75c88f741c31b5e99fe90c40972542fec2048c50cfc0df2e7cad01499ed714be

General

Target

ad74dfb3410189f2e82193c25ca63ab9.exe
Size

32KB
MD5

ad74dfb3410189f2e82193c25ca63ab9
SHA1

21114580a75e91118deae99094de18e802224677
SHA256

75c88f741c31b5e99fe90c40972542fec2048c50cfc0df2e7cad01499ed714be
SHA512

3c20ff1f6e05c9544582a89356b2974b2333e6562b710454914aca0e30c764c1a911883fa68803d151a0572ddb84c9c20957aa8d4e0c335bceee9a668156d8b9
SSDEEP

384:DqxwqnceJueQ6bvMqewXhg3AhJbORm52iKOLnE18p3OuTeqRKpZmVmmVEdraq2bS:uxwVeJiZ0hPhJbu7qLFVOiTRKpZIDU0

Score

8^/10

evasion upx

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
2580	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2580	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/332-0-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/332-11-0x0000000000400000-0x0000000000415000-memory.dmp	upx

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ksuser.dll	ad74dfb3410189f2e82193c25ca63ab9.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	ad74dfb3410189f2e82193c25ca63ab9.exe
File created	C:\Windows\SysWOW64\msimg32.dll	ad74dfb3410189f2e82193c25ca63ab9.exe
File opened for modification	C:\Windows\SysWOW64\yuksuser.dll	ad74dfb3410189f2e82193c25ca63ab9.exe
File created	C:\Windows\SysWOW64\dllcache\ksuser.dll	ad74dfb3410189f2e82193c25ca63ab9.exe
File created	C:\Windows\SysWOW64\yumidimap.dll	ad74dfb3410189f2e82193c25ca63ab9.exe
File created	C:\Windows\SysWOW64\midimap.dll	ad74dfb3410189f2e82193c25ca63ab9.exe
File created	C:\Windows\SysWOW64\yumsimg32.dll	ad74dfb3410189f2e82193c25ca63ab9.exe
File created	C:\Windows\SysWOW64\dllcache\msimg32.dll	ad74dfb3410189f2e82193c25ca63ab9.exe
File created	C:\Windows\SysWOW64\sysapp5.dll	ad74dfb3410189f2e82193c25ca63ab9.exe
File created	C:\Windows\SysWOW64\yuksuser.dll	ad74dfb3410189f2e82193c25ca63ab9.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2056	sc.exe
2768	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
332	ad74dfb3410189f2e82193c25ca63ab9.exe
332	ad74dfb3410189f2e82193c25ca63ab9.exe
332	ad74dfb3410189f2e82193c25ca63ab9.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
332	ad74dfb3410189f2e82193c25ca63ab9.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 332 wrote to memory of 2828	332	ad74dfb3410189f2e82193c25ca63ab9.exe	28
PID 332 wrote to memory of 2828	332	ad74dfb3410189f2e82193c25ca63ab9.exe	28
PID 332 wrote to memory of 2828	332	ad74dfb3410189f2e82193c25ca63ab9.exe	28
PID 332 wrote to memory of 2828	332	ad74dfb3410189f2e82193c25ca63ab9.exe	28
PID 332 wrote to memory of 2056	332	ad74dfb3410189f2e82193c25ca63ab9.exe	30
PID 332 wrote to memory of 2056	332	ad74dfb3410189f2e82193c25ca63ab9.exe	30
PID 332 wrote to memory of 2056	332	ad74dfb3410189f2e82193c25ca63ab9.exe	30
PID 332 wrote to memory of 2056	332	ad74dfb3410189f2e82193c25ca63ab9.exe	30
PID 332 wrote to memory of 2768	332	ad74dfb3410189f2e82193c25ca63ab9.exe	31
PID 332 wrote to memory of 2768	332	ad74dfb3410189f2e82193c25ca63ab9.exe	31
PID 332 wrote to memory of 2768	332	ad74dfb3410189f2e82193c25ca63ab9.exe	31
PID 332 wrote to memory of 2768	332	ad74dfb3410189f2e82193c25ca63ab9.exe	31
PID 332 wrote to memory of 2580	332	ad74dfb3410189f2e82193c25ca63ab9.exe	33
PID 332 wrote to memory of 2580	332	ad74dfb3410189f2e82193c25ca63ab9.exe	33
PID 332 wrote to memory of 2580	332	ad74dfb3410189f2e82193c25ca63ab9.exe	33
PID 332 wrote to memory of 2580	332	ad74dfb3410189f2e82193c25ca63ab9.exe	33
PID 332 wrote to memory of 2580	332	ad74dfb3410189f2e82193c25ca63ab9.exe	33
PID 332 wrote to memory of 2580	332	ad74dfb3410189f2e82193c25ca63ab9.exe	33
PID 332 wrote to memory of 2580	332	ad74dfb3410189f2e82193c25ca63ab9.exe	33
PID 2828 wrote to memory of 2716	2828	net.exe	35
PID 2828 wrote to memory of 2716	2828	net.exe	35
PID 2828 wrote to memory of 2716	2828	net.exe	35
PID 2828 wrote to memory of 2716	2828	net.exe	35

C:\Users\Admin\AppData\Local\Temp\ad74dfb3410189f2e82193c25ca63ab9.exe
"C:\Users\Admin\AppData\Local\Temp\ad74dfb3410189f2e82193c25ca63ab9.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:332
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    PID:2716
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2056
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  PID:2768
- C:\Windows\SysWOW64\rundll32.exe
  C:\Users\Admin\AppData\Local\Temp\1709173721.dat, ServerMain c:\users\admin\appdata\local\temp\ad74dfb3410189f2e82193c25ca63ab9.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1709173721.dat

Filesize
32KB

MD5
280d1dcda064c5f221e4d7d6def2762c

SHA1
5fc150cda048ac254f1280301130577544414f73

SHA256
4ad51810e813e023937e06071c6aa530a6f7fae8d6868050c22ba957c803e508

SHA512
426b27cb0269f3e99aa1cc36be32619d2c0fa6498d371c745830d65306c29ef64e64faadee5a1e39d2bf7c914d84b191a8276043bc626e04ea4222734f144154

Download Submit
memory/332-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/332-11-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing