PID 2204 wrote to memory of 340	2204	7ab8a9ca2e3b444553a9d68efae8408c.exe	29
PID 2204 wrote to memory of 340	2204	7ab8a9ca2e3b444553a9d68efae8408c.exe	29
PID 2204 wrote to memory of 340	2204	7ab8a9ca2e3b444553a9d68efae8408c.exe	29
PID 2204 wrote to memory of 340	2204	7ab8a9ca2e3b444553a9d68efae8408c.exe	29
PID 2204 wrote to memory of 2272	2204	7ab8a9ca2e3b444553a9d68efae8408c.exe	31
PID 2204 wrote to memory of 2272	2204	7ab8a9ca2e3b444553a9d68efae8408c.exe	31
PID 2204 wrote to memory of 2272	2204	7ab8a9ca2e3b444553a9d68efae8408c.exe	31
PID 2204 wrote to memory of 2272	2204	7ab8a9ca2e3b444553a9d68efae8408c.exe	31
PID 2204 wrote to memory of 2836	2204	7ab8a9ca2e3b444553a9d68efae8408c.exe	34
PID 2204 wrote to memory of 2836	2204	7ab8a9ca2e3b444553a9d68efae8408c.exe	34
PID 2204 wrote to memory of 2836	2204	7ab8a9ca2e3b444553a9d68efae8408c.exe	34
PID 2204 wrote to memory of 2836	2204	7ab8a9ca2e3b444553a9d68efae8408c.exe	34
PID 2204 wrote to memory of 2836	2204	7ab8a9ca2e3b444553a9d68efae8408c.exe	34
PID 2204 wrote to memory of 2836	2204	7ab8a9ca2e3b444553a9d68efae8408c.exe	34
PID 2204 wrote to memory of 2836	2204	7ab8a9ca2e3b444553a9d68efae8408c.exe	34
PID 2244 wrote to memory of 3044	2244	net.exe	35
PID 2244 wrote to memory of 3044	2244	net.exe	35
PID 2244 wrote to memory of 3044	2244	net.exe	35
PID 2244 wrote to memory of 3044	2244	net.exe	35

C:\Users\Admin\AppData\Local\Temp\7ab8a9ca2e3b444553a9d68efae8408c.exe
"C:\Users\Admin\AppData\Local\Temp\7ab8a9ca2e3b444553a9d68efae8408c.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    PID:3044
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:340
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  PID:2272
- C:\Windows\SysWOW64\rundll32.exe
  C:\Users\Admin\AppData\Local\Temp\1706372933.dat, ServerMain c:\users\admin\appdata\local\temp\7ab8a9ca2e3b444553a9d68efae8408c.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sysapp1.dll

Filesize
34KB

MD5
25a38720b926fc93ae66e482fd8a5f8c

SHA1
d5e4e7c599da6c27b0c462f29e12e13f69072dfe

SHA256
d3cc3e5f05d12134209921a97ea3303e67ceb2605584c5191f98f2206c7405ac

SHA512
1c7fd3d1888ceed799c828d7894a595eaee8592cce2b657e145bb65f827ae14ffd11118a8d7d3662f76ef07040b8ee7a95f3a712602afed05591e7b9fc89794c

Download Submit
memory/2204-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2204-9-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing