Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/10/2024, 18:44
Behavioral task: behavioral1
Sample: 9fad31873e4dfc9a49788fd015320d3a47f4f6c1cfc519a6e99004814ca048b0.exe
Resource: win7-20241010-en
General
Target: 9fad31873e4dfc9a49788fd015320d3a47f4f6c1cfc519a6e99004814ca048b0.exe
Size: 559KB
MD5: 20712697c36274e470bcaf43a813e8fc
SHA1: 53da389ae9b176e2aa9ed49c098c79da120c14c8
SHA256: 9fad31873e4dfc9a49788fd015320d3a47f4f6c1cfc519a6e99004814ca048b0
SHA512: e8c7ddad4d307f5a30ba8e63e53f8a59f4a8ae8e7324b7903ff741add5a0f57e0c54c0526838c8383f6c89797ac3cd8423905ac7b751037959e8e64c10d28630
SSDEEP: 6144:9JV10cTrk/mWVqwvzJR6QLW4/ih5QDyU+FM8cEOkCybEaQRXr9HNdvOaZm:5t+aQa4/cQDy06Okx2LIaY
Malware Config
Signatures
Executes dropped EXE (1 IoC)
- pid 1384, process d6500de8
Unexpected DNS network traffic destination (8 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Destination IP 223.5.5.5 (3 entries)
- Destination IP 114.114.114.114 (5 entries)
Drops file in System32 directory (13 IoCs)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3 (process d6500de8)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies (process d6500de8)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft (process d6500de8)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache (process d6500de8)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046 (process d6500de8)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3 (process d6500de8)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046 (process d6500de8)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content (process d6500de8)
- File created: C:\Windows\SysWOW64\d6500de8 (process 9fad31873e4dfc9a49788fd015320d3a47f4f6c1cfc519a6e99004814ca048b0.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 (process d6500de8)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE (process d6500de8)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 (process d6500de8)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData (process d6500de8)
resource / yara_rule:
- behavioral2/memory/5068-0-0x0000000000B60000-0x0000000000BF1000-memory.dmp: upx
- behavioral2/files/0x000b000000023b72-2.dat: upx
- behavioral2/memory/1384-4-0x0000000000900000-0x0000000000991000-memory.dmp: upx
- behavioral2/memory/5068-11-0x0000000000B60000-0x0000000000BF1000-memory.dmp: upx
- behavioral2/memory/1384-12-0x0000000000900000-0x0000000000991000-memory.dmp: upx
- behavioral2/memory/1384-19-0x0000000000900000-0x0000000000991000-memory.dmp: upx
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process 9fad31873e4dfc9a49788fd015320d3a47f4f6c1cfc519a6e99004814ca048b0.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process d6500de8)
Modifies data under HKEY_USERS (9 IoCs)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (process d6500de8)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (process d6500de8)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (process d6500de8)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (process d6500de8)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (process d6500de8)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (process d6500de8)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (process d6500de8)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (process d6500de8)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (process d6500de8)
Suspicious behavior: EnumeratesProcesses (14 IoCs)
- pid 1384, process d6500de8 (8 entries)
- pid 5068, process 9fad31873e4dfc9a49788fd015320d3a47f4f6c1cfc519a6e99004814ca048b0.exe (6 entries)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeDebugPrivilege, pid 5068, process 9fad31873e4dfc9a49788fd015320d3a47f4f6c1cfc519a6e99004814ca048b0.exe
- Token: SeTcbPrivilege, pid 5068, process 9fad31873e4dfc9a49788fd015320d3a47f4f6c1cfc519a6e99004814ca048b0.exe
- Token: SeDebugPrivilege, pid 1384, process d6500de8
- Token: SeTcbPrivilege, pid 1384, process d6500de8
Processes
C:\Users\Admin\AppData\Local\Temp\9fad31873e4dfc9a49788fd015320d3a47f4f6c1cfc519a6e99004814ca048b0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9fad31873e4dfc9a49788fd015320d3a47f4f6c1cfc519a6e99004814ca048b0.exe"
  PID: 5068
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\Syswow64\d6500de8
  Command line: C:\Windows\Syswow64\d6500de8
  PID: 1384
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 559KB
MD5: 868c1d6d1dd207e3f19b2ab9dc960cbd
SHA1: f54591e5329cff02c48af5dce4c98803637af8bb
SHA256: 5453b042007e51bf2dbd69d6ab5f83f748b8b27fccf3e1eb489f7e392e9ac161
SHA512: e77cb74471c8ad5efd41865d902ebf639148b68c53651dcac1463a8198e5ce01ab72b1ebae247df7f4539bc39aca5bdae307320b9ec868eef20f4ef629d6a31f