c236d2b1c61673115c1bea56ed4d80005ff34beae4cb5dd6fd67554fc2af40bf

General

Target

645a56cab20008b072427ab4c05e44a0N.exe
Size

166KB
MD5

645a56cab20008b072427ab4c05e44a0
SHA1

ee436b249cfa7b3a8c8247f8f4d5731355be5b83
SHA256

c236d2b1c61673115c1bea56ed4d80005ff34beae4cb5dd6fd67554fc2af40bf
SHA512

05a10c4d6014225a2af4616b8fec0343fd67396cf081c28bb338e3aa3bd5dda12c40dd3467709487946e5ccf54fc0a6d76a0a71ffa0d9c87510c64345ba0b85b
SSDEEP

1536:i2WDcOpULCH0a+TNXyyXetH28JZveKivnV:zWDuLzZXyyXeECveDnV

Score

8^/10

defense_evasion discovery evasion upx

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2316	attrib.exe

Deletes itself 1 IoCs

pid	Process
2664	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2036	okehost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1696-0-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2036-5-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/files/0x00090000000120f9-4.dat	upx
behavioral1/memory/1696-6-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2036-7-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Debug\okehost.exe	645a56cab20008b072427ab4c05e44a0N.exe
File opened for modification	C:\Windows\Debug\okehost.exe	645a56cab20008b072427ab4c05e44a0N.exe
File opened for modification	C:\Windows\Debug\okehost.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	okehost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	645a56cab20008b072427ab4c05e44a0N.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	okehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	okehost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1696	645a56cab20008b072427ab4c05e44a0N.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2316	1696	645a56cab20008b072427ab4c05e44a0N.exe	29
PID 1696 wrote to memory of 2316	1696	645a56cab20008b072427ab4c05e44a0N.exe	29
PID 1696 wrote to memory of 2316	1696	645a56cab20008b072427ab4c05e44a0N.exe	29
PID 1696 wrote to memory of 2316	1696	645a56cab20008b072427ab4c05e44a0N.exe	29
PID 1696 wrote to memory of 2664	1696	645a56cab20008b072427ab4c05e44a0N.exe	32
PID 1696 wrote to memory of 2664	1696	645a56cab20008b072427ab4c05e44a0N.exe	32
PID 1696 wrote to memory of 2664	1696	645a56cab20008b072427ab4c05e44a0N.exe	32
PID 1696 wrote to memory of 2664	1696	645a56cab20008b072427ab4c05e44a0N.exe	32

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2316	attrib.exe

C:\Users\Admin\AppData\Local\Temp\645a56cab20008b072427ab4c05e44a0N.exe
"C:\Users\Admin\AppData\Local\Temp\645a56cab20008b072427ab4c05e44a0N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\attrib.exe
  attrib +a +s +h +r C:\Windows\Debug\okehost.exe
  2⤵
  - Sets file to hidden
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2316
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\645A56~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2664

C:\Windows\Debug\okehost.exe
C:\Windows\Debug\okehost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\debug\okehost.exe

Filesize
166KB

MD5
80b760fb08fa316fd7b595efa29edc6f

SHA1
181183c8bb893771aff4bca1a4fbf9895cba993b

SHA256
80972cbdf3ed27e918c069b0e03b95ff333346b5a30c412b6761ed0a3d013d70

SHA512
09fead3d6863863b873295c6a20048cd8cbd3a9f1e6a3627a1ae17338d7ae7f99d4f45a34558c009cbef8721206523a944b8e5076b3405a1746fedae00d745a5

Download Submit
memory/1696-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1696-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2036-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2036-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads