f4509b61c382815c1da0d0bc6d5ed786c18b7295af1a91ed922d92512d0f2317

General

Target

f4509b61c382815c1da0d0bc6d5ed786c18b7295af1a91ed922d92512d0f2317.exe
Size

4.6MB
MD5

8b7adc0b3a4475a3b97ec06913baf820
SHA1

d7894ca2f3c03d7b09c941d2255ef94e5be4db99
SHA256

f4509b61c382815c1da0d0bc6d5ed786c18b7295af1a91ed922d92512d0f2317
SHA512

d016fe96c16c95c97144619559cd690ece276d00b9e05d61caf70ade24c47cf16591af7745dd743a3a9498016ba5b4ddced2ebc87bcb9d3ab7525cb29e15ad4d
SSDEEP

98304:nU13lh8mKKroU+4DNHeGeQhESJ5F6Wm7dRCJnqzFsXl:83wmfrFHNeC765dRCRqK1

Score

8^/10

evasion execution upx

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
2708	BY_PixArtMouseUpgradeTool.exe

Loads dropped DLL 6 IoCs

pid	Process
2720	f4509b61c382815c1da0d0bc6d5ed786c18b7295af1a91ed922d92512d0f2317.exe
2720	f4509b61c382815c1da0d0bc6d5ed786c18b7295af1a91ed922d92512d0f2317.exe
2720	f4509b61c382815c1da0d0bc6d5ed786c18b7295af1a91ed922d92512d0f2317.exe
2720	f4509b61c382815c1da0d0bc6d5ed786c18b7295af1a91ed922d92512d0f2317.exe
2708	BY_PixArtMouseUpgradeTool.exe
2708	BY_PixArtMouseUpgradeTool.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016141-14.dat	upx
behavioral1/memory/2708-22-0x0000000000A70000-0x0000000001536000-memory.dmp	upx
behavioral1/memory/2708-32-0x0000000000A70000-0x0000000001536000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2716	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2708	BY_PixArtMouseUpgradeTool.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2708	BY_PixArtMouseUpgradeTool.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2708	2720	f4509b61c382815c1da0d0bc6d5ed786c18b7295af1a91ed922d92512d0f2317.exe	30
PID 2720 wrote to memory of 2708	2720	f4509b61c382815c1da0d0bc6d5ed786c18b7295af1a91ed922d92512d0f2317.exe	30
PID 2720 wrote to memory of 2708	2720	f4509b61c382815c1da0d0bc6d5ed786c18b7295af1a91ed922d92512d0f2317.exe	30
PID 2720 wrote to memory of 2708	2720	f4509b61c382815c1da0d0bc6d5ed786c18b7295af1a91ed922d92512d0f2317.exe	30
PID 2720 wrote to memory of 2708	2720	f4509b61c382815c1da0d0bc6d5ed786c18b7295af1a91ed922d92512d0f2317.exe	30
PID 2720 wrote to memory of 2708	2720	f4509b61c382815c1da0d0bc6d5ed786c18b7295af1a91ed922d92512d0f2317.exe	30
PID 2720 wrote to memory of 2708	2720	f4509b61c382815c1da0d0bc6d5ed786c18b7295af1a91ed922d92512d0f2317.exe	30
PID 2708 wrote to memory of 2716	2708	BY_PixArtMouseUpgradeTool.exe	31
PID 2708 wrote to memory of 2716	2708	BY_PixArtMouseUpgradeTool.exe	31
PID 2708 wrote to memory of 2716	2708	BY_PixArtMouseUpgradeTool.exe	31
PID 2708 wrote to memory of 2716	2708	BY_PixArtMouseUpgradeTool.exe	31
PID 2708 wrote to memory of 2716	2708	BY_PixArtMouseUpgradeTool.exe	31
PID 2708 wrote to memory of 2716	2708	BY_PixArtMouseUpgradeTool.exe	31
PID 2708 wrote to memory of 2716	2708	BY_PixArtMouseUpgradeTool.exe	31

C:\Users\Admin\AppData\Local\Temp\f4509b61c382815c1da0d0bc6d5ed786c18b7295af1a91ed922d92512d0f2317.exe
"C:\Users\Admin\AppData\Local\Temp\f4509b61c382815c1da0d0bc6d5ed786c18b7295af1a91ed922d92512d0f2317.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Local\Temp\7zS0AA31456\BY_PixArtMouseUpgradeTool.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS0AA31456\BY_PixArtMouseUpgradeTool.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\sc.exe
    sc stop PcaSvc
    3⤵
    - Launches sc.exe
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS0AA31456\config.json

Filesize
666B

MD5
1794e3cbd96d48094fe011adc9a4dd92

SHA1
fabb275d4f2cfb55bc2bace051ba19c9fee062d9

SHA256
6fadc0e6b05a0d66f2f4f0f5a5108158a10f7172e161d407e06bb4aa8dde490f

SHA512
43b5001f2f8eecf280e54423e8de74c2f3308af6b267514191ba41ef2fed5a0b6a3460f171fa86455274c333cc651e53d9ae810ae3550d2e416673e89e7cf291

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0AA31456\BY_PixArtMouseUpgradeTool.exe

Filesize
4.5MB

MD5
6f628faec128cac9f8b2d23f72e8c040

SHA1
4f7bc5d45cadbafe1d1c393535bdbd5af07fc762

SHA256
c9ea930f6f2b1119bd9c477be0b9606c5dc0e08252a81230afbffbea93899c90

SHA512
7532d618a3e6f3a604b7fe409cbc7f8602cb47117204dca9b52d04b7156b0024771a602719b70766829590c7a475e0584418cfb1a09616047eac485445362a4e

Download Submit
memory/2708-27-0x0000000001540000-0x0000000002006000-memory.dmp

Filesize
10.8MB

Download
memory/2708-22-0x0000000000A70000-0x0000000001536000-memory.dmp

Filesize
10.8MB

Download
memory/2708-26-0x0000000001540000-0x0000000002006000-memory.dmp

Filesize
10.8MB

Download
memory/2708-30-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/2708-31-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/2708-32-0x0000000000A70000-0x0000000001536000-memory.dmp

Filesize
10.8MB

Download
memory/2708-34-0x0000000001540000-0x0000000002006000-memory.dmp

Filesize
10.8MB

Download
memory/2708-35-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/2708-36-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/2720-18-0x00000000038F0000-0x00000000043B6000-memory.dmp

Filesize
10.8MB

Download
memory/2720-19-0x00000000038F0000-0x00000000043B6000-memory.dmp

Filesize
10.8MB

Download
memory/2720-20-0x00000000038F0000-0x00000000043B6000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing