4385a26c638a01f58cf874c20cdc234d8579ca0b1a4bd8e31c048064b7ab1b1a

General

Target

afc0bdda3856961163438e90ac87d670N.exe
Size

644KB
MD5

afc0bdda3856961163438e90ac87d670
SHA1

6f69edd87c78ea3c38b3fa43c3728db8c9d12976
SHA256

4385a26c638a01f58cf874c20cdc234d8579ca0b1a4bd8e31c048064b7ab1b1a
SHA512

a6b2b7071af06336a190523b533b8c839aa2b829e554f2bd8d178b971bc574be2f7761048957884243ca8f9bada24bbc3538d7fa5ea6728757abb469078c2279
SSDEEP

12288:7tKe6Zv23YLVFhBsC8iFHSs7xPY1f6HriPwU8mNCZQUEdsaj1k2CC9E:v6Zv2ivhBVnFys7xP86LkRCQsau2E

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DF2198D-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msrcl32.exe"	afc0bdda3856961163438e90ac87d670N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DF2198D-8B9A-11D5-EBA1-F78EEEEEE983}	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DF2198D-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msrcl32.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DF2198D-8B9A-11D5-EBA1-F78EEEEEE983}	afc0bdda3856961163438e90ac87d670N.exe

Executes dropped EXE 1 IoCs

pid	Process
2408	spoolsv.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	afc0bdda3856961163438e90ac87d670N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	spoolsv.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3016-0-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/files/0x0007000000015cf9-5.dat	upx
behavioral1/files/0x0009000000015cc3-14.dat	upx
behavioral1/memory/3016-15-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/2408-16-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/3016-10-0x00000000002D0000-0x0000000000309000-memory.dmp	upx
behavioral1/memory/2408-17-0x0000000000400000-0x0000000000439000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	afc0bdda3856961163438e90ac87d670N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	afc0bdda3856961163438e90ac87d670N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	spoolsv.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vcl32.exe	afc0bdda3856961163438e90ac87d670N.exe
File opened for modification	C:\Windows\SysWOW64\vcl32.exe	afc0bdda3856961163438e90ac87d670N.exe
File created	C:\Windows\SysWOW64\msrcl32.exe	afc0bdda3856961163438e90ac87d670N.exe
File opened for modification	C:\Windows\SysWOW64\msrcl32.exe	afc0bdda3856961163438e90ac87d670N.exe
File created	C:\Windows\SysWOW64\concp32.exe	afc0bdda3856961163438e90ac87d670N.exe
File opened for modification	C:\Windows\SysWOW64\concp32.exe	afc0bdda3856961163438e90ac87d670N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\spoolsv.exe	afc0bdda3856961163438e90ac87d670N.exe
File opened for modification	C:\Windows\spoolsv.exe	afc0bdda3856961163438e90ac87d670N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afc0bdda3856961163438e90ac87d670N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DF2198D-8B9A-11D5-EBA1-F78EEEEEE983}\ax = 0f19d160e39a3bb2abd7b8e89bc5f0b9	afc0bdda3856961163438e90ac87d670N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DF2198D-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DF2198D-8B9A-11D5-EBA1-F78EEEEEE983}\u2 = a54a6b702f92fdf2acd57599e2ae1608015dff41aa020117fc9bd8e2dcf4340f3fa61eb55d6f28597df90602703809d4	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DF2198D-8B9A-11D5-EBA1-F78EEEEEE983}\v = "165"	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DF2198D-8B9A-11D5-EBA1-F78EEEEEE983}\sm = 01b8ec350471bd332433eee476ebe1f3	afc0bdda3856961163438e90ac87d670N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DF2198D-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32	afc0bdda3856961163438e90ac87d670N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	afc0bdda3856961163438e90ac87d670N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DF2198D-8B9A-11D5-EBA1-F78EEEEEE983}	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DF2198D-8B9A-11D5-EBA1-F78EEEEEE983}\u0 = 658663d26f8bad325217a06063847056939f558d910ed252e05dd0113550f7fc0f4da82ff73a0681ba604c2d4f23269f	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DF2198D-8B9A-11D5-EBA1-F78EEEEEE983}\u1 = 551d2e0658054ba756fd3798fea5ffca42865cb762a31639dabd7f2cca44e226	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DF2198D-8B9A-11D5-EBA1-F78EEEEEE983}	afc0bdda3856961163438e90ac87d670N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3016	afc0bdda3856961163438e90ac87d670N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2408	3016	afc0bdda3856961163438e90ac87d670N.exe	30
PID 3016 wrote to memory of 2408	3016	afc0bdda3856961163438e90ac87d670N.exe	30
PID 3016 wrote to memory of 2408	3016	afc0bdda3856961163438e90ac87d670N.exe	30
PID 3016 wrote to memory of 2408	3016	afc0bdda3856961163438e90ac87d670N.exe	30

C:\Users\Admin\AppData\Local\Temp\afc0bdda3856961163438e90ac87d670N.exe
"C:\Users\Admin\AppData\Local\Temp\afc0bdda3856961163438e90ac87d670N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\spoolsv.exe
  C:\Windows\spoolsv.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\concp32.exe

Filesize
650KB

MD5
25d87241a65beeb2fbde15b2b650be15

SHA1
0c4857fc252092124571e50111ce91ca972251ae

SHA256
eb0d9a6ac0b3f2bb6a865331fcc369fc9b3e6dd275c98cb67d94635d381ecea7

SHA512
e854d872865290f8c691a4e03978d26b06a670e069bc0f76cc0d677e10701df47be8dabb05407b72ea1615a4c59abe2296579c4e6434f70a27e9945a460a8147

Download Submit
C:\Windows\spoolsv.exe

Filesize
645KB

MD5
c0267fb49e1bfd9c67d4d0bcf057f5fc

SHA1
9d1d82853729b46192a7105392e48b82e177c0c9

SHA256
ab814a78798b8afbf7688ab9aa9dccb5625720c0b456ce90793b326ad190a426

SHA512
354eabbf5ebb67f0b7b23b2d19b824e61a8757272389551939cb4161c1e283579f030e234ff543079cdeae023fae41cc90338fac8f8fcc06d0849a350164aa8f

Download Submit
memory/2408-16-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2408-17-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3016-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3016-15-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3016-10-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads