39c4c860bb70156ce79ab0e6d82472ca8699f715b2c01ceea3dde8b30ef99466

General

Target

39c4c860bb70156ce79ab0e6d82472ca8699f715b2c01ceea3dde8b30ef99466.exe
Size

134KB
MD5

42bc82cbc51846456552ef9857f3311c
SHA1

0270665b27de798e67d8b0cab3934427d7749295
SHA256

39c4c860bb70156ce79ab0e6d82472ca8699f715b2c01ceea3dde8b30ef99466
SHA512

e4994d99b0b5d182da251a2ef7d4614bb65e9d4a8350bad2791456edcfac47a07d2d9de9699e13084c68e35edfaa6dd9b0361d80e8ec14e81df2877d996c67c4
SSDEEP

1536:YGYU/W2/HG6QMauSV3ixJHABLrmhH7i9eNOOg00GqMIK7aGZh3SOa:YfU/WF6QMauSuiWNi9eNOl0007NZIOa

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1640-0-0x0000000000390000-0x00000000003B8000-memory.dmp	UPX
\ProgramData\Update\wuauclt.exe	UPX
behavioral1/memory/1640-4-0x0000000000130000-0x0000000000158000-memory.dmp	UPX
behavioral1/memory/1524-7-0x0000000000C90000-0x0000000000CB8000-memory.dmp	UPX
behavioral1/memory/1640-8-0x0000000000390000-0x00000000003B8000-memory.dmp	UPX
behavioral1/memory/1640-9-0x0000000000390000-0x00000000003B8000-memory.dmp	UPX

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2096 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

wuauclt.exe

pid process

1524 wuauclt.exe
Loads dropped DLL 1 IoCs

Processes:

39c4c860bb70156ce79ab0e6d82472ca8699f715b2c01ceea3dde8b30ef99466.exe

pid process

1640 39c4c860bb70156ce79ab0e6d82472ca8699f715b2c01ceea3dde8b30ef99466.exe

pid	process
2096	cmd.exe

pid	process
1524	wuauclt.exe

pid	process
1640	39c4c860bb70156ce79ab0e6d82472ca8699f715b2c01ceea3dde8b30ef99466.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1640-0-0x0000000000390000-0x00000000003B8000-memory.dmp	upx
\ProgramData\Update\wuauclt.exe	upx
behavioral1/memory/1640-4-0x0000000000130000-0x0000000000158000-memory.dmp	upx
behavioral1/memory/1524-7-0x0000000000C90000-0x0000000000CB8000-memory.dmp	upx
behavioral1/memory/1640-8-0x0000000000390000-0x00000000003B8000-memory.dmp	upx
behavioral1/memory/1640-9-0x0000000000390000-0x00000000003B8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

39c4c860bb70156ce79ab0e6d82472ca8699f715b2c01ceea3dde8b30ef99466.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run"	39c4c860bb70156ce79ab0e6d82472ca8699f715b2c01ceea3dde8b30ef99466.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

39c4c860bb70156ce79ab0e6d82472ca8699f715b2c01ceea3dde8b30ef99466.exe

description	pid	process	target process
PID 1640 wrote to memory of 1524	1640	39c4c860bb70156ce79ab0e6d82472ca8699f715b2c01ceea3dde8b30ef99466.exe	wuauclt.exe
PID 1640 wrote to memory of 1524	1640	39c4c860bb70156ce79ab0e6d82472ca8699f715b2c01ceea3dde8b30ef99466.exe	wuauclt.exe
PID 1640 wrote to memory of 1524	1640	39c4c860bb70156ce79ab0e6d82472ca8699f715b2c01ceea3dde8b30ef99466.exe	wuauclt.exe
PID 1640 wrote to memory of 1524	1640	39c4c860bb70156ce79ab0e6d82472ca8699f715b2c01ceea3dde8b30ef99466.exe	wuauclt.exe
PID 1640 wrote to memory of 2096	1640	39c4c860bb70156ce79ab0e6d82472ca8699f715b2c01ceea3dde8b30ef99466.exe	cmd.exe
PID 1640 wrote to memory of 2096	1640	39c4c860bb70156ce79ab0e6d82472ca8699f715b2c01ceea3dde8b30ef99466.exe	cmd.exe
PID 1640 wrote to memory of 2096	1640	39c4c860bb70156ce79ab0e6d82472ca8699f715b2c01ceea3dde8b30ef99466.exe	cmd.exe
PID 1640 wrote to memory of 2096	1640	39c4c860bb70156ce79ab0e6d82472ca8699f715b2c01ceea3dde8b30ef99466.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\39c4c860bb70156ce79ab0e6d82472ca8699f715b2c01ceea3dde8b30ef99466.exe
"C:\Users\Admin\AppData\Local\Temp\39c4c860bb70156ce79ab0e6d82472ca8699f715b2c01ceea3dde8b30ef99466.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1640

C:\ProgramData\Update\wuauclt.exe
"C:\ProgramData\Update\wuauclt.exe" /run
2⤵
- Executes dropped EXE
PID:1524

C:\windows\SysWOW64\cmd.exe
"C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\39c4c860bb70156ce79ab0e6d82472ca8699f715b2c01ceea3dde8b30ef99466.exe" >> NUL
2⤵
- Deletes itself
PID:2096

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\Update\wuauclt.exe
Filesize
134KB

MD5
411dc618c6f6c011ccdbae69726f46d3

SHA1
71f9b513a63c5e3eb4a98bea0b3c30fc4332489a

SHA256
2d28b1a85c2542788dd98622fd4262797cca6a76c7fd839abffeacb99b48580d

SHA512
bbf338722af5bd46df372b37f9baf7fb18ff115612819705a9736cfb50acc2b600216a5f0c773e69753aed3a38c5aececc1ab941e1ebb3b868c946d26ab6ca46

Download Submit
memory/1524-7-0x0000000000C90000-0x0000000000CB8000-memory.dmp

Filesize
160KB

Download
memory/1640-0-0x0000000000390000-0x00000000003B8000-memory.dmp

Filesize
160KB

Download
memory/1640-4-0x0000000000130000-0x0000000000158000-memory.dmp

Filesize
160KB

Download
memory/1640-8-0x0000000000390000-0x00000000003B8000-memory.dmp

Filesize
160KB

Download
memory/1640-9-0x0000000000390000-0x00000000003B8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads