b5edf17fc0400f93627aa9f042f3abf2a52fdacfda2cf2cd333edb84e7f5ed38

General

Target

db3800128f4313be08709acbbdc99460N.exe
Size

979KB
MD5

db3800128f4313be08709acbbdc99460
SHA1

db901b47a688a09a0045358708371eea5ea78006
SHA256

b5edf17fc0400f93627aa9f042f3abf2a52fdacfda2cf2cd333edb84e7f5ed38
SHA512

781bed6d92d97aae3ddb88d453ce1f193d7bad8fdc6941cb67c8d1e63fca38133a4920825c95ffaf73f252a33a66b45422ff40156ce22fd941e5dd1360c8d548
SSDEEP

24576:v6Zv2ivhBVnFys7xP86LXtqZEGuhQTvsJPIl4z4HV:vE2ivhQs7dLXOEvhQTiglj

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACFB4989-8B9A-11D5-EBA1-F78EEEEEE983}	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACFB4989-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msknu32.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACFB4989-8B9A-11D5-EBA1-F78EEEEEE983}	db3800128f4313be08709acbbdc99460N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACFB4989-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msknu32.exe"	db3800128f4313be08709acbbdc99460N.exe

Executes dropped EXE 1 IoCs

pid	Process
2304	spoolsv.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	db3800128f4313be08709acbbdc99460N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	spoolsv.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1744-0-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/files/0x00070000000186d9-5.dat	upx
behavioral1/memory/1744-10-0x0000000000220000-0x0000000000259000-memory.dmp	upx
behavioral1/files/0x0035000000017530-15.dat	upx
behavioral1/memory/1744-14-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/2304-16-0x0000000000400000-0x0000000000439000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	db3800128f4313be08709acbbdc99460N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	db3800128f4313be08709acbbdc99460N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	spoolsv.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vcl32.exe	db3800128f4313be08709acbbdc99460N.exe
File opened for modification	C:\Windows\SysWOW64\vcl32.exe	db3800128f4313be08709acbbdc99460N.exe
File created	C:\Windows\SysWOW64\msknu32.exe	db3800128f4313be08709acbbdc99460N.exe
File opened for modification	C:\Windows\SysWOW64\msknu32.exe	db3800128f4313be08709acbbdc99460N.exe
File created	C:\Windows\SysWOW64\concp32.exe	db3800128f4313be08709acbbdc99460N.exe
File opened for modification	C:\Windows\SysWOW64\concp32.exe	db3800128f4313be08709acbbdc99460N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\spoolsv.exe	db3800128f4313be08709acbbdc99460N.exe
File opened for modification	C:\Windows\spoolsv.exe	db3800128f4313be08709acbbdc99460N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db3800128f4313be08709acbbdc99460N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ACFB4989-8B9A-11D5-EBA1-F78EEEEEE983}	db3800128f4313be08709acbbdc99460N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ACFB4989-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32	db3800128f4313be08709acbbdc99460N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ACFB4989-8B9A-11D5-EBA1-F78EEEEEE983}	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ACFB4989-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ACFB4989-8B9A-11D5-EBA1-F78EEEEEE983}\u1 = 551d2e0658054ba756fd3798fea5ffca42865cb762a31639dabd7f2cca44e226	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ACFB4989-8B9A-11D5-EBA1-F78EEEEEE983}\u2 = a54a6b702f92fdf2acd57599e2ae1608015dff41aa020117fc9bd8e2dcf4340f3fa61eb55d6f28597df90602703809d4	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ACFB4989-8B9A-11D5-EBA1-F78EEEEEE983}\v = "165"	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ACFB4989-8B9A-11D5-EBA1-F78EEEEEE983}\sm = 01b8ec350471bd332433eee476ebe1f3	db3800128f4313be08709acbbdc99460N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ACFB4989-8B9A-11D5-EBA1-F78EEEEEE983}\ax = b51db83c12ee608eae17682cd6194fba	db3800128f4313be08709acbbdc99460N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	db3800128f4313be08709acbbdc99460N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ACFB4989-8B9A-11D5-EBA1-F78EEEEEE983}\u0 = 658663d26f8bad325217a06063847056939f558d910ed252e05dd0113550f7fc0f4da82ff73a0681ba604c2d4f23269f	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1744	db3800128f4313be08709acbbdc99460N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2304	1744	db3800128f4313be08709acbbdc99460N.exe	29
PID 1744 wrote to memory of 2304	1744	db3800128f4313be08709acbbdc99460N.exe	29
PID 1744 wrote to memory of 2304	1744	db3800128f4313be08709acbbdc99460N.exe	29
PID 1744 wrote to memory of 2304	1744	db3800128f4313be08709acbbdc99460N.exe	29

C:\Users\Admin\AppData\Local\Temp\db3800128f4313be08709acbbdc99460N.exe
"C:\Users\Admin\AppData\Local\Temp\db3800128f4313be08709acbbdc99460N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\spoolsv.exe
  C:\Windows\spoolsv.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\concp32.exe

Filesize
983KB

MD5
2782964b597d9f1fddb7bc78ce1be213

SHA1
5d1e63f5f332ec94cef43aa2a62339803503d8a3

SHA256
314baccad461d54c4ca3976a28d1c25597c4ed1f504ae3c56dda23094ae7359e

SHA512
67236e537f7587e608b8893ee5733be19447ecf31d3b7bef80e45e0c52fe94cc6f7e9bacd03eb6878bbc2eb336620ce36f2ce578611e3e71b408cd3ba93a0b07

Download Submit
C:\Windows\spoolsv.exe

Filesize
984KB

MD5
0e65cbfab7ffeacc3dc35c8c2fdec883

SHA1
d86a8535695d2ea8d11a89d6813601ac6e9a6001

SHA256
2bdc0d0254934efc194f9fc0d4bc79dbbe5d33805924d999a3ed1a8dab2a9ad6

SHA512
4232b11fdc3cc871b53e8acdbeae76ac5b9b1cfbdc965aba2589a1007b7a139e14d60db708c1257d003458f452ba11db387d0bef49d5c53da3a4e99f3d53ba44

Download Submit
memory/1744-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1744-10-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1744-14-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2304-16-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads