cf62d33cb26ac0a55e3cd529ea05d51580a22c4d5b421f7c0ed73a1af8b5e4b9

General

Target

40130a291cefeb3e7c3b829a4e64e500N.exe
Size

517KB
MD5

40130a291cefeb3e7c3b829a4e64e500
SHA1

76e1d91b224d4f3bdbc3556370bf4743d6c2c839
SHA256

cf62d33cb26ac0a55e3cd529ea05d51580a22c4d5b421f7c0ed73a1af8b5e4b9
SHA512

93aee1cfcc3c2ddb631aa7a9cea607fb535c9328a2b588db04d179413a6948f060545316f427c3e162734bb4b70538672c733ca103627e4ec0c9e5b07dd3b757
SSDEEP

6144:QdspDeDrxkg/vrMuJIgwhEFHyOrJcX/Pgqwzm5IzkWjS4e4azExBKO1t4Kb70NqT:28kxNhOZElO5kkWjhD4AOj5lG

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3964	NLRG.EXE

Modifies system executable filetype association 2 TTPs 3 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NLRG.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	40130a291cefeb3e7c3b829a4e64e500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\UYUQEYK.EXE \"%1\" %*"	40130a291cefeb3e7c3b829a4e64e500N.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4356-0-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/files/0x00070000000234e7-10.dat	upx
behavioral2/files/0x0009000000023489-22.dat	upx
behavioral2/memory/4356-24-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/memory/3964-25-0x0000000000400000-0x0000000000478000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UYUQEYK.EXE = "C:\\Windows\\UYUQEYK.EXE"	40130a291cefeb3e7c3b829a4e64e500N.exe

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	40130a291cefeb3e7c3b829a4e64e500N.exe
File opened (read-only)	\??\K:	40130a291cefeb3e7c3b829a4e64e500N.exe
File opened (read-only)	\??\L:	40130a291cefeb3e7c3b829a4e64e500N.exe
File opened (read-only)	\??\N:	40130a291cefeb3e7c3b829a4e64e500N.exe
File opened (read-only)	\??\O:	40130a291cefeb3e7c3b829a4e64e500N.exe
File opened (read-only)	\??\R:	40130a291cefeb3e7c3b829a4e64e500N.exe
File opened (read-only)	\??\H:	40130a291cefeb3e7c3b829a4e64e500N.exe
File opened (read-only)	\??\I:	40130a291cefeb3e7c3b829a4e64e500N.exe
File opened (read-only)	\??\P:	40130a291cefeb3e7c3b829a4e64e500N.exe
File opened (read-only)	\??\G:	40130a291cefeb3e7c3b829a4e64e500N.exe
File opened (read-only)	\??\J:	40130a291cefeb3e7c3b829a4e64e500N.exe
File opened (read-only)	\??\S:	40130a291cefeb3e7c3b829a4e64e500N.exe
File opened (read-only)	\??\U:	40130a291cefeb3e7c3b829a4e64e500N.exe
File opened (read-only)	\??\V:	40130a291cefeb3e7c3b829a4e64e500N.exe
File opened (read-only)	\??\M:	40130a291cefeb3e7c3b829a4e64e500N.exe
File opened (read-only)	\??\Q:	40130a291cefeb3e7c3b829a4e64e500N.exe
File opened (read-only)	\??\T:	40130a291cefeb3e7c3b829a4e64e500N.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\NLRG.EXE	40130a291cefeb3e7c3b829a4e64e500N.exe
File opened for modification	C:\Program Files\NLRG.EXE	40130a291cefeb3e7c3b829a4e64e500N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\UYUQEYK.EXE	40130a291cefeb3e7c3b829a4e64e500N.exe
File opened for modification	C:\Windows\UYUQEYK.EXE	40130a291cefeb3e7c3b829a4e64e500N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40130a291cefeb3e7c3b829a4e64e500N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NLRG.EXE

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	40130a291cefeb3e7c3b829a4e64e500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	40130a291cefeb3e7c3b829a4e64e500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\UYUQEYK.EXE \"%1\" %*"	40130a291cefeb3e7c3b829a4e64e500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NLRG.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\UYUQEYK.EXE %1"	40130a291cefeb3e7c3b829a4e64e500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file	40130a291cefeb3e7c3b829a4e64e500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Windows\\UYUQEYK.EXE \"%1\""	40130a291cefeb3e7c3b829a4e64e500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command	40130a291cefeb3e7c3b829a4e64e500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Windows\\UYUQEYK.EXE %1"	40130a291cefeb3e7c3b829a4e64e500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	40130a291cefeb3e7c3b829a4e64e500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command	40130a291cefeb3e7c3b829a4e64e500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell	40130a291cefeb3e7c3b829a4e64e500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	40130a291cefeb3e7c3b829a4e64e500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open	40130a291cefeb3e7c3b829a4e64e500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Windows\\UYUQEYK.EXE \"%1\""	40130a291cefeb3e7c3b829a4e64e500N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3964	NLRG.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 3964	4356	40130a291cefeb3e7c3b829a4e64e500N.exe	83
PID 4356 wrote to memory of 3964	4356	40130a291cefeb3e7c3b829a4e64e500N.exe	83
PID 4356 wrote to memory of 3964	4356	40130a291cefeb3e7c3b829a4e64e500N.exe	83

C:\Users\Admin\AppData\Local\Temp\40130a291cefeb3e7c3b829a4e64e500N.exe
"C:\Users\Admin\AppData\Local\Temp\40130a291cefeb3e7c3b829a4e64e500N.exe"
1⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Program Files\NLRG.EXE
  "C:\Program Files\NLRG.EXE"
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\NLRG.EXE

Filesize
517KB

MD5
87765b19fa22f722d42489477063babf

SHA1
aa260308efbea9c7500e9dc27e837460a5389c91

SHA256
0aa5a78716db7948ce1546e3ba9cdb2d22e988c149674108f89d7ae839fd9a01

SHA512
0aed4698a6a09cf69e277a24e852d7f2b3a0c78027b1b6a8a8df68d90b8928ce7eb68843fc4d3cf49455e4d2a4bab63e0d4fe9c0dcad6d8aea34cba7315e76ec

Download Submit
C:\Windows\UYUQEYK.EXE

Filesize
517KB

MD5
22179276bf33be800c29ab902165f212

SHA1
735f5bd14cef5e1a34e88bb01a65a922aadd5887

SHA256
2ad092dd9847317c1df29ea062cc2fca9656a15064c90671c22ac748c72c54b1

SHA512
4e7f2e8f8d8d6278b84f7d08a8aa6a4c96af430f9c2181d36cc675cba68a0e7a8ee6cca2a10e6e940ccfeb626425b03be39275e65fbd30a4a5057184e1c80e7a

Download Submit
C:\filedebug

Filesize
222B

MD5
833e628094c38bcb994bf16242bdfa87

SHA1
cd6292d7dc89b17947bec6c2c0b0d7a8bcf0ecb5

SHA256
63f167600def4a1395357d7bab36e381ca0f8c99315f0e53406862bf522bb522

SHA512
749f83f4582a618aada91e96057162f1c4d4dc86e678f0d22ac9c7679a8426fe07668c155c5bd0b128477dec9a81badcb6cb6f8ab98e4488b317d830cfaf76e7

Download Submit
memory/3964-23-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/3964-25-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4356-0-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4356-1-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/4356-24-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads