f75b34adece3d9e9fb2fc972c0935eeefeac5de8af2fbc820dddf155d086d30b

General

Target

f75b34adece3d9e9fb2fc972c0935eeefeac5de8af2fbc820dddf155d086d30b.exe
Size

2.6MB
MD5

65fb69f58da2be20c89c9a54f3fd87e7
SHA1

dc1917fe3da39779ac14868570bcbf39c7aa162e
SHA256

f75b34adece3d9e9fb2fc972c0935eeefeac5de8af2fbc820dddf155d086d30b
SHA512

368b9d4a91ccfdde015e71dd1c8b4903d35db1ea21594e705bd7cd6f4dc0431f540504d72e908a226d426bd341d28c72e5ca2e8327c3e9303644a37b8144afdf
SSDEEP

49152:QTGkQD5QZuTtS0rQMYOQ+q8CEFTG4QXTGHQl9KFeMU:QKk8WsM0r1QnuK4yKHy0Fe5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3628	62969f63

Unexpected DNS network traffic destination 12 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	62969f63
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	62969f63
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	62969f63
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046	62969f63
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	62969f63
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	62969f63
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	62969f63
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	62969f63
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3	62969f63
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3	62969f63
File created	C:\Windows\SysWOW64\62969f63	f75b34adece3d9e9fb2fc972c0935eeefeac5de8af2fbc820dddf155d086d30b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046	62969f63
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	62969f63

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3460-0-0x00000000009A0000-0x0000000000A29000-memory.dmp	upx
behavioral2/files/0x00080000000234dd-2.dat	upx
behavioral2/memory/3628-3-0x0000000000090000-0x0000000000119000-memory.dmp	upx
behavioral2/memory/3460-16-0x00000000009A0000-0x0000000000A29000-memory.dmp	upx
behavioral2/memory/3628-18-0x0000000000090000-0x0000000000119000-memory.dmp	upx
behavioral2/memory/3628-19-0x0000000000090000-0x0000000000119000-memory.dmp	upx
behavioral2/memory/3460-36-0x00000000009A0000-0x0000000000A29000-memory.dmp	upx
behavioral2/memory/3628-37-0x0000000000090000-0x0000000000119000-memory.dmp	upx
behavioral2/memory/3460-38-0x00000000009A0000-0x0000000000A29000-memory.dmp	upx
behavioral2/memory/3628-39-0x0000000000090000-0x0000000000119000-memory.dmp	upx
behavioral2/memory/3460-50-0x00000000009A0000-0x0000000000A29000-memory.dmp	upx
behavioral2/memory/3460-51-0x00000000009A0000-0x0000000000A29000-memory.dmp	upx
behavioral2/memory/3460-52-0x00000000009A0000-0x0000000000A29000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\3e1cd8	62969f63
File opened for modification	C:\Windows\3b3c88	f75b34adece3d9e9fb2fc972c0935eeefeac5de8af2fbc820dddf155d086d30b.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f75b34adece3d9e9fb2fc972c0935eeefeac5de8af2fbc820dddf155d086d30b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62969f63

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	62969f63
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	62969f63
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	62969f63
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	62969f63
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	62969f63
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	62969f63
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	62969f63
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	62969f63
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	62969f63

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3628	62969f63
3628	62969f63
3628	62969f63
3628	62969f63
3628	62969f63
3628	62969f63
3628	62969f63
3628	62969f63
3460	f75b34adece3d9e9fb2fc972c0935eeefeac5de8af2fbc820dddf155d086d30b.exe
3460	f75b34adece3d9e9fb2fc972c0935eeefeac5de8af2fbc820dddf155d086d30b.exe
3460	f75b34adece3d9e9fb2fc972c0935eeefeac5de8af2fbc820dddf155d086d30b.exe
3460	f75b34adece3d9e9fb2fc972c0935eeefeac5de8af2fbc820dddf155d086d30b.exe
3460	f75b34adece3d9e9fb2fc972c0935eeefeac5de8af2fbc820dddf155d086d30b.exe
3460	f75b34adece3d9e9fb2fc972c0935eeefeac5de8af2fbc820dddf155d086d30b.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3460	f75b34adece3d9e9fb2fc972c0935eeefeac5de8af2fbc820dddf155d086d30b.exe
Token: SeTcbPrivilege	3460	f75b34adece3d9e9fb2fc972c0935eeefeac5de8af2fbc820dddf155d086d30b.exe
Token: SeDebugPrivilege	3628	62969f63
Token: SeTcbPrivilege	3628	62969f63

C:\Users\Admin\AppData\Local\Temp\f75b34adece3d9e9fb2fc972c0935eeefeac5de8af2fbc820dddf155d086d30b.exe
"C:\Users\Admin\AppData\Local\Temp\f75b34adece3d9e9fb2fc972c0935eeefeac5de8af2fbc820dddf155d086d30b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\Syswow64\62969f63
C:\Windows\Syswow64\62969f63
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\62969f63

Filesize
2.6MB

MD5
74d450e3612b88eeeb62069dea1bf27c

SHA1
e57b3d1b1a9a539a406a447134cb201f173afb3f

SHA256
4fd682d6a2da13ad36f321dbc26d83318bead70bbf247b124003429db4215419

SHA512
1927e9bf7b6e2c0b9d414c519bac61dc57bd85af53989d864324b5a924130822068b6747bf49306685893443c2e16c770f45845b31a788c2143f91ad63fbaed5

Download Submit
memory/3460-36-0x00000000009A0000-0x0000000000A29000-memory.dmp

Filesize
548KB

Download
memory/3460-16-0x00000000009A0000-0x0000000000A29000-memory.dmp

Filesize
548KB

Download
memory/3460-0-0x00000000009A0000-0x0000000000A29000-memory.dmp

Filesize
548KB

Download
memory/3460-38-0x00000000009A0000-0x0000000000A29000-memory.dmp

Filesize
548KB

Download
memory/3460-50-0x00000000009A0000-0x0000000000A29000-memory.dmp

Filesize
548KB

Download
memory/3460-51-0x00000000009A0000-0x0000000000A29000-memory.dmp

Filesize
548KB

Download
memory/3460-52-0x00000000009A0000-0x0000000000A29000-memory.dmp

Filesize
548KB

Download
memory/3628-3-0x0000000000090000-0x0000000000119000-memory.dmp

Filesize
548KB

Download
memory/3628-18-0x0000000000090000-0x0000000000119000-memory.dmp

Filesize
548KB

Download
memory/3628-19-0x0000000000090000-0x0000000000119000-memory.dmp

Filesize
548KB

Download
memory/3628-37-0x0000000000090000-0x0000000000119000-memory.dmp

Filesize
548KB

Download
memory/3628-39-0x0000000000090000-0x0000000000119000-memory.dmp

Filesize
548KB

Download

Analysis

Sharing