d5921c53db3576bb6959b28aa641f5163c39de4d16dd53332268ba0a0e5e9f63

General

Target

5x/1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe
Size

3.3MB
MD5

858f22ea594a6a30a5b42dc6380d1e84
SHA1

ad9f83e2698bd5a380afd300225002d7875e08d2
SHA256

1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0
SHA512

33769894a2e63b0391f97bfcdf7d4df3207ac732434f1a4ee843eb3180cb7a788333d3fc5e0c445a98ed975287bb135dd5aa75ec0154da8876f13da749238182
SSDEEP

98304:4ExH12lFKTMMV7l80gN47cxmhZGUIWnGDHlg/Nzir:LxH125fpixZgWnilSk

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\autochk.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\autochk.sys	Explorer.EXE

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3932-0-0x0000000000200000-0x000000000085C000-memory.dmp	upx
behavioral2/memory/3932-1-0x0000000000200000-0x000000000085C000-memory.dmp	upx
behavioral2/files/0x000b00000001ea83-44.dat	upx
behavioral2/memory/5084-46-0x00007FFC8D210000-0x00007FFC8D675000-memory.dmp	upx
behavioral2/memory/5084-49-0x00007FFC8D210000-0x00007FFC8D675000-memory.dmp	upx
behavioral2/memory/3380-51-0x00007FFC8D210000-0x00007FFC8D675000-memory.dmp	upx
behavioral2/memory/3380-52-0x00007FFC8D210000-0x00007FFC8D675000-memory.dmp	upx
behavioral2/memory/3932-62-0x0000000000200000-0x000000000085C000-memory.dmp	upx
behavioral2/memory/3380-64-0x00007FFC8D210000-0x00007FFC8D675000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\mfc100usx.dll	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3932	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe
5084	rundll32.exe
3380	Explorer.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Secur32.dll	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe
File created	C:\Windows\Help\DirectX.msc	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe
File opened for modification	C:\Windows\Help\DirectX.msc	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe
File opened for modification	C:\Windows\Help\	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe

Executes dropped EXE 1 IoCs

pid	Process
3380	Explorer.EXE

Loads dropped DLL 2 IoCs

pid	Process
5084	rundll32.exe
3380	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5084	rundll32.exe
5084	rundll32.exe
3380	Explorer.EXE
3380	Explorer.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	5084	rundll32.exe
Token: SeShutdownPrivilege	3380	Explorer.EXE
Token: SeCreatePagefilePrivilege	3380	Explorer.EXE
Token: SeShutdownPrivilege	3380	Explorer.EXE
Token: SeCreatePagefilePrivilege	3380	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 1052	3932	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	91
PID 3932 wrote to memory of 1052	3932	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	91
PID 3932 wrote to memory of 3412	3932	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	93
PID 3932 wrote to memory of 3412	3932	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	93
PID 3932 wrote to memory of 5084	3932	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	95
PID 3932 wrote to memory of 5084	3932	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	95
PID 5084 wrote to memory of 3380	5084	rundll32.exe	57
PID 3932 wrote to memory of 5044	3932	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	96
PID 3932 wrote to memory of 5044	3932	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	96
PID 3932 wrote to memory of 5044	3932	1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe	96

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Drivers directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3380
- C:\Users\Admin\AppData\Local\Temp\5x\1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe
  "C:\Users\Admin\AppData\Local\Temp\5x\1ff2743e1b20f9f98e4e02dd5eb9b293e72b6dab769272c194cef11adfbfd5d0.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Windows\system32\Cacls.exe
    C:\Windows\system32\Cacls.exe "C:\Windows\Secur32.dll" /E /G everyone:F
    3⤵
    PID:1052
- - C:\Windows\system32\Cacls.exe
    C:\Windows\system32\Cacls.exe "C:\Windows\system32\mfc100usx.dll" /E /G everyone:F
    3⤵
    PID:3412
- - C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe "C:\Windows\system32\mfc100usx.dll",ProxyDll
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\5x\\51FADBE.bat
    3⤵
    PID:5044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2596 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:1572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5x\51FADBE.bat

Filesize
331B

MD5
05ffc4a6f9508a5711a9ffac7a687128

SHA1
83d0c3acfc8acd3a867cc3e87aeaf88d0920545c

SHA256
7071cbeb156f30559dab5af6db326c7311ce932bebcac8a38a63210b94a31d98

SHA512
173a33e62651bee5b7e9fe25a33a35553c84daf012cb160d8bac6e81a6bee7dbb75325d73025bf1c8d691bc208e96c2a2fc62295ee139e72122fbd07d387f4d1

Download Submit
C:\Windows\Secur32.dll

Filesize
31KB

MD5
dab9b32f762a57a0e5ceea6d276a9535

SHA1
37b019281a9cd1dbd3e5bc3e77c331fa09d819b2

SHA256
2f15b18fdd2362fa2572e96fa65c09a3c8f8b7c48037b360a9eaef567755ed6a

SHA512
2c49e7756d6fd89fcfce5d7734824ccfe1f41b6e9cd3aefe8dc331d2f1c33b2759dffd8b5d32c1bc4792543c0237ba2446644fbe518b97a1f4748fc3e01750c5

Download Submit
C:\Windows\system32\mfc100usx.dll

Filesize
1.6MB

MD5
6d0c009eaa7925a99c1e1ab448e4fb23

SHA1
83fc0adf38ee9803fa545fc2e9989df81b22cc3f

SHA256
68357137268cf5bd92362e315f8a3fac91982bbcff167ef64a1c099441973bf8

SHA512
dc6fae8d7b9cd2b7cba1219b11541e6cb0f0656bf1e95fc76ffa968845a8a78499e4ca78a1d8786763f1c7bccf5d9babb72e9d03c4e1373dadaa39ad526a5d51

Download Submit
memory/3380-51-0x00007FFC8D210000-0x00007FFC8D675000-memory.dmp

Filesize
4.4MB

Download
memory/3380-64-0x00007FFC8D210000-0x00007FFC8D675000-memory.dmp

Filesize
4.4MB

Download
memory/3380-52-0x00007FFC8D210000-0x00007FFC8D675000-memory.dmp

Filesize
4.4MB

Download
memory/3932-10-0x0000000001020000-0x0000000001035000-memory.dmp

Filesize
84KB

Download
memory/3932-0-0x0000000000200000-0x000000000085C000-memory.dmp

Filesize
6.4MB

Download
memory/3932-62-0x0000000000200000-0x000000000085C000-memory.dmp

Filesize
6.4MB

Download
memory/3932-3-0x0000000001010000-0x0000000001017000-memory.dmp

Filesize
28KB

Download
memory/3932-1-0x0000000000200000-0x000000000085C000-memory.dmp

Filesize
6.4MB

Download
memory/5084-49-0x00007FFC8D210000-0x00007FFC8D675000-memory.dmp

Filesize
4.4MB

Download
memory/5084-46-0x00007FFC8D210000-0x00007FFC8D675000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing