c9ca4d1d021404f175b5bd49a2f5168551b4049aedcf6bb6a6b28944a66635a1

General

Target

31d3cb71a1b6bfbb3f69f877c5c495d0N.exe
Size

155KB
MD5

31d3cb71a1b6bfbb3f69f877c5c495d0
SHA1

a23b933b989eba446ef1f455a3f4ac0bb4e7cb76
SHA256

c9ca4d1d021404f175b5bd49a2f5168551b4049aedcf6bb6a6b28944a66635a1
SHA512

5e28a4118230d1e0b6441fec7b8fd3927a8bcd260c956f6b1e7d38c23f0526f5018b68539334393729e88383f67347e59bff4ee5117ab463975edd4207757f97
SSDEEP

3072:e79l86WqGzIfjZAVPXwu7xXIeoutyR9QXh1aQ5:erzW/zeZqPpOeoSyQXh0Q5

Score

7^/10

defense_evasion discovery persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2884	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
804	AhnSvc.exe

Loads dropped DLL 2 IoCs

pid	Process
1232	31d3cb71a1b6bfbb3f69f877c5c495d0N.exe
1232	31d3cb71a1b6bfbb3f69f877c5c495d0N.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1232-0-0x00000000011E0000-0x000000000120A000-memory.dmp	upx
behavioral1/files/0x0008000000015db6-2.dat	upx
behavioral1/memory/804-11-0x0000000000E30000-0x0000000000E5A000-memory.dmp	upx
behavioral1/memory/1232-12-0x00000000011E0000-0x000000000120A000-memory.dmp	upx
behavioral1/memory/804-14-0x0000000000E30000-0x0000000000E5A000-memory.dmp	upx
behavioral1/memory/1232-15-0x00000000011E0000-0x000000000120A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AhnUpadate = "\"C:\\ProgramData\\AhnLab\\AhnSvc.exe\" /run"	31d3cb71a1b6bfbb3f69f877c5c495d0N.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31d3cb71a1b6bfbb3f69f877c5c495d0N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1232	31d3cb71a1b6bfbb3f69f877c5c495d0N.exe
Token: SeDebugPrivilege	804	AhnSvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 804	1232	31d3cb71a1b6bfbb3f69f877c5c495d0N.exe	30
PID 1232 wrote to memory of 804	1232	31d3cb71a1b6bfbb3f69f877c5c495d0N.exe	30
PID 1232 wrote to memory of 804	1232	31d3cb71a1b6bfbb3f69f877c5c495d0N.exe	30
PID 1232 wrote to memory of 804	1232	31d3cb71a1b6bfbb3f69f877c5c495d0N.exe	30
PID 1232 wrote to memory of 2884	1232	31d3cb71a1b6bfbb3f69f877c5c495d0N.exe	32
PID 1232 wrote to memory of 2884	1232	31d3cb71a1b6bfbb3f69f877c5c495d0N.exe	32
PID 1232 wrote to memory of 2884	1232	31d3cb71a1b6bfbb3f69f877c5c495d0N.exe	32
PID 1232 wrote to memory of 2884	1232	31d3cb71a1b6bfbb3f69f877c5c495d0N.exe	32

C:\Users\Admin\AppData\Local\Temp\31d3cb71a1b6bfbb3f69f877c5c495d0N.exe
"C:\Users\Admin\AppData\Local\Temp\31d3cb71a1b6bfbb3f69f877c5c495d0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232
- C:\ProgramData\AhnLab\AhnSvc.exe
  "C:\ProgramData\AhnLab\AhnSvc.exe" /run
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\31d3cb71a1b6bfbb3f69f877c5c495d0N.exe" >> NUL
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\AhnLab\AhnSvc.exe

Filesize
155KB

MD5
ab9b3b3418696c647a8f3915584876db

SHA1
677aa351864319826c2aedf3029c8e66e95a987d

SHA256
ef59bf917f03b8bd2bdc316e831a918265737cdd4023e1476c7396c4865b380c

SHA512
0dc84ef031f66da0713d968ff7f557908f89342064462bc520af3e3cffa0ca483852eea56165b5bb0708843834dcc4f1dabb3e6048d30f7ae1c7c138742c8750

Download Submit
memory/804-11-0x0000000000E30000-0x0000000000E5A000-memory.dmp

Filesize
168KB

Download
memory/804-14-0x0000000000E30000-0x0000000000E5A000-memory.dmp

Filesize
168KB

Download
memory/1232-0-0x00000000011E0000-0x000000000120A000-memory.dmp

Filesize
168KB

Download
memory/1232-10-0x0000000000E30000-0x0000000000E5A000-memory.dmp

Filesize
168KB

Download
memory/1232-9-0x0000000000E30000-0x0000000000E5A000-memory.dmp

Filesize
168KB

Download
memory/1232-12-0x00000000011E0000-0x000000000120A000-memory.dmp

Filesize
168KB

Download
memory/1232-13-0x0000000000E30000-0x0000000000E5A000-memory.dmp

Filesize
168KB

Download
memory/1232-15-0x00000000011E0000-0x000000000120A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads