03a992c1c4464c9e4ec73ddea7548f7db8865cd60cba143236fec68e4f48946d

General

Target

03a992c1c4464c9e4ec73ddea7548f7db8865cd60cba143236fec68e4f48946d.exe
Size

2.6MB
MD5

6d2a81a47521d781be5c1bf955b787e0
SHA1

1f0459a18c3e6d7c011ccc6662563e197f76fcf0
SHA256

03a992c1c4464c9e4ec73ddea7548f7db8865cd60cba143236fec68e4f48946d
SHA512

445b1cc094c38ff53a818e6d4a2db0fa6e6dd72146c327de3e577af1c0f87fba774100c14e41b4091487e638aa9627242f7c70384588e43d4753113ee4187ede
SSDEEP

49152:nTGkQD5QZuTtS0rQMYOQ+q8CEFTG4QXTGHQl9KFeMU:nKk8WsM0r1QnuK4yKHy0Fe5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
472	40239098

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\40239098	03a992c1c4464c9e4ec73ddea7548f7db8865cd60cba143236fec68e4f48946d.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046	40239098
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046	40239098
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	40239098
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	40239098
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	40239098
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	40239098
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	40239098
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	40239098
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	40239098
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	40239098
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3	40239098
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3	40239098

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2520-0-0x0000000000D50000-0x0000000000DD9000-memory.dmp	upx
behavioral2/files/0x000c000000023429-2.dat	upx
behavioral2/memory/472-3-0x00000000002E0000-0x0000000000369000-memory.dmp	upx
behavioral2/memory/2520-16-0x0000000000D50000-0x0000000000DD9000-memory.dmp	upx
behavioral2/memory/472-18-0x00000000002E0000-0x0000000000369000-memory.dmp	upx
behavioral2/memory/472-22-0x00000000002E0000-0x0000000000369000-memory.dmp	upx
behavioral2/memory/2520-25-0x0000000000D50000-0x0000000000DD9000-memory.dmp	upx
behavioral2/memory/472-26-0x00000000002E0000-0x0000000000369000-memory.dmp	upx
behavioral2/memory/2520-37-0x0000000000D50000-0x0000000000DD9000-memory.dmp	upx
behavioral2/memory/472-38-0x00000000002E0000-0x0000000000369000-memory.dmp	upx
behavioral2/memory/2520-46-0x0000000000D50000-0x0000000000DD9000-memory.dmp	upx
behavioral2/memory/2520-52-0x0000000000D50000-0x0000000000DD9000-memory.dmp	upx
behavioral2/memory/2520-53-0x0000000000D50000-0x0000000000DD9000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\2b24b0	03a992c1c4464c9e4ec73ddea7548f7db8865cd60cba143236fec68e4f48946d.exe
File opened for modification	C:\Windows\814b0	40239098

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03a992c1c4464c9e4ec73ddea7548f7db8865cd60cba143236fec68e4f48946d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40239098

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	40239098
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	40239098
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	40239098
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	40239098
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	40239098
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	40239098
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	40239098
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	40239098
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	40239098

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
472	40239098
472	40239098
472	40239098
472	40239098
472	40239098
472	40239098
472	40239098
472	40239098
2520	03a992c1c4464c9e4ec73ddea7548f7db8865cd60cba143236fec68e4f48946d.exe
2520	03a992c1c4464c9e4ec73ddea7548f7db8865cd60cba143236fec68e4f48946d.exe
2520	03a992c1c4464c9e4ec73ddea7548f7db8865cd60cba143236fec68e4f48946d.exe
2520	03a992c1c4464c9e4ec73ddea7548f7db8865cd60cba143236fec68e4f48946d.exe
2520	03a992c1c4464c9e4ec73ddea7548f7db8865cd60cba143236fec68e4f48946d.exe
2520	03a992c1c4464c9e4ec73ddea7548f7db8865cd60cba143236fec68e4f48946d.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	03a992c1c4464c9e4ec73ddea7548f7db8865cd60cba143236fec68e4f48946d.exe
Token: SeTcbPrivilege	2520	03a992c1c4464c9e4ec73ddea7548f7db8865cd60cba143236fec68e4f48946d.exe
Token: SeDebugPrivilege	472	40239098
Token: SeTcbPrivilege	472	40239098

C:\Users\Admin\AppData\Local\Temp\03a992c1c4464c9e4ec73ddea7548f7db8865cd60cba143236fec68e4f48946d.exe
"C:\Users\Admin\AppData\Local\Temp\03a992c1c4464c9e4ec73ddea7548f7db8865cd60cba143236fec68e4f48946d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\Syswow64\40239098
C:\Windows\Syswow64\40239098
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\40239098

Filesize
2.6MB

MD5
2ff2eeffe63aada2c7653daf200ff2a8

SHA1
bfce743837c726fdb7384aec2b5525a0ee01563e

SHA256
409eb8559a80cb7d00783b9190671fcc1a928d99cd63ca9f7ab2d79d206fd92d

SHA512
a1831499fb0908ab21aef54cad83d9c23a78a7e1722a431af2e642fb7a106d7e5341cd7f2947510634c1250bfc0fd98427ac9ea940603e1bc6e303e0a82ff217

Download Submit
memory/472-26-0x00000000002E0000-0x0000000000369000-memory.dmp

Filesize
548KB

Download
memory/472-3-0x00000000002E0000-0x0000000000369000-memory.dmp

Filesize
548KB

Download
memory/472-38-0x00000000002E0000-0x0000000000369000-memory.dmp

Filesize
548KB

Download
memory/472-18-0x00000000002E0000-0x0000000000369000-memory.dmp

Filesize
548KB

Download
memory/472-22-0x00000000002E0000-0x0000000000369000-memory.dmp

Filesize
548KB

Download
memory/2520-16-0x0000000000D50000-0x0000000000DD9000-memory.dmp

Filesize
548KB

Download
memory/2520-25-0x0000000000D50000-0x0000000000DD9000-memory.dmp

Filesize
548KB

Download
memory/2520-37-0x0000000000D50000-0x0000000000DD9000-memory.dmp

Filesize
548KB

Download
memory/2520-0-0x0000000000D50000-0x0000000000DD9000-memory.dmp

Filesize
548KB

Download
memory/2520-46-0x0000000000D50000-0x0000000000DD9000-memory.dmp

Filesize
548KB

Download
memory/2520-52-0x0000000000D50000-0x0000000000DD9000-memory.dmp

Filesize
548KB

Download
memory/2520-53-0x0000000000D50000-0x0000000000DD9000-memory.dmp

Filesize
548KB

Download

Analysis

Sharing