1ef9f6f47ce297fa50fe714562d32ec98773acddeec5b17b956e6d4b94bbd14f

General

Target

Aridek shit/kdu-mapper.exe
Size

1.4MB
MD5

220da3c39ef91e9eedcc65ff4815276d
SHA1

3a764f42205c7166618f831168c3cfb20b8f37f6
SHA256

ad6402f149f2802a71b02c4f6fc6c695624c869b5fe8d7ed212606174230b1f4
SHA512

d4caa7296d86505dbe36853d3d1d836cb85260bc2c72b368b7a45fb004cef33498b7f1fbe85d5e734a2ed6e6832fa5c9aaef6acb5a67a5f40939d471e6914aaf
SSDEEP

24576:EtA4KdTJeXSRhoVDNM3DuaXTnAD8J2uQkRQFaJPgHVICI369ZCOtQjHQbGr:ZdTcS/G6iaXrAD8J2ZkRQF7VPI36bCOO

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

extd.exeextd.exeextd.exestruct.exelgsvcl.exe

pid process

1108 extd.exe
3580 extd.exe
4320 extd.exe
4428 struct.exe
4408 lgsvcl.exe

pid	process
1108	extd.exe
3580	extd.exe
4320	extd.exe
4428	struct.exe
4408	lgsvcl.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\5E1E.tmp\5E1F.tmp\extd.exe	upx
behavioral5/memory/1108-14-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral5/memory/1108-15-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral5/memory/3580-20-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral5/memory/3580-21-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral5/memory/4320-23-0x0000000140000000-0x00000001400D8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

368 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3140 taskkill.exe
1260 taskkill.exe

pid	process
368	timeout.exe

pid	process
3140	taskkill.exe
1260	taskkill.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

lgsvcl.exetaskkill.exetaskkill.exesvchost.exe

description	pid	process
Token: SeSystemEnvironmentPrivilege	4408	lgsvcl.exe
Token: SeDebugPrivilege	3140	taskkill.exe
Token: SeDebugPrivilege	1260	taskkill.exe
Token: SeManageVolumePrivilege	3236	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

kdu-mapper.execmd.exestruct.execmd.exe

description	pid	process	target process
PID 2040 wrote to memory of 2796	2040	kdu-mapper.exe	cmd.exe
PID 2040 wrote to memory of 2796	2040	kdu-mapper.exe	cmd.exe
PID 2796 wrote to memory of 1108	2796	cmd.exe	extd.exe
PID 2796 wrote to memory of 1108	2796	cmd.exe	extd.exe
PID 2796 wrote to memory of 3580	2796	cmd.exe	extd.exe
PID 2796 wrote to memory of 3580	2796	cmd.exe	extd.exe
PID 2796 wrote to memory of 4320	2796	cmd.exe	extd.exe
PID 2796 wrote to memory of 4320	2796	cmd.exe	extd.exe
PID 2796 wrote to memory of 4428	2796	cmd.exe	struct.exe
PID 2796 wrote to memory of 4428	2796	cmd.exe	struct.exe
PID 2796 wrote to memory of 4428	2796	cmd.exe	struct.exe
PID 4428 wrote to memory of 3904	4428	struct.exe	cmd.exe
PID 4428 wrote to memory of 3904	4428	struct.exe	cmd.exe
PID 3904 wrote to memory of 4408	3904	cmd.exe	lgsvcl.exe
PID 3904 wrote to memory of 4408	3904	cmd.exe	lgsvcl.exe
PID 3904 wrote to memory of 368	3904	cmd.exe	timeout.exe
PID 3904 wrote to memory of 368	3904	cmd.exe	timeout.exe
PID 3904 wrote to memory of 3140	3904	cmd.exe	taskkill.exe
PID 3904 wrote to memory of 3140	3904	cmd.exe	taskkill.exe
PID 3904 wrote to memory of 1260	3904	cmd.exe	taskkill.exe
PID 3904 wrote to memory of 1260	3904	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\Aridek shit\kdu-mapper.exe
"C:\Users\Admin\AppData\Local\Temp\Aridek shit\kdu-mapper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5E1E.tmp\5E1F.tmp\5E20.bat "C:\Users\Admin\AppData\Local\Temp\Aridek shit\kdu-mapper.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Local\Temp\5E1E.tmp\5E1F.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\5E1E.tmp\5E1F.tmp\extd.exe "/getconsoletitle" "" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:1108
- - C:\Users\Admin\AppData\Local\Temp\5E1E.tmp\5E1F.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\5E1E.tmp\5E1F.tmp\extd.exe "/resizewindow" "C:\Users\Admin\AppData\Local\Temp\Aridek shit\kdu-mapper.exe" "0" "0" "1129" "520" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:3580
- - C:\Users\Admin\AppData\Local\Temp\5E1E.tmp\5E1F.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\5E1E.tmp\5E1F.tmp\extd.exe "/center" "" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:4320
- - C:\Users\Admin\AppData\Roaming\cache\struct.exe
    "struct.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\60EC.tmp\60ED.tmp\60EE.bat C:\Users\Admin\AppData\Roaming\cache\struct.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3904
    - - C:\Users\Admin\AppData\Roaming\cache\lgsvcl.exe
        
        lgsvcl.exe -prv 25 -scv 4 -drvn edrv -map C:\Windows\Fonts\4138.sys
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4408
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:368
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im lgsvcl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3140
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im cmd.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5E1E.tmp\5E1F.tmp\5E20.bat

Filesize
677B

MD5
6ed8b2a40d5d1a04a060f91932be6d75

SHA1
4d0a2a7472e3f8d47891547b25395d6171e3412e

SHA256
c3d6215783963ddcc92e00a073fe8d135aa655f684beaf73f421b1101e87fa7a

SHA512
ea906c04a652a90f52dfd8cfb0c00b2d6d3cd330c3d8144a7324b068a3374ea18d517ac72fa461319f009bcdf6b064d6d44a8e6fe6da1ecfa195b5493e8f339d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E1E.tmp\5E1F.tmp\extd.exe

Filesize
326KB

MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\60EC.tmp\60ED.tmp\60EE.bat

Filesize
226B

MD5
700b97c8e010a2f912871438d8e0880b

SHA1
0a77422c785977452ba73db0d0ade87171882d7b

SHA256
95db09988c84be22c32dc2b4226a709f6e8a0906ea6ee0bf5ca4e7021b2e25cd

SHA512
75d3b47a15d5ba84d90fc30d7d0c5ad9fe932f0ca805392b28a4c490ddc3fd6badea3aaa4d378ffea07b562445a0e54164d573d83aa949410281025c5b347acc

Download Submit
C:\Users\Admin\AppData\Roaming\cache\lgsvcl.exe

Filesize
282KB

MD5
9b19beb2fb368135e2d2a5e0c5832c19

SHA1
382851327c731266fc9cb365aeefdaf3c942a623

SHA256
c0f6d418b98e7b303ab224c5ac1b59487908ac15125c9e90eccaed2763100739

SHA512
990c529ee72527bbcbd05dbf51979847319fae1b5fbd7785f8d59b367a2af1d37ba584deab89e474c639a34359c538afddc4a099cf4241f53b3e4e311084ed9d

Download Submit
C:\Users\Admin\AppData\Roaming\cache\struct.exe

Filesize
89KB

MD5
dde838c9ddf5c867939d249e7dff2dee

SHA1
208e48bba627f685a55e1a834e9a3e0ea97fad59

SHA256
8d622da94cf5ec0a877d4a51b88902872b167dd8d1132041a4aa308b6a5a93c9

SHA512
b46557ec25cbea4bd22d5269cdec7fec3ddbb4c85050278e9895c3d4d464e8ba231cd16badeec3e8f282110c54e9f689717d8af938f2c31d32222c0bcd055d63

Download Submit
memory/1108-14-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1108-15-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3236-66-0x000002400FA80000-0x000002400FA81000-memory.dmp

Filesize
4KB

Download
memory/3236-34-0x0000024007640000-0x0000024007650000-memory.dmp

Filesize
64KB

Download
memory/3236-50-0x0000024007740000-0x0000024007750000-memory.dmp

Filesize
64KB

Download
memory/3236-68-0x000002400FAB0000-0x000002400FAB1000-memory.dmp

Filesize
4KB

Download
memory/3236-69-0x000002400FAB0000-0x000002400FAB1000-memory.dmp

Filesize
4KB

Download
memory/3236-70-0x000002400FBC0000-0x000002400FBC1000-memory.dmp

Filesize
4KB

Download
memory/3580-21-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3580-20-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4320-23-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads