2f3d1f1035e91545ba272ec5e3e78382348bc52ed1bce1f8be8ed9fc93235e94

General

Target

a3a5d68f1f54d88dd048f048ac6ce206.exe
Size

258KB
MD5

a3a5d68f1f54d88dd048f048ac6ce206
SHA1

14685a5506f910142a13d11eadf4ff9909535ef8
SHA256

2f3d1f1035e91545ba272ec5e3e78382348bc52ed1bce1f8be8ed9fc93235e94
SHA512

c911d184c78c97d7222850f80260935b7e8fe20f5a5855ba2f1fef5565beb0b7b7ebde911bd85267699260e5c6dfaf24137a77ee6fee33d4a83540b747e5b65e
SSDEEP

6144:MH4WH/bcRvjhdtigZbHFDEGZbjh2dOOVTJ6h4TfHFDE:FRvVdtiQNEIjhShrmsfNE

Score

7^/10

persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000015c2f-36.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2504	Syspixk32.exe

Executes dropped EXE 1 IoCs

pid	Process
2504	Syspixk32.exe

Loads dropped DLL 1 IoCs

pid	Process
2504	Syspixk32.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "Syspixk32.exe \"%1\" %*"	a3a5d68f1f54d88dd048f048ac6ce206.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000015c2f-36.dat	upx
behavioral1/memory/2504-94-0x0000000010000000-0x000000001000C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\StartProfile = "Syspixk32.exe powrprof.dll,LoadCurrentPwrScheme"	a3a5d68f1f54d88dd048f048ac6ce206.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft StartUp = "C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\Microsoft16.exe"	a3a5d68f1f54d88dd048f048ac6ce206.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe	a3a5d68f1f54d88dd048f048ac6ce206.exe
File opened for modification	C:\WINDOWS\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe	a3a5d68f1f54d88dd048f048ac6ce206.exe
File opened for modification	C:\Windows\SysWOW64\pixka.cfg	Syspixk32.exe
File opened for modification	C:\Windows\SysWOW64\pixka.cfg	a3a5d68f1f54d88dd048f048ac6ce206.exe
File created	C:\Windows\SysWOW64\syshook.dll	a3a5d68f1f54d88dd048f048ac6ce206.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Microsoft16.exe	a3a5d68f1f54d88dd048f048ac6ce206.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Microsoft16.exe	a3a5d68f1f54d88dd048f048ac6ce206.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Dxpixk16.dll	Syspixk32.exe
File opened for modification	C:\Windows\Faith.ini	Syspixk32.exe
File opened for modification	C:\Windows\Syspixk32.exe	Syspixk32.exe
File opened for modification	C:\Windows\Dxpixk16.dll	a3a5d68f1f54d88dd048f048ac6ce206.exe
File opened for modification	C:\Windows\kxipLib.sys	a3a5d68f1f54d88dd048f048ac6ce206.exe
File opened for modification	C:\Windows\Faith.ini	a3a5d68f1f54d88dd048f048ac6ce206.exe
File created	C:\Windows\Syspixk32.exe	a3a5d68f1f54d88dd048f048ac6ce206.exe
File opened for modification	C:\Windows\Syspixk32.exe	a3a5d68f1f54d88dd048f048ac6ce206.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "Syspixk32.exe \"%1\" %*"	a3a5d68f1f54d88dd048f048ac6ce206.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2504	Syspixk32.exe
2504	Syspixk32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 2504	1136	a3a5d68f1f54d88dd048f048ac6ce206.exe	28
PID 1136 wrote to memory of 2504	1136	a3a5d68f1f54d88dd048f048ac6ce206.exe	28
PID 1136 wrote to memory of 2504	1136	a3a5d68f1f54d88dd048f048ac6ce206.exe	28
PID 1136 wrote to memory of 2504	1136	a3a5d68f1f54d88dd048f048ac6ce206.exe	28

C:\Users\Admin\AppData\Local\Temp\a3a5d68f1f54d88dd048f048ac6ce206.exe
"C:\Users\Admin\AppData\Local\Temp\a3a5d68f1f54d88dd048f048ac6ce206.exe"
1⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Windows\Syspixk32.exe
  C:\Windows\Syspixk32.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Microsoft16.exe

Filesize
174KB

MD5
5c76e0e46bbe51369bbbef1f57e76a4b

SHA1
14ac156efe0ae9edf184df6d06e3382a07f094c9

SHA256
2ce8d28e7831b620711241bde870e8fd6630b2c62719d022dfcf0c2662390aa2

SHA512
d5c3d63c865d5d67f2a1a927b285202d0bc8049269dfae9705411f1ebfad5c1fd6c7e5aa2f2d0829fa26202d765b32899a5acab037a207dc0c232aee278a720b

Download Submit
C:\Windows\Dxpixk16.dll

Filesize
168B

MD5
8fa32082bf211256de7e132c7d38f3ae

SHA1
c084763df6524445426e589f03fc6ac8bb3f8f90

SHA256
e71e1eaa3b5c86c429af5d42eaf5b219c0fd2369d3f0c6df95b739d89517fca3

SHA512
05d206af4d3206aab35c099dd48bdc7dfd59d760894005e60c1256129cfd72d6580f0ebc146c4df942a2d0deb592bfb6bd78abef618b2e07a34c736a375c16bf

Download Submit
C:\Windows\Dxpixk16.dll

Filesize
238B

MD5
968d990e40d228fc6dbf0817078e5bcb

SHA1
1296ff92324e71b6c91f1a827ecf164aff7aec15

SHA256
d058242edec69038500a6b8c4d40b4f3eac57b6b72c4d1f16fbdec0e0d2b5fdb

SHA512
540253132e2d3e311c7abfb01b735738aa32dc760c3a9b81c2ed13c07a56e4d160e95007e51686624c3a209983cfe289d61608d9b179298e512cc45f07d3dbf8

Download Submit
C:\Windows\Faith.ini

Filesize
59B

MD5
9ea11a11cfec9774195770c6b476a70e

SHA1
a3f9d1dd8b3254998baba2add52dc4554af5f902

SHA256
7a70ed3b3ac70f65a1b6ee937d986e833596959394f12e16555de504be76d70d

SHA512
284a39bc6d16f822f606e3c70ecdd437853048d009bb7301411774392f0261d996b12aafd32a400b0b4a75c09fb93e28719994df6d7fa2d6dc91e65b720b05f5

Download Submit
C:\Windows\SysWOW64\pixka.cfg

Filesize
326B

MD5
6cce7fd97bb8dbfc3feaaef5459db4dc

SHA1
b637366a18502f9f13d78de41f53e7094f8e49a4

SHA256
f916f06612987b44cdf217f0cdcf02af211e731e91f8bce1508ebd8c3be79c7c

SHA512
ba9019d5a9c6aee04f2b46d6efb79ea10e5b4e704dfd55c4b9cd677e48812184ca7a14229ff89e01a16944d3398d8e896d7d1a0540aa8c52bfcc3731465c5d91

Download Submit
C:\Windows\SysWOW64\syshook.dll

Filesize
13KB

MD5
1184a7318020bdd89657e48ee038aefb

SHA1
a423a691987a2f37ac2a31cbda16c4b70fa678b1

SHA256
abfa4b5456d9e9f55a57fb1fb5b3bdd15210a084aa0325a73d5b49b41a50eef7

SHA512
57f939150929b7f2c074bd8e588e7b0a0a59e6a66f3fb1528d27890d9b7538bb3231a03cd7a47fe818810d9c40d92c1cc6dfa40359eecfa3df0a0adfa66a71b7

Download Submit
memory/2504-94-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads