fe94e38c55e7898102df2d3f3786b7c350bd098cd0906a101f7e4ec0a215cba0

General

Target

0f03ff57acdadda88791714ab37924e0N.exe
Size

762KB
MD5

0f03ff57acdadda88791714ab37924e0
SHA1

6047559b667a4173a684dd5cde6c42bb0d0d78b2
SHA256

fe94e38c55e7898102df2d3f3786b7c350bd098cd0906a101f7e4ec0a215cba0
SHA512

633b62897bd2a8c64eb74fc76ccc113948f04141a7ebb9c478a8f86980ea44cfa6c269997010f9a5f3135f94e39368cca4941af3a3a132de4e7462446a7a847d
SSDEEP

12288:7tKe6Zv23YLVFhBsC8iFHs+hsuQXIQRUP/g8t5/bIwYhT6xDA:v6Zv2ivhBVnFvh5Q44UP48ncwQT61A

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C5646A7-8B9A-11D5-EBA1-F78EEEEEE983}	0f03ff57acdadda88791714ab37924e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C5646A7-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "mseat32.exe"	0f03ff57acdadda88791714ab37924e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C5646A7-8B9A-11D5-EBA1-F78EEEEEE983}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C5646A7-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "mseat32.exe"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
3056	svchost.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	0f03ff57acdadda88791714ab37924e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	svchost.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1848-0-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/files/0x0007000000016d58-5.dat	upx
behavioral1/memory/1848-10-0x0000000000220000-0x0000000000259000-memory.dmp	upx
behavioral1/memory/1848-14-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/files/0x0015000000016ceb-15.dat	upx
behavioral1/memory/3056-17-0x0000000000400000-0x0000000000439000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	0f03ff57acdadda88791714ab37924e0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	0f03ff57acdadda88791714ab37924e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\concp32.exe	0f03ff57acdadda88791714ab37924e0N.exe
File opened for modification	C:\Windows\SysWOW64\concp32.exe	0f03ff57acdadda88791714ab37924e0N.exe
File created	C:\Windows\SysWOW64\vcl32.exe	0f03ff57acdadda88791714ab37924e0N.exe
File opened for modification	C:\Windows\SysWOW64\vcl32.exe	0f03ff57acdadda88791714ab37924e0N.exe
File created	C:\Windows\SysWOW64\mseat32.exe	0f03ff57acdadda88791714ab37924e0N.exe
File opened for modification	C:\Windows\SysWOW64\mseat32.exe	0f03ff57acdadda88791714ab37924e0N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	0f03ff57acdadda88791714ab37924e0N.exe
File opened for modification	C:\Windows\svchost.exe	0f03ff57acdadda88791714ab37924e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f03ff57acdadda88791714ab37924e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5646A7-8B9A-11D5-EBA1-F78EEEEEE983}\v = "165"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5646A7-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32	0f03ff57acdadda88791714ab37924e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	0f03ff57acdadda88791714ab37924e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5646A7-8B9A-11D5-EBA1-F78EEEEEE983}	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5646A7-8B9A-11D5-EBA1-F78EEEEEE983}\u0 = 658663d26f8bad325217a06063847056939f558d910ed252e05dd0113550f7fc0f4da82ff73a0681ba604c2d4f23269f	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5646A7-8B9A-11D5-EBA1-F78EEEEEE983}\u1 = 551d2e0658054ba756fd3798fea5ffca42865cb762a31639dabd7f2cca44e226	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5646A7-8B9A-11D5-EBA1-F78EEEEEE983}	0f03ff57acdadda88791714ab37924e0N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5646A7-8B9A-11D5-EBA1-F78EEEEEE983}\sm = ebb5525fa3bcf9422c8ff945977d6af9	0f03ff57acdadda88791714ab37924e0N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5646A7-8B9A-11D5-EBA1-F78EEEEEE983}\ax = 138f5e7ad8e8dd30e08135a3b4dd40d1	0f03ff57acdadda88791714ab37924e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5646A7-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5646A7-8B9A-11D5-EBA1-F78EEEEEE983}\u2 = a54a6b702f92fdf2acd57599e2ae1608015dff41aa020117fc9bd8e2dcf4340f3fa61eb55d6f28597df90602703809d4	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1848	0f03ff57acdadda88791714ab37924e0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 3056	1848	0f03ff57acdadda88791714ab37924e0N.exe	30
PID 1848 wrote to memory of 3056	1848	0f03ff57acdadda88791714ab37924e0N.exe	30
PID 1848 wrote to memory of 3056	1848	0f03ff57acdadda88791714ab37924e0N.exe	30
PID 1848 wrote to memory of 3056	1848	0f03ff57acdadda88791714ab37924e0N.exe	30

C:\Users\Admin\AppData\Local\Temp\0f03ff57acdadda88791714ab37924e0N.exe
"C:\Users\Admin\AppData\Local\Temp\0f03ff57acdadda88791714ab37924e0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\concp32.exe

Filesize
771KB

MD5
9c10ee6083b9f907a31a34004c6bded4

SHA1
86a149e4d22740bce6fd5d63faa77e6af0817cb0

SHA256
2e8e5b1cf6bc05a806c678231ed60d65985fad15225393bdb6b8d3d18035e9ae

SHA512
881ffc5ae1de67cc13cf76395d63eeaa43ba55aa64186eb062d1f6361e60f713170a015508c597bdca955f8d4a04748ac0e46a9191873e3ca67a070bbb0ce32c

Download Submit
C:\Windows\svchost.exe

Filesize
764KB

MD5
c2773155224ef2bc1fcf8f2a4f6be802

SHA1
204627f86cb8fd432bddcc4c877cee6c9a2ea88d

SHA256
412a759713e6a2be1b5578a6ef5c44d77543094e2a11ac39244cfee4b88041c8

SHA512
9913f57e42cb1065226c10518f3c475fd42953e0f981edced9143d234404eb6498e87625a2c154047d196d88e4a9f74d1359343cc91b5c6e4a48640bb8fb580c

Download Submit
memory/1848-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1848-10-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1848-14-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1848-16-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/3056-17-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads