35307a1139f24f901729617c011962bc0e2d0649fd79f87763815af1f37c53c5

General

Target

35307a1139f24f901729617c011962bc0e2d0649fd79f87763815af1f37c53c5N.exe
Size

1.3MB
MD5

db8795d2e483fcab4f4b39e212517fb0
SHA1

271076ae52089ac3928bfa7c6988f683a8efabe6
SHA256

35307a1139f24f901729617c011962bc0e2d0649fd79f87763815af1f37c53c5
SHA512

b41303da3c9ccfed2d11a09c133f218eb795874c33ebb3e2bd69eb7c88a5313296ab14765dc70b8cf9821029fb1a93aef0a1078fe3ca4ce79997f1cc5e4e975a
SSDEEP

24576:v6Zv2ivhBVnFys7xP86LXtqWJ/ej0umQf8/UWnxxWydqdSiEstRKU3Wo:vE2ivhQs7dLX/JkZ8/UWxwtdSWbKU3Wo

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DE4C4C4-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msagt32.exe"	35307a1139f24f901729617c011962bc0e2d0649fd79f87763815af1f37c53c5N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DE4C4C4-8B9A-11D5-EBA1-F78EEEEEE983}	35307a1139f24f901729617c011962bc0e2d0649fd79f87763815af1f37c53c5N.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	35307a1139f24f901729617c011962bc0e2d0649fd79f87763815af1f37c53c5N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	35307a1139f24f901729617c011962bc0e2d0649fd79f87763815af1f37c53c5N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	35307a1139f24f901729617c011962bc0e2d0649fd79f87763815af1f37c53c5N.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vcl32.exe	35307a1139f24f901729617c011962bc0e2d0649fd79f87763815af1f37c53c5N.exe
File opened for modification	C:\Windows\SysWOW64\vcl32.exe	35307a1139f24f901729617c011962bc0e2d0649fd79f87763815af1f37c53c5N.exe
File created	C:\Windows\SysWOW64\msagt32.exe	35307a1139f24f901729617c011962bc0e2d0649fd79f87763815af1f37c53c5N.exe
File opened for modification	C:\Windows\SysWOW64\msagt32.exe	35307a1139f24f901729617c011962bc0e2d0649fd79f87763815af1f37c53c5N.exe
File created	C:\Windows\SysWOW64\concp32.exe	35307a1139f24f901729617c011962bc0e2d0649fd79f87763815af1f37c53c5N.exe
File opened for modification	C:\Windows\SysWOW64\concp32.exe	35307a1139f24f901729617c011962bc0e2d0649fd79f87763815af1f37c53c5N.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4056-0-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/files/0x000a000000023b7a-5.dat	upx
behavioral2/memory/4056-7-0x0000000000400000-0x0000000000439000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1992	4056	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	35307a1139f24f901729617c011962bc0e2d0649fd79f87763815af1f37c53c5N.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DE4C4C4-8B9A-11D5-EBA1-F78EEEEEE983}	35307a1139f24f901729617c011962bc0e2d0649fd79f87763815af1f37c53c5N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DE4C4C4-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32	35307a1139f24f901729617c011962bc0e2d0649fd79f87763815af1f37c53c5N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DE4C4C4-8B9A-11D5-EBA1-F78EEEEEE983}\sm = ebb5525fa3bcf9422c8ff945977d6af9	35307a1139f24f901729617c011962bc0e2d0649fd79f87763815af1f37c53c5N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DE4C4C4-8B9A-11D5-EBA1-F78EEEEEE983}\ax = b3bf875f2ffb39dbf7c2e9d87e7c002a	35307a1139f24f901729617c011962bc0e2d0649fd79f87763815af1f37c53c5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	35307a1139f24f901729617c011962bc0e2d0649fd79f87763815af1f37c53c5N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4056	35307a1139f24f901729617c011962bc0e2d0649fd79f87763815af1f37c53c5N.exe

C:\Users\Admin\AppData\Local\Temp\35307a1139f24f901729617c011962bc0e2d0649fd79f87763815af1f37c53c5N.exe
"C:\Users\Admin\AppData\Local\Temp\35307a1139f24f901729617c011962bc0e2d0649fd79f87763815af1f37c53c5N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 744
  2⤵
  - Program crash
  PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4056 -ip 4056
1⤵
PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\concp32.exe

Filesize
1.3MB

MD5
289f4f56af717d122989ce3ffd7c9a27

SHA1
517e1fba80a47358da52b4fa58e5980c571e8060

SHA256
e0b0cb88e4dbac47d00ee223e822f09711bec1a50f633dcf6ecbcc0444a6d88b

SHA512
7807217048ef55a3ca17020ce32dc19eaf4bbb6f37440d0887ad36060f051d4565f8af93b64ada0002f6d1504d36ed38844b92dea32141273194ab61d729ac0b

Download Submit
memory/4056-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4056-7-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads