e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbf

General

Target

e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe
Size

171KB
MD5

e4bab18853c1124af84cb34830a25940
SHA1

077cc65709ffe3b561ab773e1d3a6703e40ab8ba
SHA256

e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbf
SHA512

3b83848337547eb2394fa8024c84a297384f5e7d95d3e10a91d0269f770c27991eb106fb7496a8f5324ad26cc1dc269e662d225440006449cc97088e7824433e
SSDEEP

3072:rZcFmpOW3uUMKH83ECl9Zsows7T+gVTQ4e+9Ec0Daq56UfEvnbi:ln3NM2jC2ows7iuTJe+9E/ai61b

Score

10^/10

discovery persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\630AE\\F88D4.exe"	e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3248-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4616-13-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4616-15-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3248-16-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3248-17-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/1460-114-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1460-115-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3248-116-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3248-298-0x0000000000400000-0x0000000000491000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 4616	3248	e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe	84
PID 3248 wrote to memory of 4616	3248	e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe	84
PID 3248 wrote to memory of 4616	3248	e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe	84
PID 3248 wrote to memory of 1460	3248	e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe	90
PID 3248 wrote to memory of 1460	3248	e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe	90
PID 3248 wrote to memory of 1460	3248	e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe	90

C:\Users\Admin\AppData\Local\Temp\e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe
"C:\Users\Admin\AppData\Local\Temp\e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Users\Admin\AppData\Local\Temp\e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe
  C:\Users\Admin\AppData\Local\Temp\e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe startC:\Program Files (x86)\LP\D4A6\9CB.exe%C:\Program Files (x86)\LP\D4A6
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4616
- C:\Users\Admin\AppData\Local\Temp\e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe
  C:\Users\Admin\AppData\Local\Temp\e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe startC:\Program Files (x86)\AED55\lvvm.exe%C:\Program Files (x86)\AED55
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\630AE\ED55.30A

Filesize
996B

MD5
c2e79ae05971a43a94ea38d804ceaa86

SHA1
e32a304d3d10b7f826167e7a957ba6bda5a58278

SHA256
31de859396481458380a5c031cfa0f71b85419f13f9fcbcfae0e8b2477e284f8

SHA512
a8aec66451998561706dda507d49ee0ad6404acf5e500ed2baea04cd26d99622ee724c1d4477affac18c386646c3b491e990af59daafb9b6be852c0c74b1a74f

Download Submit
C:\Users\Admin\AppData\Roaming\630AE\ED55.30A

Filesize
600B

MD5
78b27c3ff8a95df02f5d0110bd2c0f80

SHA1
02855c8c9d2017935cbbfadfb12a06272f5420e2

SHA256
964f0e8bc42dfee87abd8f3ad70edbb38531d5935ca149b3e0df63c3dad03dc0

SHA512
6df571c9dc2070ba440a3051b9b981c002eb1654bb0eadae39d4358a1bdbb0f733f3affedcaca466f4ae177b86c04aa90c2a926a597d1fe2808721b9d481a5eb

Download Submit
C:\Users\Admin\AppData\Roaming\630AE\ED55.30A

Filesize
1KB

MD5
4e7010f744d2194c37693596e3aceebc

SHA1
7b33025267e64462ba1bced12d0e77b5e2ecf4ea

SHA256
32f4695e12321e3510c4cc2929a4b2e81b58b96fe8b6126f996483ede5e24cbc

SHA512
29db8034d91705131c9e7efcc2e9ceb1e5779168fbc29c4adc0b43ad4a5a9978275524c2beec6507a8251c6d81c5e693369613a60f1f5f999f7f036430e0008f

Download Submit
memory/1460-115-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1460-114-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3248-17-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3248-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3248-16-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3248-116-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3248-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3248-298-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4616-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4616-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4616-13-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads