652d4933e569491bf5879832e1dd55e737f7898ba644d29048101ae08332b71e

General

Target

652d4933e569491bf5879832e1dd55e737f7898ba644d29048101ae08332b71e.exe
Size

2.6MB
MD5

c57bbc2bbf4e05fbf5f321932619953e
SHA1

03f5817242adbc454acfa32b21a51f68222b309a
SHA256

652d4933e569491bf5879832e1dd55e737f7898ba644d29048101ae08332b71e
SHA512

176bc9797f5ef7f14da4c5f773eefac03e933becd222cfde01515dd2cdf42fff5481fd61286b3be545f5cfec410817a0de27142a4bce6f6a47cde3dbe8a23229
SSDEEP

49152:5TGkQD5QZuTtS0rQMYOQ+q8CEFTG4QXTGHQl9KFeMU:5Kk8WsM0r1QnuK4yKHy0Fe5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2416	966fd56

Unexpected DNS network traffic destination 16 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	966fd56
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	966fd56
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	966fd56
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3	966fd56
File created	C:\Windows\SysWOW64\966fd56	652d4933e569491bf5879832e1dd55e737f7898ba644d29048101ae08332b71e.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	966fd56
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	966fd56
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	966fd56
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3	966fd56
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	966fd56
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046	966fd56
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	966fd56
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046	966fd56

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4204-0-0x0000000000610000-0x0000000000699000-memory.dmp	upx
behavioral2/memory/2416-3-0x0000000000570000-0x00000000005F9000-memory.dmp	upx
behavioral2/files/0x000c000000023b33-2.dat	upx
behavioral2/memory/4204-16-0x0000000000610000-0x0000000000699000-memory.dmp	upx
behavioral2/memory/2416-18-0x0000000000570000-0x00000000005F9000-memory.dmp	upx
behavioral2/memory/4204-37-0x0000000000610000-0x0000000000699000-memory.dmp	upx
behavioral2/memory/2416-38-0x0000000000570000-0x00000000005F9000-memory.dmp	upx
behavioral2/memory/2416-42-0x0000000000570000-0x00000000005F9000-memory.dmp	upx
behavioral2/memory/2416-44-0x0000000000570000-0x00000000005F9000-memory.dmp	upx
behavioral2/memory/4204-48-0x0000000000610000-0x0000000000699000-memory.dmp	upx
behavioral2/memory/4204-51-0x0000000000610000-0x0000000000699000-memory.dmp	upx
behavioral2/memory/4204-56-0x0000000000610000-0x0000000000699000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\295ce0	966fd56
File opened for modification	C:\Windows\47f958	652d4933e569491bf5879832e1dd55e737f7898ba644d29048101ae08332b71e.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	652d4933e569491bf5879832e1dd55e737f7898ba644d29048101ae08332b71e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	966fd56

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	966fd56
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	966fd56
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	966fd56
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	966fd56
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	966fd56
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	966fd56
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	966fd56
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	966fd56
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	966fd56

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2416	966fd56
2416	966fd56
2416	966fd56
2416	966fd56
2416	966fd56
2416	966fd56
2416	966fd56
2416	966fd56
4204	652d4933e569491bf5879832e1dd55e737f7898ba644d29048101ae08332b71e.exe
4204	652d4933e569491bf5879832e1dd55e737f7898ba644d29048101ae08332b71e.exe
4204	652d4933e569491bf5879832e1dd55e737f7898ba644d29048101ae08332b71e.exe
4204	652d4933e569491bf5879832e1dd55e737f7898ba644d29048101ae08332b71e.exe
4204	652d4933e569491bf5879832e1dd55e737f7898ba644d29048101ae08332b71e.exe
4204	652d4933e569491bf5879832e1dd55e737f7898ba644d29048101ae08332b71e.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4204	652d4933e569491bf5879832e1dd55e737f7898ba644d29048101ae08332b71e.exe
Token: SeTcbPrivilege	4204	652d4933e569491bf5879832e1dd55e737f7898ba644d29048101ae08332b71e.exe
Token: SeDebugPrivilege	2416	966fd56
Token: SeTcbPrivilege	2416	966fd56

C:\Users\Admin\AppData\Local\Temp\652d4933e569491bf5879832e1dd55e737f7898ba644d29048101ae08332b71e.exe
"C:\Users\Admin\AppData\Local\Temp\652d4933e569491bf5879832e1dd55e737f7898ba644d29048101ae08332b71e.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Windows\Syswow64\966fd56
C:\Windows\Syswow64\966fd56
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\966fd56

Filesize
2.6MB

MD5
f3021d7a48fabd5757272930a6d1eb15

SHA1
eb12b28676c6c6847fc72c0dfb628d1901973310

SHA256
064d6de1342756353251299a75391f7a6be442b7d135b2db99234a40f683f516

SHA512
0c8282cfea77dab4f132e8c4b9c0e871124035ecbf566bc97433d50cc82af7b7ca760799b291ccb63942fa43740c760dbbdae4feadc29f1c6f8333be8b939d26

Download Submit
memory/2416-3-0x0000000000570000-0x00000000005F9000-memory.dmp

Filesize
548KB

Download
memory/2416-18-0x0000000000570000-0x00000000005F9000-memory.dmp

Filesize
548KB

Download
memory/2416-38-0x0000000000570000-0x00000000005F9000-memory.dmp

Filesize
548KB

Download
memory/2416-42-0x0000000000570000-0x00000000005F9000-memory.dmp

Filesize
548KB

Download
memory/2416-44-0x0000000000570000-0x00000000005F9000-memory.dmp

Filesize
548KB

Download
memory/4204-0-0x0000000000610000-0x0000000000699000-memory.dmp

Filesize
548KB

Download
memory/4204-16-0x0000000000610000-0x0000000000699000-memory.dmp

Filesize
548KB

Download
memory/4204-37-0x0000000000610000-0x0000000000699000-memory.dmp

Filesize
548KB

Download
memory/4204-48-0x0000000000610000-0x0000000000699000-memory.dmp

Filesize
548KB

Download
memory/4204-51-0x0000000000610000-0x0000000000699000-memory.dmp

Filesize
548KB

Download
memory/4204-56-0x0000000000610000-0x0000000000699000-memory.dmp

Filesize
548KB

Download

Analysis

Sharing