d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f

General

Target

d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe
Size

1.2MB
MD5

9f4d2ee7a7b466b811135fb18bf8acb8
SHA1

19bd70e631677f90b1dab037b7d8ffccf7cf641b
SHA256

d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f
SHA512

a144b27c5069f2db1970b27e6211670105c280d698befe619e39ce2a770517b7c36b7c321533abec4d235ee70e2e20b3194aa49a19b9f601e561d4c624dd42a3
SSDEEP

24576:xiU7nuxInXjKzbHhzqfn7J21wivfPqNDe2E5gXPxzAGWqhBplV6SOLg:MxzbHhzq8nqNDqgX1gC67E

Score

8^/10

persistence upx

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\GJlZidKEEJHymstQsFvhnZo\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\GJlZidKEEJHymstQsFvhnZo"	1.exe

Executes dropped EXE 2 IoCs

pid	Process
2328	sg.tmp
2888	1.exe

Loads dropped DLL 3 IoCs

pid	Process
2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe
2472	Process not Found
2448	cmd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2996-0-0x0000000140000000-0x00000001401CB000-memory.dmp	upx
behavioral1/memory/2996-38-0x0000000140000000-0x00000001401CB000-memory.dmp	upx
behavioral1/memory/2636-37-0x0000000140000000-0x00000001401CB000-memory.dmp	upx
behavioral1/memory/2636-40-0x0000000140000000-0x00000001401CB000-memory.dmp	upx

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2876	powercfg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2712	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2888	1.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeBackupPrivilege	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe
Token: SeRestorePrivilege	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe
Token: 33	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe
Token: SeIncBasePriorityPrivilege	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe
Token: 33	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe
Token: SeIncBasePriorityPrivilege	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe
Token: 33	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe
Token: SeIncBasePriorityPrivilege	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe
Token: SeRestorePrivilege	2328	sg.tmp
Token: 35	2328	sg.tmp
Token: SeSecurityPrivilege	2328	sg.tmp
Token: SeSecurityPrivilege	2328	sg.tmp
Token: 33	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe
Token: SeIncBasePriorityPrivilege	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe
Token: SeShutdownPrivilege	2876	powercfg.exe
Token: SeShutdownPrivilege	2876	powercfg.exe
Token: SeShutdownPrivilege	2876	powercfg.exe
Token: SeShutdownPrivilege	2876	powercfg.exe
Token: SeShutdownPrivilege	2876	powercfg.exe
Token: SeCreatePagefilePrivilege	2876	powercfg.exe
Token: SeLoadDriverPrivilege	2888	1.exe
Token: SeDebugPrivilege	2712	taskkill.exe
Token: SeDebugPrivilege	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe
Token: 33	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe
Token: SeIncBasePriorityPrivilege	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe
Token: SeBackupPrivilege	2636	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe
Token: SeRestorePrivilege	2636	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe
Token: 33	2636	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe
Token: SeIncBasePriorityPrivilege	2636	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 3016	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe	30
PID 2996 wrote to memory of 3016	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe	30
PID 2996 wrote to memory of 3016	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe	30
PID 2996 wrote to memory of 2328	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe	32
PID 2996 wrote to memory of 2328	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe	32
PID 2996 wrote to memory of 2328	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe	32
PID 2996 wrote to memory of 2448	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe	34
PID 2996 wrote to memory of 2448	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe	34
PID 2996 wrote to memory of 2448	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe	34
PID 2448 wrote to memory of 2876	2448	cmd.exe	36
PID 2448 wrote to memory of 2876	2448	cmd.exe	36
PID 2448 wrote to memory of 2876	2448	cmd.exe	36
PID 2448 wrote to memory of 2888	2448	cmd.exe	37
PID 2448 wrote to memory of 2888	2448	cmd.exe	37
PID 2448 wrote to memory of 2888	2448	cmd.exe	37
PID 2448 wrote to memory of 2712	2448	cmd.exe	38
PID 2448 wrote to memory of 2712	2448	cmd.exe	38
PID 2448 wrote to memory of 2712	2448	cmd.exe	38
PID 2996 wrote to memory of 2636	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe	41
PID 2996 wrote to memory of 2636	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe	41
PID 2996 wrote to memory of 2636	2996	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe	41
PID 2636 wrote to memory of 552	2636	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe	42
PID 2636 wrote to memory of 552	2636	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe	42
PID 2636 wrote to memory of 552	2636	d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe	42

C:\Users\Admin\AppData\Local\Temp\d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe
"C:\Users\Admin\AppData\Local\Temp\d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\system32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:3016
- C:\Users\Admin\AppData\Local\Temp\~5991378300257146535~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~2463469134776912369"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\~2463469134776912369\1.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\system32\powercfg.exe
    powercfg /h off
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- - C:\Users\Admin\AppData\Local\Temp\~2463469134776912369\1.exe
    1.exe HKYP.sys
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- C:\Users\Admin\AppData\Local\Temp\d086f5ae75cd8364e38ee520bac459f1b733e308859b8e2210cb5d983b604c6f.exe
  PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~2342072389461776729.cmd"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\~2342072389461776729.cmd"
    3⤵
    PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Power Settings

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~2342072389461776729.cmd

Filesize
373B

MD5
3677bc8546f8e1a9e293d391ea4c2e21

SHA1
b529fd6ce3a8ef2a78fc1f65fc82f4289dc95337

SHA256
40b465c0560ede5ff87d27b1060b1342c8ae073f24d8f91b843312e09be73b71

SHA512
6c00e73b30ef5833951bf1225fff894c0a180c520d09341ea0c5b039633bcddafa213a3ce862504988f69a5ef213f72e5a092a783977bb2a448ba8a0fd057a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~2463469134776912369\1.bat

Filesize
139B

MD5
37ae2b48188ab4d4e73d267208192ec0

SHA1
a9968051a158a8844e33e4bd726917573855c88b

SHA256
171fde7cd005a4fa919d1e92e607c3c8b0993ec84012701ba454959c065139cd

SHA512
d515fed9fc16ee2a3729ea1ff75f31bc73f556ce638980048d519b555d93eebfd0c41039182349279339ca36e93233ac7c6f85c72a3fef4294ab96740321188d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~2463469134776912369\1.exe

Filesize
134KB

MD5
3f69bcd2ab365cbd2ac3328b99123b83

SHA1
deb65ebfe716db9eb95ce4630c4b124e9f68618f

SHA256
49e79e780bdffbb236c7ec8fd08069330cf80ca37b5846f9d909631e10ebbce5

SHA512
ea6c7faa6bb2e13df24e0b195e300b9cce0b8a7b67a131352dedf97d8f5166d0523a646c676d6b5e1a1a4160752a10ca8490f09f1817b916df8b175c6e71c793

Download Submit
C:\Users\Admin\AppData\Local\Temp\~2463469134776912369\HKYP.sys

Filesize
15KB

MD5
8c2a481026369dc55b8b2d8696f0f95e

SHA1
ae666c57c6876ba6e13687abad63e8380d100672

SHA256
54c29688ed7085eb79a7ca8d49e749f97e3f826d0f517c46f36ea1a233c4c514

SHA512
1d194a9afc01d061fd85a9df0d3287afbf355cca33888c0ab398db28e2ea28aacb22e7fa8859283686f98eeb012b4dca35623f6f76015013d93d1cac08f8da0d

Download Submit
\Users\Admin\AppData\Local\Temp\~5991378300257146535~\sg.tmp

Filesize
1.1MB

MD5
8a36dcd25ae8543d26b0a99b7d48864a

SHA1
72581de60cedf59b1b932f6201bafc7cb02bb56e

SHA256
b3daf97e499467c6337b4320059ac44bc7a949dc4e500eb0d2f79f900a229531

SHA512
26eecfa81f6c94a89d1f9be0224a3f36309a5c43d658055f48e6e7ee2847c29bddf665f077381ee5b318201bc7658f6cfc36d248f64f51302622e5e949f147ef

Download Submit
memory/2636-37-0x0000000140000000-0x00000001401CB000-memory.dmp

Filesize
1.8MB

Download
memory/2636-40-0x0000000140000000-0x00000001401CB000-memory.dmp

Filesize
1.8MB

Download
memory/2996-0-0x0000000140000000-0x00000001401CB000-memory.dmp

Filesize
1.8MB

Download
memory/2996-35-0x0000000003400000-0x00000000035CB000-memory.dmp

Filesize
1.8MB

Download
memory/2996-38-0x0000000140000000-0x00000001401CB000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads