ad722314183b7cd89c167ae725db00cfe96e6904ed83b09b7a8c6175b3a18718

General

Target

d0954e44eeb388cc941041f532be31a0N.exe
Size

48KB
MD5

d0954e44eeb388cc941041f532be31a0
SHA1

8f77bc4b9a9f96a6d34690c0cb8d01a2ad0897cb
SHA256

ad722314183b7cd89c167ae725db00cfe96e6904ed83b09b7a8c6175b3a18718
SHA512

8c444803b2df06898249d114b6004055d88724bca44c2b44cccb0646b74cb3635b5f61748bb0c3f5d1bfc4d8d3cd68a3e00ff9b18549d83f8a2a78e1968a204b
SSDEEP

1536:yoMuwospyudrnMjVhDIP4ka3q3oaQOF4nouy8BX:DMcsEknMLDIFEOKoutBX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2380	services.exe
2880	services.exe

Loads dropped DLL 6 IoCs

pid	Process
2592	d0954e44eeb388cc941041f532be31a0N.exe
2592	d0954e44eeb388cc941041f532be31a0N.exe
2592	d0954e44eeb388cc941041f532be31a0N.exe
2592	d0954e44eeb388cc941041f532be31a0N.exe
2592	d0954e44eeb388cc941041f532be31a0N.exe
2380	services.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2592-0-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/files/0x0009000000016d21-28.dat	upx
behavioral1/memory/2380-46-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2592-48-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2880-55-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2880-52-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2880-60-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2880-59-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2380-58-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2880-57-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2880-63-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2880-68-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2880-71-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2880-72-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2880-74-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2880-78-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2880-81-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2880-84-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2880-86-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2880-90-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2880-93-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2880-95-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2880-98-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Essentials = "C:\\Users\\Admin\\AppData\\Roaming\\services.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Essentials = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Essentials = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	services.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2380 set thread context of 2880	2380	services.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0954e44eeb388cc941041f532be31a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2592	d0954e44eeb388cc941041f532be31a0N.exe
2380	services.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 1932	2592	d0954e44eeb388cc941041f532be31a0N.exe	30
PID 2592 wrote to memory of 1932	2592	d0954e44eeb388cc941041f532be31a0N.exe	30
PID 2592 wrote to memory of 1932	2592	d0954e44eeb388cc941041f532be31a0N.exe	30
PID 2592 wrote to memory of 1932	2592	d0954e44eeb388cc941041f532be31a0N.exe	30
PID 1932 wrote to memory of 2196	1932	cmd.exe	32
PID 1932 wrote to memory of 2196	1932	cmd.exe	32
PID 1932 wrote to memory of 2196	1932	cmd.exe	32
PID 1932 wrote to memory of 2196	1932	cmd.exe	32
PID 2592 wrote to memory of 2380	2592	d0954e44eeb388cc941041f532be31a0N.exe	33
PID 2592 wrote to memory of 2380	2592	d0954e44eeb388cc941041f532be31a0N.exe	33
PID 2592 wrote to memory of 2380	2592	d0954e44eeb388cc941041f532be31a0N.exe	33
PID 2592 wrote to memory of 2380	2592	d0954e44eeb388cc941041f532be31a0N.exe	33
PID 2380 wrote to memory of 2880	2380	services.exe	34
PID 2380 wrote to memory of 2880	2380	services.exe	34
PID 2380 wrote to memory of 2880	2380	services.exe	34
PID 2380 wrote to memory of 2880	2380	services.exe	34
PID 2380 wrote to memory of 2880	2380	services.exe	34
PID 2380 wrote to memory of 2880	2380	services.exe	34
PID 2380 wrote to memory of 2880	2380	services.exe	34
PID 2380 wrote to memory of 2880	2380	services.exe	34
PID 2380 wrote to memory of 2880	2380	services.exe	34

C:\Users\Admin\AppData\Local\Temp\d0954e44eeb388cc941041f532be31a0N.exe
"C:\Users\Admin\AppData\Local\Temp\d0954e44eeb388cc941041f532be31a0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\bksxY.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\services.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2196
- C:\Users\Admin\AppData\Roaming\services.exe
  "C:\Users\Admin\AppData\Roaming\services.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Users\Admin\AppData\Roaming\services.exe
    C:\Users\Admin\AppData\Roaming\services.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bksxY.bat

Filesize
150B

MD5
30158d29e765707d6c1f38d4ea60f91b

SHA1
e02d5cc507e7f77c0a7f879e3596bd279ddf1f97

SHA256
c64a62b30b3ef9c2bb43438659cbbe1d57c1c762d4d58ebf9d188d409421e6f9

SHA512
2e72f9529063d74530cc29d04b92837496983d9417c91890ce8a616076889a13f0b1cd7954390b83a3e2e946696e4b7bbb4605b145ad5aa7904f051068ff5ff1

Download Submit
\Users\Admin\AppData\Roaming\services.exe

Filesize
48KB

MD5
68340ba6c5a0ae88eea62ce3ea9d64f6

SHA1
604c8087ef12600edde44cafc14dbda757c85d40

SHA256
dde4e166e329c067addbf71b87b947437d9de37b55931201a9079668522f1392

SHA512
ec5afb1df62a119accd838ccba2654692a7cde52d1f52d90fc62d8bc0212f593ba4df455216363a68f3d46aa6bbaa77a1d93021385889c4970225174fec27151

Download Submit
memory/2380-58-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2380-46-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2380-51-0x0000000000250000-0x000000000029B000-memory.dmp

Filesize
300KB

Download
memory/2592-43-0x0000000003260000-0x00000000032AB000-memory.dmp

Filesize
300KB

Download
memory/2592-48-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2592-0-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2880-57-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2880-74-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2880-59-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2880-52-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2880-55-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2880-63-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2880-68-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2880-71-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2880-72-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2880-60-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2880-78-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2880-81-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2880-84-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2880-86-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2880-90-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2880-93-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2880-95-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2880-98-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads