24bdf2ee332c11a238fed6d85b9eaf372776d5d5684efc6ab62d6608bda552ee

General

Target

a32c9f867c7580fe08b550bec2ed0d95.exe
Size

213KB
MD5

a32c9f867c7580fe08b550bec2ed0d95
SHA1

1f3f0f4930641b3c23e966eefffa7d9bc4301b7f
SHA256

24bdf2ee332c11a238fed6d85b9eaf372776d5d5684efc6ab62d6608bda552ee
SHA512

fbdb46d63453a9612d36fa14113c2bea5b684d97db77dc6ce08ff221f10b2066e4de66079e8b52e59546b06bd4794569fbcc4139c5e66e36f4ef8367fc5f7f65
SSDEEP

3072:98My9dK5nNHU2UpYz8egZiy+vZZPtlc8Pr3CEN2JMxWvqojLNwV+cnkuAQyg:4nKJHsIgELPLr3r2J7vqp4wdyg

Score

8^/10

persistence upx

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DarkstSer\Parameters\ServiceDll = "C:\\Windows\\system32\\System64.dll"	a32c9f867c7580fe08b550bec2ed0d95.exe

Loads dropped DLL 1 IoCs

pid	Process
1136	svchost.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3252-1-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3252-0-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3252-2-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3252-4-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3252-6-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/2900-12-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\System64.dat	a32c9f867c7580fe08b550bec2ed0d95.exe
File created	C:\Windows\SysWOW64\System64.dll	a32c9f867c7580fe08b550bec2ed0d95.exe
File created	C:\Windows\SysWOW64\KMe.bat	a32c9f867c7580fe08b550bec2ed0d95.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 2900	3252	a32c9f867c7580fe08b550bec2ed0d95.exe	89
PID 3252 wrote to memory of 2900	3252	a32c9f867c7580fe08b550bec2ed0d95.exe	89
PID 3252 wrote to memory of 2900	3252	a32c9f867c7580fe08b550bec2ed0d95.exe	89
PID 2900 wrote to memory of 4612	2900	a32c9f867c7580fe08b550bec2ed0d95.exe	91
PID 2900 wrote to memory of 4612	2900	a32c9f867c7580fe08b550bec2ed0d95.exe	91
PID 2900 wrote to memory of 4612	2900	a32c9f867c7580fe08b550bec2ed0d95.exe	91

C:\Users\Admin\AppData\Local\Temp\a32c9f867c7580fe08b550bec2ed0d95.exe
"C:\Users\Admin\AppData\Local\Temp\a32c9f867c7580fe08b550bec2ed0d95.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Users\Admin\AppData\Local\Temp\a32c9f867c7580fe08b550bec2ed0d95.exe
  C:\Users\Admin\AppData\Local\Temp\a32c9f867c7580fe08b550bec2ed0d95.exe -Nod32
  2⤵
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\KMe.bat
    3⤵
    PID:4612

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netservice
1⤵
- Loads dropped DLL
PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\KMe.bat

Filesize
86B

MD5
cbdcb5bf72fde31d4033b32d08008d2a

SHA1
f102e696b8fbca884e7108ca3ca327abda76909a

SHA256
14cdf8611a119c1c541075cd8d4d8304e6a70f781a0dd708b281160f83ac14bd

SHA512
585d07f3372f451c1ad87f6682d7b4387fecbf7c5b88dbe8fb85eb8118a33ee07c33efea2000006a194ca195303cb64b99d95f2991652b108f0962d929c1b283

Download Submit
C:\Windows\SysWOW64\System64.dat

Filesize
178B

MD5
a44079c79b6a83c185f94f7d9eee47e2

SHA1
c344996b3294e39b9467433e5768cedacb4c1302

SHA256
5ec9152c258b8b16431e0082b1558b41b7af8cc29abe7dbea61d56d0a4526569

SHA512
4d1916a7fe2c4bcea2d05c3007e7cab92537d45c37345529c79ff3c2799fd7e1a22d96bedd59955fe52b9bd31a09affffda270f724f256540fcc4ad64bf4fb77

Download Submit
\??\c:\windows\SysWOW64\system64.dll

Filesize
356KB

MD5
db5860a33597ab0c07dfc1db63ae2f18

SHA1
090ef07a72a2abb760a93cd91843c40830f28bbc

SHA256
fe0111deb680994a2cec676d7a31b70dc1b3f36d54db41046b8f1be5862353b1

SHA512
1d37e5df05f04b88f1c46e08de173bd8d9e67035104d07b15ab8064055c98371ccf962408665a32941e9604df69453de84d0d6a21b72f3ce1fe1c5d6d2ff96a0

Download Submit
memory/1136-24-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1136-26-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1136-35-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1136-34-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1136-33-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1136-32-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1136-21-0x0000000001570000-0x0000000001571000-memory.dmp

Filesize
4KB

Download
memory/1136-22-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1136-23-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1136-31-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1136-25-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1136-30-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1136-27-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1136-28-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1136-29-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2900-12-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3252-6-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3252-1-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3252-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3252-2-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3252-4-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads