Analysis

max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-09-2024 04:10
Behavioral task: behavioral1
Sample: 702d2a0486d27443dbab59b7eed43fec7679596678976c73a37ce4fe5ccda48d.exe
Resource: win7-20240903-en
General

Target: 702d2a0486d27443dbab59b7eed43fec7679596678976c73a37ce4fe5ccda48d.exe
Size: 4.7MB
MD5: 549270da78bd70b2a24b36f2bd862793
SHA1: 002e866313e1b66af7ede526a0e88242d7643442
SHA256: 702d2a0486d27443dbab59b7eed43fec7679596678976c73a37ce4fe5ccda48d
SHA512: ed2dcfc10fd15d2723236232c29476153dc5a827892c8835ca5223baf5ffaa069c428906caf7eb15b3d6be144c5daab540ab9e013d44eb528e97e111e01f4fe2
SSDEEP: 49152:kTGkQv5QZuTtS0rQMYOQ+q8CEM4xTG4QPTGHQ29KFeMD///5:kKkgWsM0r1QnoK4GKHJ0FeM///5
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid  | Process
3612 | e3bbfdb

Unexpected DNS network traffic destination (18 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description    | ioc
Destination IP | 223.5.5.5
Destination IP | 223.5.5.5
Destination IP | 223.5.5.5
Destination IP | 114.114.114.114
Destination IP | 223.5.5.5
Destination IP | 223.5.5.5
Destination IP | 114.114.114.114
Destination IP | 223.5.5.5
Destination IP | 223.5.5.5
Destination IP | 223.5.5.5
Destination IP | 114.114.114.114
Destination IP | 114.114.114.114
Destination IP | 114.114.114.114
Destination IP | 114.114.114.114
Destination IP | 114.114.114.114
Destination IP | 114.114.114.114
Destination IP | 114.114.114.114
Destination IP | 223.5.5.5

Drops file in System32 directory (13 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | e3bbfdb
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046 | e3bbfdb
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046 | e3bbfdb
File created | C:\Windows\SysWOW64\e3bbfdb | 702d2a0486d27443dbab59b7eed43fec7679596678976c73a37ce4fe5ccda48d.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | e3bbfdb
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | e3bbfdb
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | e3bbfdb
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | e3bbfdb
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | e3bbfdb
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | e3bbfdb
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | e3bbfdb
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3 | e3bbfdb
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3 | e3bbfdb

resource | yara_rule
behavioral2/memory/2796-0-0x0000000000E50000-0x0000000000ED9000-memory.dmp | upx
behavioral2/files/0x0009000000023490-2.dat | upx
behavioral2/memory/3612-4-0x0000000000E00000-0x0000000000E89000-memory.dmp | upx
behavioral2/memory/2796-16-0x0000000000E50000-0x0000000000ED9000-memory.dmp | upx
behavioral2/memory/3612-18-0x0000000000E00000-0x0000000000E89000-memory.dmp | upx
behavioral2/memory/3612-22-0x0000000000E00000-0x0000000000E89000-memory.dmp | upx
behavioral2/memory/2796-37-0x0000000000E50000-0x0000000000ED9000-memory.dmp | upx
behavioral2/memory/3612-38-0x0000000000E00000-0x0000000000E89000-memory.dmp | upx
behavioral2/memory/3612-42-0x0000000000E00000-0x0000000000E89000-memory.dmp | upx
behavioral2/memory/2796-45-0x0000000000E50000-0x0000000000ED9000-memory.dmp | upx
behavioral2/memory/2796-48-0x0000000000E50000-0x0000000000ED9000-memory.dmp | upx
behavioral2/memory/2796-49-0x0000000000E50000-0x0000000000ED9000-memory.dmp | upx
behavioral2/memory/2796-52-0x0000000000E50000-0x0000000000ED9000-memory.dmp | upx
behavioral2/memory/2796-59-0x0000000000E50000-0x0000000000ED9000-memory.dmp | upx

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\3dd6b8 | e3bbfdb
File opened for modification | C:\Windows\2fde58 | 702d2a0486d27443dbab59b7eed43fec7679596678976c73a37ce4fe5ccda48d.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 702d2a0486d27443dbab59b7eed43fec7679596678976c73a37ce4fe5ccda48d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e3bbfdb
Modifies data under HKEY_USERS (9 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | e3bbfdb
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | e3bbfdb
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | e3bbfdb
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | e3bbfdb
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | e3bbfdb
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | e3bbfdb
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | e3bbfdb
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | e3bbfdb
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | e3bbfdb

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid  | Process
3612 | e3bbfdb
3612 | e3bbfdb
3612 | e3bbfdb
3612 | e3bbfdb
3612 | e3bbfdb
3612 | e3bbfdb
3612 | e3bbfdb
3612 | e3bbfdb
2796 | 702d2a0486d27443dbab59b7eed43fec7679596678976c73a37ce4fe5ccda48d.exe
2796 | 702d2a0486d27443dbab59b7eed43fec7679596678976c73a37ce4fe5ccda48d.exe
2796 | 702d2a0486d27443dbab59b7eed43fec7679596678976c73a37ce4fe5ccda48d.exe
2796 | 702d2a0486d27443dbab59b7eed43fec7679596678976c73a37ce4fe5ccda48d.exe
2796 | 702d2a0486d27443dbab59b7eed43fec7679596678976c73a37ce4fe5ccda48d.exe
2796 | 702d2a0486d27443dbab59b7eed43fec7679596678976c73a37ce4fe5ccda48d.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2796 | 702d2a0486d27443dbab59b7eed43fec7679596678976c73a37ce4fe5ccda48d.exe
Token: SeTcbPrivilege | 2796 | 702d2a0486d27443dbab59b7eed43fec7679596678976c73a37ce4fe5ccda48d.exe
Token: SeDebugPrivilege | 3612 | e3bbfdb
Token: SeTcbPrivilege | 3612 | e3bbfdb
Processes

Path: C:\Users\Admin\AppData\Local\Temp\702d2a0486d27443dbab59b7eed43fec7679596678976c73a37ce4fe5ccda48d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\702d2a0486d27443dbab59b7eed43fec7679596678976c73a37ce4fe5ccda48d.exe"
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2796

Path: C:\Windows\Syswow64\e3bbfdb
Command line: C:\Windows\Syswow64\e3bbfdb
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3612
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4.7MB
MD5: 4fa7bb797c36c24e92f1df741b600581
SHA1: 933d6832ba01e3a91938f85b228c7618edff4369
SHA256: f781f1f79e1aa55f2fa6e92562cabd8fc5ac856f53d513091d5ae6a2cacbb619
SHA512: 62bcbbeca31ee4b00bd8a4a05c4dcaaba15d6b5947b175607582e5b819a819bfbdde18706f6cda08dc79d4d3527bdde9c78617af7357ef46b013c15265d7aed7