15961b82cfe83fdce0c6c9dcabe12dac226c2c3bbd896307c237927eadbe7896

General

Target

15961b82cfe83fdce0c6c9dcabe12dac226c2c3bbd896307c237927eadbe7896.exe
Size

6.9MB
MD5

64c22f693cfbab08cebf09afccd7d583
SHA1

a4d3f952ab8d6d545448ee41d75a8783feff844e
SHA256

15961b82cfe83fdce0c6c9dcabe12dac226c2c3bbd896307c237927eadbe7896
SHA512

582e97c8f6d12c21936cdc8cb10d6d87181ad4684f830171de849c11458fd55c0463c6f5a927d3c4d1a2746c4aa8cf08d1c2bb8038a9dd45421374811261990f
SSDEEP

98304:xfPYPxC92uxx0FhnIRPFzmN2R8xqUb8FdaLmowNLL49wzjwtArzQojzHFL2VihPs:xgxCjx0M/jYb8QwNnIPtAYojzlLeiNJq

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4088	15961b82cfe83fdce0c6c9dcabe12dac226c2c3bbd896307c237927eadbe7896.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4088-0-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-1-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-21-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-20-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-17-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-15-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-49-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-46-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-36-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-33-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-31-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-29-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-23-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-11-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-48-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-47-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-41-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-38-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-3-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-27-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-25-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-13-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-9-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-7-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-5-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-2-0x0000000001320000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/4088-52-0x0000000001320000-0x000000000135E000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\duokai.dll	15961b82cfe83fdce0c6c9dcabe12dac226c2c3bbd896307c237927eadbe7896.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15961b82cfe83fdce0c6c9dcabe12dac226c2c3bbd896307c237927eadbe7896.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4088	15961b82cfe83fdce0c6c9dcabe12dac226c2c3bbd896307c237927eadbe7896.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4088	15961b82cfe83fdce0c6c9dcabe12dac226c2c3bbd896307c237927eadbe7896.exe
Token: SeDebugPrivilege	4088	15961b82cfe83fdce0c6c9dcabe12dac226c2c3bbd896307c237927eadbe7896.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4088	15961b82cfe83fdce0c6c9dcabe12dac226c2c3bbd896307c237927eadbe7896.exe
4088	15961b82cfe83fdce0c6c9dcabe12dac226c2c3bbd896307c237927eadbe7896.exe
4088	15961b82cfe83fdce0c6c9dcabe12dac226c2c3bbd896307c237927eadbe7896.exe
4088	15961b82cfe83fdce0c6c9dcabe12dac226c2c3bbd896307c237927eadbe7896.exe
4088	15961b82cfe83fdce0c6c9dcabe12dac226c2c3bbd896307c237927eadbe7896.exe

C:\Users\Admin\AppData\Local\Temp\15961b82cfe83fdce0c6c9dcabe12dac226c2c3bbd896307c237927eadbe7896.exe
"C:\Users\Admin\AppData\Local\Temp\15961b82cfe83fdce0c6c9dcabe12dac226c2c3bbd896307c237927eadbe7896.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\15961b82cfe83fdce0c6c9dcabe12dac226c2c3bbd896307c237927eadbe7896.exe

Filesize
6.9MB

MD5
c587501620a4efc2c64e728d9460d429

SHA1
56e146821fdd89b973450c3cb242b01b7082bbc5

SHA256
0c1967f3fb813c7abbbc07766dcddeca2f7c35b8fc8c98b0db8c3dd4f399ff5b

SHA512
f2644838f733a159f604af4ddfbd28501a4c15ea369cbcd67a746dfc88f9959b0148f48def87efbd465c233cd2fecd61abb991ae333a32a1c6c36a0dc32b39a4

Download Submit
C:\Windows\duokai.dll

Filesize
155KB

MD5
7e288c629f2df794b9c7ae0dfc61531e

SHA1
1bdac38d968b5172c28f3d92ce2691b568c7f229

SHA256
f5e13c9d2826cf623522a4fa8d36ef271ce458d26d460a4fac373e4d81857d2d

SHA512
58fd8ccd2a885477d1a7bc2b0855b1b403b2fc0c0223ef3682808c3a8091a832c62819c3b2232d3d5ebd3df06971299cf85ee7e5ffccd2c81356b22fa8e4012a

Download Submit
memory/4088-48-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-52-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-17-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-15-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-49-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-46-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-36-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-33-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-31-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-29-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-23-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-41-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-20-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-0-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-11-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-38-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-3-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-27-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-25-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-13-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-9-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-7-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-5-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-2-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-47-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-21-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download
memory/4088-1-0x0000000001320000-0x000000000135E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing