634233e57c1536876fab51bb4410375897aed30634cf72bd4aba4625a0fb1709

General

Target

634233e57c1536876fab51bb4410375897aed30634cf72bd4aba4625a0fb1709.exe
Size

749KB
MD5

8e1b0a3e6f307506671a7b0a3ef10ac6
SHA1

d058ad9a176290d1b54208142c7d3291f8add355
SHA256

634233e57c1536876fab51bb4410375897aed30634cf72bd4aba4625a0fb1709
SHA512

b7b7301c77ba4d0ac8f6b67ebed140b6c0ed1f0b4c8186fec1cdbce88886fe53599bfe247aef0f76432de8b594640f512e968298d4ce182898cb42992f3e959f
SSDEEP

12288:7tKe6Zv23YLVFhBsC8iFHs+hsuQXIQVRpVnl3Bg5oiNIr2NU9DLWDNH3kTRH/GU:v6Zv2ivhBVnFvh5Q44+iisNLwHsOU

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{498A8486-8B9A-11D5-EBA1-F78EEEEEE983}	634233e57c1536876fab51bb4410375897aed30634cf72bd4aba4625a0fb1709.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{498A8486-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msjxk32.exe"	634233e57c1536876fab51bb4410375897aed30634cf72bd4aba4625a0fb1709.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	634233e57c1536876fab51bb4410375897aed30634cf72bd4aba4625a0fb1709.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1896-0-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/files/0x00070000000234ac-5.dat	upx
behavioral2/memory/1896-7-0x0000000000400000-0x0000000000439000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	634233e57c1536876fab51bb4410375897aed30634cf72bd4aba4625a0fb1709.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	634233e57c1536876fab51bb4410375897aed30634cf72bd4aba4625a0fb1709.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vcl32.exe	634233e57c1536876fab51bb4410375897aed30634cf72bd4aba4625a0fb1709.exe
File opened for modification	C:\Windows\SysWOW64\vcl32.exe	634233e57c1536876fab51bb4410375897aed30634cf72bd4aba4625a0fb1709.exe
File created	C:\Windows\SysWOW64\msjxk32.exe	634233e57c1536876fab51bb4410375897aed30634cf72bd4aba4625a0fb1709.exe
File opened for modification	C:\Windows\SysWOW64\msjxk32.exe	634233e57c1536876fab51bb4410375897aed30634cf72bd4aba4625a0fb1709.exe
File created	C:\Windows\SysWOW64\concp32.exe	634233e57c1536876fab51bb4410375897aed30634cf72bd4aba4625a0fb1709.exe
File opened for modification	C:\Windows\SysWOW64\concp32.exe	634233e57c1536876fab51bb4410375897aed30634cf72bd4aba4625a0fb1709.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3616	1896	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	634233e57c1536876fab51bb4410375897aed30634cf72bd4aba4625a0fb1709.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{498A8486-8B9A-11D5-EBA1-F78EEEEEE983}	634233e57c1536876fab51bb4410375897aed30634cf72bd4aba4625a0fb1709.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{498A8486-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32	634233e57c1536876fab51bb4410375897aed30634cf72bd4aba4625a0fb1709.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{498A8486-8B9A-11D5-EBA1-F78EEEEEE983}\sm = ebb5525fa3bcf9422c8ff945977d6af9	634233e57c1536876fab51bb4410375897aed30634cf72bd4aba4625a0fb1709.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{498A8486-8B9A-11D5-EBA1-F78EEEEEE983}\ax = 3412ab5633fd771bff6032bcc04eb49b	634233e57c1536876fab51bb4410375897aed30634cf72bd4aba4625a0fb1709.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	634233e57c1536876fab51bb4410375897aed30634cf72bd4aba4625a0fb1709.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1896	634233e57c1536876fab51bb4410375897aed30634cf72bd4aba4625a0fb1709.exe

C:\Users\Admin\AppData\Local\Temp\634233e57c1536876fab51bb4410375897aed30634cf72bd4aba4625a0fb1709.exe
"C:\Users\Admin\AppData\Local\Temp\634233e57c1536876fab51bb4410375897aed30634cf72bd4aba4625a0fb1709.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 744
  2⤵
  - Program crash
  PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1896 -ip 1896
1⤵
PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\concp32.exe

Filesize
756KB

MD5
c6fb414d7c199eff7c7c70d14a6214d4

SHA1
bd5e2b3a7e3dcff1313f9da09364352a55adb56f

SHA256
4716b4c1c202ffb04f66cec64d7837e299343345a0d83fd6de120a363c665bee

SHA512
a80d92c8f830c4424b3806c467ac6f5a8360e9463acde634eb291ff222e53dd21fabf803060167440d935a8e711da8e04e3456b528d27f5e08cf2ff537c8e172

Download Submit
memory/1896-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1896-7-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads