b6637542dd94753d113a6784368449dd4b06308a01d1ad59b6e6361b915bf251

General

Target

8f23640c96b854103a11ea1da5396a00N.exe
Size

135KB
MD5

8f23640c96b854103a11ea1da5396a00
SHA1

26b96d74f73853b476a539e83216b5f452056661
SHA256

b6637542dd94753d113a6784368449dd4b06308a01d1ad59b6e6361b915bf251
SHA512

8020568a1bfe7977b17b072399f05841cc51539fe64975750543f5e0588e4cb0901062c97c62b09fad732fdb8bdfcff87454fee45b13cb1329a1ba6de3cb5d3d
SSDEEP

1536:cGYU/W2/HG6QMauSV3ixJHABLrmhH7i99ROOg00GqMIK7aGZh3EIp:cfU/WF6QMauSuiWNi97Ol0007NZ6Ip

Score

7^/10

defense_evasion discovery persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2744	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2204	wuauclt.exe

Loads dropped DLL 1 IoCs

pid	Process
2408	8f23640c96b854103a11ea1da5396a00N.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2408-1-0x00000000000E0000-0x0000000000108000-memory.dmp	upx
behavioral1/files/0x00080000000170f2-2.dat	upx
behavioral1/memory/2204-7-0x0000000000B30000-0x0000000000B58000-memory.dmp	upx
behavioral1/memory/2408-6-0x0000000000080000-0x00000000000A8000-memory.dmp	upx
behavioral1/memory/2204-9-0x0000000000B30000-0x0000000000B58000-memory.dmp	upx
behavioral1/memory/2408-10-0x00000000000E0000-0x0000000000108000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run"	8f23640c96b854103a11ea1da5396a00N.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f23640c96b854103a11ea1da5396a00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuauclt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2204	2408	8f23640c96b854103a11ea1da5396a00N.exe	30
PID 2408 wrote to memory of 2204	2408	8f23640c96b854103a11ea1da5396a00N.exe	30
PID 2408 wrote to memory of 2204	2408	8f23640c96b854103a11ea1da5396a00N.exe	30
PID 2408 wrote to memory of 2204	2408	8f23640c96b854103a11ea1da5396a00N.exe	30
PID 2408 wrote to memory of 2744	2408	8f23640c96b854103a11ea1da5396a00N.exe	32
PID 2408 wrote to memory of 2744	2408	8f23640c96b854103a11ea1da5396a00N.exe	32
PID 2408 wrote to memory of 2744	2408	8f23640c96b854103a11ea1da5396a00N.exe	32
PID 2408 wrote to memory of 2744	2408	8f23640c96b854103a11ea1da5396a00N.exe	32

C:\Users\Admin\AppData\Local\Temp\8f23640c96b854103a11ea1da5396a00N.exe
"C:\Users\Admin\AppData\Local\Temp\8f23640c96b854103a11ea1da5396a00N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\ProgramData\Update\wuauclt.exe
  "C:\ProgramData\Update\wuauclt.exe" /run
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2204
- C:\windows\SysWOW64\cmd.exe
  "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\8f23640c96b854103a11ea1da5396a00N.exe" >> NUL
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\Update\wuauclt.exe

Filesize
135KB

MD5
52165f6c283a52e04252bfd3a978550b

SHA1
3b428b67a5de4d2649ddb82fd84ba1d7806d3495

SHA256
cb9d81a8c7a13e1cac73eac65ffe5b635162b1a92b5545c30dbc77320fea25cb

SHA512
cd6b62e91b40a2712c40a1918ef26cb4946b294e97e2c57439c3dfa243d1d9899f16a077a54f083dcab6290575c22024ccfd23ca7c350765470d8f09eb2ec0c4

Download Submit
memory/2204-7-0x0000000000B30000-0x0000000000B58000-memory.dmp

Filesize
160KB

Download
memory/2204-9-0x0000000000B30000-0x0000000000B58000-memory.dmp

Filesize
160KB

Download
memory/2408-1-0x00000000000E0000-0x0000000000108000-memory.dmp

Filesize
160KB

Download
memory/2408-6-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/2408-8-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/2408-10-0x00000000000E0000-0x0000000000108000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads