998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9f

General

Target

998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe
Size

774KB
MD5

8efed1f99efe3d9b0a0677803cca3e00
SHA1

96d4e25e11878444c5ca7d1e5c08ee1e2e8cfac9
SHA256

998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9f
SHA512

f41ada534c9cbd88f4a38cde6630cfb802efb3dbec30d9b45183095d7b6fc8eef6bdfacc81f9033b39f11aeb852a18b7f4e52b25bc1600c0dc6aaad064e72e60
SSDEEP

12288:7tKe6Zv23YLVFhBsC8iFHs+hsuQXIQRUP/g8t5P4SpUFjxTQe74CjQpf:v6Zv2ivhBVnFvh5Q44UP48Rp6x1b8f

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5ADE3FF8-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msfcy32.exe"	998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5ADE3FF8-8B9A-11D5-EBA1-F78EEEEEE983}	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5ADE3FF8-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msfcy32.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5ADE3FF8-8B9A-11D5-EBA1-F78EEEEEE983}	998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe

Executes dropped EXE 1 IoCs

pid	Process
2500	spoolsv.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	spoolsv.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vcl32.exe	998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe
File opened for modification	C:\Windows\SysWOW64\vcl32.exe	998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe
File created	C:\Windows\SysWOW64\msfcy32.exe	998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe
File opened for modification	C:\Windows\SysWOW64\msfcy32.exe	998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe
File created	C:\Windows\SysWOW64\concp32.exe	998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe
File opened for modification	C:\Windows\SysWOW64\concp32.exe	998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1788-0-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/files/0x000800000001749c-5.dat	upx
behavioral1/files/0x00080000000173f6-14.dat	upx
behavioral1/memory/1788-15-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/2500-16-0x0000000000400000-0x0000000000439000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\spoolsv.exe	998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe
File opened for modification	C:\Windows\spoolsv.exe	998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADE3FF8-8B9A-11D5-EBA1-F78EEEEEE983}	998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADE3FF8-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32	998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADE3FF8-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADE3FF8-8B9A-11D5-EBA1-F78EEEEEE983}\u0 = 658663d26f8bad325217a06063847056939f558d910ed252e05dd0113550f7fc0f4da82ff73a0681ba604c2d4f23269f	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADE3FF8-8B9A-11D5-EBA1-F78EEEEEE983}\u2 = a54a6b702f92fdf2acd57599e2ae1608015dff41aa020117fc9bd8e2dcf4340f3fa61eb55d6f28597df90602703809d4	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADE3FF8-8B9A-11D5-EBA1-F78EEEEEE983}\sm = 01b8ec350471bd332433eee476ebe1f3	998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADE3FF8-8B9A-11D5-EBA1-F78EEEEEE983}\ax = 513fdf4e03c9cf9ff7c99b3047c1fa5a	998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADE3FF8-8B9A-11D5-EBA1-F78EEEEEE983}	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADE3FF8-8B9A-11D5-EBA1-F78EEEEEE983}\u1 = 551d2e0658054ba756fd3798fea5ffca42865cb762a31639dabd7f2cca44e226	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADE3FF8-8B9A-11D5-EBA1-F78EEEEEE983}\v = "165"	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1788	998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 2500	1788	998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe	30
PID 1788 wrote to memory of 2500	1788	998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe	30
PID 1788 wrote to memory of 2500	1788	998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe	30
PID 1788 wrote to memory of 2500	1788	998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe	30

C:\Users\Admin\AppData\Local\Temp\998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe
"C:\Users\Admin\AppData\Local\Temp\998505cf1ae5a9c282656550da9fcf30dac90d0c90bef04f4826b2b001fb2a9fN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\spoolsv.exe
  C:\Windows\spoolsv.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\concp32.exe

Filesize
779KB

MD5
183ab4e7732dc02f570caaa6a04b87e5

SHA1
3587a2c1d450b5e8bf29bd2cbe9df27fed72d1c3

SHA256
b44f1d7c7db06261f3570f2be39408f3fc02b718e201397a709565bbbb6f4104

SHA512
417c0b7b96f50d0a4dd237b7b0d9d80da3e42debb06427e3d319ecfc6683343b0694a031c09b4b3688ba2da844ae987726b8fd8a4b19bdc14acf6e9e617d248e

Download Submit
C:\Windows\spoolsv.exe

Filesize
774KB

MD5
7ecc2917078619e4ec402c0d9e73307b

SHA1
29743a9d34228d7b0ecf31fdd884b4b1ad66f76d

SHA256
8513ae8143b31ff9339db8aec54761d7e3e50b7de64f8668d1c7a7bfe2dfe814

SHA512
ee24cd1f2f543d99252dc081ef11d641f2dc10e1cdb1344e8d154bbe7b83055ac7234ef019dfd3fabca47b2ffe5577927fb89b037b885890edfc1c113aaf9ce1

Download Submit
memory/1788-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1788-15-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1788-13-0x00000000002C0000-0x00000000002F9000-memory.dmp

Filesize
228KB

Download
memory/2500-16-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads