d5921c53db3576bb6959b28aa641f5163c39de4d16dd53332268ba0a0e5e9f63

General

Target

5x/1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe
Size

3.3MB
MD5

858f22ea594a6a30a5b42dc6380d1e84
SHA1

ad9f83e2698bd5a380afd300225002d7875e08d2
SHA256

1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0
SHA512

33769894a2e63b0391f97bfcdf7d4df3207ac732434f1a4ee843eb3180cb7a788333d3fc5e0c445a98ed975287bb135dd5aa75ec0154da8876f13da749238182
SSDEEP

98304:4ExH12lFKTMMV7l80gN47cxmhZGUIWnGDHlg/Nzir:LxH125fpixZgWnilSk

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\autochk.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\autochk.sys	Explorer.EXE

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1312-0-0x0000000000200000-0x000000000085C000-memory.dmp	upx
behavioral1/memory/1312-1-0x0000000000200000-0x000000000085C000-memory.dmp	upx
behavioral1/files/0x000c0000000136fc-44.dat	upx
behavioral1/memory/2748-46-0x000007FEF5AF0000-0x000007FEF5F55000-memory.dmp	upx
behavioral1/memory/2748-47-0x000007FEF5AF0000-0x000007FEF5F55000-memory.dmp	upx
behavioral1/memory/1212-53-0x000007FEF5AF0000-0x000007FEF5F55000-memory.dmp	upx
behavioral1/memory/1212-52-0x000007FEF5AF0000-0x000007FEF5F55000-memory.dmp	upx
behavioral1/memory/1312-67-0x0000000000200000-0x000000000085C000-memory.dmp	upx
behavioral1/memory/1212-69-0x000007FEF5AF0000-0x000007FEF5F55000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
2524	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\imseo21.ime	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
1312	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe
2748	rundll32.exe
1212	Explorer.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PROPSYS.dll	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe
File created	C:\Windows\Help\DirectX.msc	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe
File opened for modification	C:\Windows\Help\DirectX.msc	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe
File opened for modification	C:\Windows\Help\	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe

Executes dropped EXE 1 IoCs

pid	Process
1212	Explorer.EXE

Loads dropped DLL 1 IoCs

pid	Process
2748	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2748	rundll32.exe
1212	Explorer.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	rundll32.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 2720	1312	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	28
PID 1312 wrote to memory of 2720	1312	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	28
PID 1312 wrote to memory of 2720	1312	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	28
PID 1312 wrote to memory of 2720	1312	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	28
PID 1312 wrote to memory of 2956	1312	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	30
PID 1312 wrote to memory of 2956	1312	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	30
PID 1312 wrote to memory of 2956	1312	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	30
PID 1312 wrote to memory of 2956	1312	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	30
PID 1312 wrote to memory of 2748	1312	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	32
PID 1312 wrote to memory of 2748	1312	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	32
PID 1312 wrote to memory of 2748	1312	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	32
PID 1312 wrote to memory of 2748	1312	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	32
PID 2748 wrote to memory of 1212	2748	rundll32.exe	21
PID 1312 wrote to memory of 2524	1312	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	33
PID 1312 wrote to memory of 2524	1312	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	33
PID 1312 wrote to memory of 2524	1312	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	33
PID 1312 wrote to memory of 2524	1312	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Drivers directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1212
- C:\Users\Admin\AppData\Local\Temp\5x\1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe
  "C:\Users\Admin\AppData\Local\Temp\5x\1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\system32\Cacls.exe
    C:\Windows\system32\Cacls.exe "C:\Windows\PROPSYS.dll" /E /G everyone:F
    3⤵
    PID:2720
- - C:\Windows\system32\Cacls.exe
    C:\Windows\system32\Cacls.exe "C:\Windows\system32\imseo21.ime" /E /G everyone:F
    3⤵
    PID:2956
- - C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe "C:\Windows\system32\imseo21.ime",ProxyDll
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\5x\\51FADBE.bat
    3⤵
    - Deletes itself
    PID:2524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5x\51FADBE.bat

Filesize
331B

MD5
05ffc4a6f9508a5711a9ffac7a687128

SHA1
83d0c3acfc8acd3a867cc3e87aeaf88d0920545c

SHA256
7071cbeb156f30559dab5af6db326c7311ce932bebcac8a38a63210b94a31d98

SHA512
173a33e62651bee5b7e9fe25a33a35553c84daf012cb160d8bac6e81a6bee7dbb75325d73025bf1c8d691bc208e96c2a2fc62295ee139e72122fbd07d387f4d1

Download Submit
C:\Windows\PROPSYS.dll

Filesize
1.2MB

MD5
bac0953ec8677e394194b0d09dc16984

SHA1
87e88e96e64f37a0165e3f813048a5046cae622d

SHA256
12b6c29c990dfcc4b899464f271f691e503dc4060b0c90cee48478e6b6f6cff2

SHA512
4829a8ae94fad492873e52e58a8a36d715fb642f620f18f36604765d4fd42cd7505110c063f6145d43d30bd367c5988419d10f00d70e94352958d9192adc7eba

Download Submit
C:\Windows\system32\imseo21.ime

Filesize
1.6MB

MD5
6d0c009eaa7925a99c1e1ab448e4fb23

SHA1
83fc0adf38ee9803fa545fc2e9989df81b22cc3f

SHA256
68357137268cf5bd92362e315f8a3fac91982bbcff167ef64a1c099441973bf8

SHA512
dc6fae8d7b9cd2b7cba1219b11541e6cb0f0656bf1e95fc76ffa968845a8a78499e4ca78a1d8786763f1c7bccf5d9babb72e9d03c4e1373dadaa39ad526a5d51

Download Submit
memory/1212-50-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/1212-69-0x000007FEF5AF0000-0x000007FEF5F55000-memory.dmp

Filesize
4.4MB

Download
memory/1212-52-0x000007FEF5AF0000-0x000007FEF5F55000-memory.dmp

Filesize
4.4MB

Download
memory/1212-53-0x000007FEF5AF0000-0x000007FEF5F55000-memory.dmp

Filesize
4.4MB

Download
memory/1312-3-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/1312-0-0x0000000000200000-0x000000000085C000-memory.dmp

Filesize
6.4MB

Download
memory/1312-10-0x00000000001D0000-0x00000000001E5000-memory.dmp

Filesize
84KB

Download
memory/1312-67-0x0000000000200000-0x000000000085C000-memory.dmp

Filesize
6.4MB

Download
memory/1312-1-0x0000000000200000-0x000000000085C000-memory.dmp

Filesize
6.4MB

Download
memory/2748-47-0x000007FEF5AF0000-0x000007FEF5F55000-memory.dmp

Filesize
4.4MB

Download
memory/2748-46-0x000007FEF5AF0000-0x000007FEF5F55000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing