13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f

General

Target

13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
Size

558KB
MD5

652d1c6b3324a9f38301e4dc47d4189e
SHA1

09e4b19b5fa435005d1fc34247902e9ab1f35bff
SHA256

13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f
SHA512

28ab9fcaac62a57cd8e4a06e305a980fb19e9969549720e7b7607800abd25f3cb41bc25cb880464d213159ce36718779127c6d9a49de61fe22cb5102bf765bcd
SSDEEP

12288:21+vKnoA0cdoIl9jmDBJ4Uh2DEq/51r575O65n9VG:e+vg0HU9EP4UheEq/B79u

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1724-0-0x0000000000400000-0x0000000000551000-memory.dmp	UPX
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe	UPX
behavioral1/memory/1724-18-0x0000000000400000-0x0000000000551000-memory.dmp	UPX
behavioral1/memory/1724-22-0x0000000000400000-0x0000000000551000-memory.dmp	UPX
behavioral1/memory/1724-25-0x0000000000400000-0x0000000000551000-memory.dmp	UPX
behavioral1/memory/1724-29-0x0000000000400000-0x0000000000551000-memory.dmp	UPX
behavioral1/memory/1724-32-0x0000000000400000-0x0000000000551000-memory.dmp	UPX
behavioral1/memory/1724-35-0x0000000000400000-0x0000000000551000-memory.dmp	UPX
behavioral1/memory/1724-38-0x0000000000400000-0x0000000000551000-memory.dmp	UPX

Drops startup file 1 IoCs

Processes:

13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

Loads dropped DLL 2 IoCs

Processes:

13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

pid	process
1724	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
1724	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1724-0-0x0000000000400000-0x0000000000551000-memory.dmp	upx
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe	upx
behavioral1/memory/1724-18-0x0000000000400000-0x0000000000551000-memory.dmp	upx
behavioral1/memory/1724-22-0x0000000000400000-0x0000000000551000-memory.dmp	upx
behavioral1/memory/1724-25-0x0000000000400000-0x0000000000551000-memory.dmp	upx
behavioral1/memory/1724-29-0x0000000000400000-0x0000000000551000-memory.dmp	upx
behavioral1/memory/1724-32-0x0000000000400000-0x0000000000551000-memory.dmp	upx
behavioral1/memory/1724-35-0x0000000000400000-0x0000000000551000-memory.dmp	upx
behavioral1/memory/1724-38-0x0000000000400000-0x0000000000551000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

pid	process
1724	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
1724	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
1724	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
1724	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
1724	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
1724	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
1724	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
1724	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

pid process

1724 13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

pid	process
1724	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
1724	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe

description	pid	process	target process
PID 1724 wrote to memory of 2136	1724	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe	WScript.exe
PID 1724 wrote to memory of 2136	1724	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe	WScript.exe
PID 1724 wrote to memory of 2136	1724	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe	WScript.exe
PID 1724 wrote to memory of 2136	1724	13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe
"C:\Users\Admin\AppData\Local\Temp\13e1c75290ab79cd8545ec0708e3dc20eb19237f2784af99de2af0f4b83bf59f.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
2004bcee923b0e0222f4cab87c2c2a3d

SHA1
0a3c122b7cfe403403d913ecc1b328480b1bfc2a

SHA256
f92f08df2b65e2f5b5db141c99b098c8b077c0c853a1fd51bfcc6d40dc68ad77

SHA512
cae47a4dfdb942622ebca65d57e9d80c29cb299aa8c217983e34a51655c2e96ed26c7fa2fad978b6279ed4d3c8c0571e417c60152bf66a116f67d0fe38d6a445

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
54b9da8596e5d0082d20734362a964be

SHA1
fd26162c9cd70d73e332d9d7c88e438cf3e369ff

SHA256
ef071d3f4a93c91349c499b35234668dac5ff9b121f2c14f0a1b939c74afeaa5

SHA512
c527e8a3cb14ad17581f3590c4b9dfe7f780245ea22b099202ee8225bf275f4fca13fe41c8765c57cada1a4fc34403b4a272e9a3e6b68aee4b69f56a3e70436f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
558KB

MD5
a00da5a818adcd1ce96a0f3f88ff2589

SHA1
2bb40a7192dae0f6d40f2bc4924870956db5c24b

SHA256
16e60e37f9bd8276ebcef7122de8af8b801cc39db6b7d41078eac1c237a179a7

SHA512
bef75b4dfb05cf5196340d9ddc966ee9ae705fc63fecab0646277bc3efb7f94d4cb85edb553da3c26921e7494d88378a2e0f40ba2420812f534700ea70b982b4

Download Submit
memory/1724-20-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/1724-16-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/1724-18-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/1724-0-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/1724-22-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/1724-25-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/1724-29-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/1724-10-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/1724-32-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/1724-35-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/1724-38-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads