1023b92bbb4164374d46bf060542dc5ecaf328a107ad3e95a2480437d161ec57

General

Target

1023b92bbb4164374d46bf060542dc5ecaf328a107ad3e95a2480437d161ec57.exe
Size

2.6MB
MD5

2645613a023e767350badacdeb59ff28
SHA1

8c5cb46157fd7874b2b28392870d7d5d6bb10fc4
SHA256

1023b92bbb4164374d46bf060542dc5ecaf328a107ad3e95a2480437d161ec57
SHA512

4594451eb5b65897d6b399cbeea707e6a2809fa452aa6b0c83b5c6eba7e3a27530b4d9196a494d3be0f172772e85f7d63057f65ae34705d617735860b1975305
SSDEEP

49152:yTGkQy5QZuTtS0rQMYOQ+q8CE0TG4QnTGHQc9KFeM:yKkVWsM0r1QnDK4uKHT0Fe

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3296	e5bf8

Unexpected DNS network traffic destination 16 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\e5bf8	1023b92bbb4164374d46bf060542dc5ecaf328a107ad3e95a2480437d161ec57.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	e5bf8
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	e5bf8
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	e5bf8
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	e5bf8
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046	e5bf8
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3	e5bf8
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	e5bf8
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	e5bf8
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	e5bf8
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046	e5bf8
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	e5bf8
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3	e5bf8

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5012-0-0x0000000000D20000-0x0000000000DA9000-memory.dmp	upx
behavioral2/memory/3296-3-0x0000000000690000-0x0000000000719000-memory.dmp	upx
behavioral2/files/0x00080000000236ce-2.dat	upx
behavioral2/memory/5012-16-0x0000000000D20000-0x0000000000DA9000-memory.dmp	upx
behavioral2/memory/3296-18-0x0000000000690000-0x0000000000719000-memory.dmp	upx
behavioral2/memory/3296-19-0x0000000000690000-0x0000000000719000-memory.dmp	upx
behavioral2/memory/5012-36-0x0000000000D20000-0x0000000000DA9000-memory.dmp	upx
behavioral2/memory/3296-37-0x0000000000690000-0x0000000000719000-memory.dmp	upx
behavioral2/memory/5012-42-0x0000000000D20000-0x0000000000DA9000-memory.dmp	upx
behavioral2/memory/3296-43-0x0000000000690000-0x0000000000719000-memory.dmp	upx
behavioral2/memory/3296-45-0x0000000000690000-0x0000000000719000-memory.dmp	upx
behavioral2/memory/3296-46-0x0000000000690000-0x0000000000719000-memory.dmp	upx
behavioral2/memory/5012-50-0x0000000000D20000-0x0000000000DA9000-memory.dmp	upx
behavioral2/memory/5012-51-0x0000000000D20000-0x0000000000DA9000-memory.dmp	upx
behavioral2/memory/5012-52-0x0000000000D20000-0x0000000000DA9000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\386dc0	e5bf8
File opened for modification	C:\Windows\55cea8	1023b92bbb4164374d46bf060542dc5ecaf328a107ad3e95a2480437d161ec57.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1023b92bbb4164374d46bf060542dc5ecaf328a107ad3e95a2480437d161ec57.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5bf8

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	e5bf8
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	e5bf8
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	e5bf8
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	e5bf8
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	e5bf8
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	e5bf8
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	e5bf8
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	e5bf8
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	e5bf8

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3296	e5bf8
3296	e5bf8
3296	e5bf8
3296	e5bf8
3296	e5bf8
3296	e5bf8
3296	e5bf8
3296	e5bf8
5012	1023b92bbb4164374d46bf060542dc5ecaf328a107ad3e95a2480437d161ec57.exe
5012	1023b92bbb4164374d46bf060542dc5ecaf328a107ad3e95a2480437d161ec57.exe
5012	1023b92bbb4164374d46bf060542dc5ecaf328a107ad3e95a2480437d161ec57.exe
5012	1023b92bbb4164374d46bf060542dc5ecaf328a107ad3e95a2480437d161ec57.exe
5012	1023b92bbb4164374d46bf060542dc5ecaf328a107ad3e95a2480437d161ec57.exe
5012	1023b92bbb4164374d46bf060542dc5ecaf328a107ad3e95a2480437d161ec57.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5012	1023b92bbb4164374d46bf060542dc5ecaf328a107ad3e95a2480437d161ec57.exe
Token: SeTcbPrivilege	5012	1023b92bbb4164374d46bf060542dc5ecaf328a107ad3e95a2480437d161ec57.exe
Token: SeDebugPrivilege	3296	e5bf8
Token: SeTcbPrivilege	3296	e5bf8

C:\Users\Admin\AppData\Local\Temp\1023b92bbb4164374d46bf060542dc5ecaf328a107ad3e95a2480437d161ec57.exe
"C:\Users\Admin\AppData\Local\Temp\1023b92bbb4164374d46bf060542dc5ecaf328a107ad3e95a2480437d161ec57.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\Syswow64\e5bf8
C:\Windows\Syswow64\e5bf8
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4140 /prefetch:8
1⤵
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\e5bf8

Filesize
2.6MB

MD5
7f16e1f0c6f39bdacb6a640d5acd6ebd

SHA1
83cc4d8e58f1aad2f6799b6c4c56d9c25e792569

SHA256
1f27964160d5eaa725975f07cd21de01c6e7dbf84df978977853a96c05791a01

SHA512
3505a85360e3f63106eef2e9b46c3799bc22d0dc3d9e45afea27d957b2c585aaba51482fdc435c4938a203298f4c9f8955557f3e4e8ef781206eeaa5f165d346

Download Submit
memory/3296-43-0x0000000000690000-0x0000000000719000-memory.dmp

Filesize
548KB

Download
memory/3296-3-0x0000000000690000-0x0000000000719000-memory.dmp

Filesize
548KB

Download
memory/3296-46-0x0000000000690000-0x0000000000719000-memory.dmp

Filesize
548KB

Download
memory/3296-18-0x0000000000690000-0x0000000000719000-memory.dmp

Filesize
548KB

Download
memory/3296-19-0x0000000000690000-0x0000000000719000-memory.dmp

Filesize
548KB

Download
memory/3296-45-0x0000000000690000-0x0000000000719000-memory.dmp

Filesize
548KB

Download
memory/3296-37-0x0000000000690000-0x0000000000719000-memory.dmp

Filesize
548KB

Download
memory/5012-16-0x0000000000D20000-0x0000000000DA9000-memory.dmp

Filesize
548KB

Download
memory/5012-42-0x0000000000D20000-0x0000000000DA9000-memory.dmp

Filesize
548KB

Download
memory/5012-36-0x0000000000D20000-0x0000000000DA9000-memory.dmp

Filesize
548KB

Download
memory/5012-0-0x0000000000D20000-0x0000000000DA9000-memory.dmp

Filesize
548KB

Download
memory/5012-50-0x0000000000D20000-0x0000000000DA9000-memory.dmp

Filesize
548KB

Download
memory/5012-51-0x0000000000D20000-0x0000000000DA9000-memory.dmp

Filesize
548KB

Download
memory/5012-52-0x0000000000D20000-0x0000000000DA9000-memory.dmp

Filesize
548KB

Download

Analysis

Sharing