7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6

General

Target

d9c7beeacdac2aae5d8c675556bfaae9.exe
Size

1.9MB
MD5

d9c7beeacdac2aae5d8c675556bfaae9
SHA1

b1c2dd3bd27624a8aa310cbb481b9a64fdbaf921
SHA256

7c2906c9277e39c2d1be87adbd342e6faba7b0aa593233663d0007cb4119ccc6
SHA512

498d3d7053cfb612cc91dc44483ab38431eb694a6aed2613b1d9ad9d90db89001e68fa07ead050fa56bbaa957276f9eea9fb985051d059df4553c66cde130e98
SSDEEP

49152:3rLGA8M9iYz45FWeYTZxTUxXpKg+fmjcozmKxS:65FWBTZxYxJo

Score

6^/10

discovery persistence upx

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d9c7beeacdac2aae5d8c675556bfaae9.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\pigalicapi = "C:\\Users\\Admin\\pigalicapi.exe"	d9c7beeacdac2aae5d8c675556bfaae9.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d9c7beeacdac2aae5d8c675556bfaae9.exe

description	pid	Process	procid_target
PID 1884 set thread context of 1164	1884	d9c7beeacdac2aae5d8c675556bfaae9.exe	31

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1164-250-0x0000000004000000-0x000000000408E000-memory.dmp	upx
behavioral1/memory/1164-249-0x0000000004000000-0x000000000408E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

svchost.exed9c7beeacdac2aae5d8c675556bfaae9.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9c7beeacdac2aae5d8c675556bfaae9.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

d9c7beeacdac2aae5d8c675556bfaae9.exe

pid	Process
1884	d9c7beeacdac2aae5d8c675556bfaae9.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

d9c7beeacdac2aae5d8c675556bfaae9.exe

description	pid	Process	procid_target
PID 1884 wrote to memory of 1164	1884	d9c7beeacdac2aae5d8c675556bfaae9.exe	31
PID 1884 wrote to memory of 1164	1884	d9c7beeacdac2aae5d8c675556bfaae9.exe	31
PID 1884 wrote to memory of 1164	1884	d9c7beeacdac2aae5d8c675556bfaae9.exe	31
PID 1884 wrote to memory of 1164	1884	d9c7beeacdac2aae5d8c675556bfaae9.exe	31
PID 1884 wrote to memory of 1164	1884	d9c7beeacdac2aae5d8c675556bfaae9.exe	31
PID 1884 wrote to memory of 1164	1884	d9c7beeacdac2aae5d8c675556bfaae9.exe	31

C:\Users\Admin\AppData\Local\Temp\d9c7beeacdac2aae5d8c675556bfaae9.exe
"C:\Users\Admin\AppData\Local\Temp\d9c7beeacdac2aae5d8c675556bfaae9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\c5d8393293ce2ba62f117b2c2d55bc3e_38b42d9b-3e83-45f4-8789-a30be34574b0

Filesize
1KB

MD5
ac88c88d3a5734bdfe1d1929d5aae29f

SHA1
90a61c80432d64e01ddc853a9d3081210a96f2d8

SHA256
5513ba8333d8e7594d662b6717ed6067c82f3c0f63dbec9978ef3dbf9ac5b258

SHA512
e7e09ee37484edc6482807145aece048bbba1ca39e6edda4e6e62072e2c1da5fa0c35ff29c50e19793ee8b7550db1389878d20f69e43928acd9883bd6ae93ed1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\c5d8393293ce2ba62f117b2c2d55bc3e_38b42d9b-3e83-45f4-8789-a30be34574b0

Filesize
1KB

MD5
d53f00c36f7d919887fe10948d86ff31

SHA1
a7129c3238539be78ba83a2b7080af04fcb0eb0c

SHA256
5a3fdcf011502154443a82ea7b45bde15d5188f94265f9a070c8cb3a5648d8cf

SHA512
087637a750e0e19b7e94fb7fd9487fc72218dacadc7b7e56de32e398a13660aa63af8649b283c8e7a332dd1871ed2b4f71d63e32b5a6c01571072d5ef3b456df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\c5d8393293ce2ba62f117b2c2d55bc3e_38b42d9b-3e83-45f4-8789-a30be34574b0

Filesize
62B

MD5
60806f4f110a6f85831390dafbb98385

SHA1
9e27b0bad5f13310a1db8a0c155b3ad7c6b6e446

SHA256
219d1a0d4109122414a4ef1b17d392652e94e7492b490ec6ff33ef553d125a4d

SHA512
b56bf9de49451eded9debd004a8fd187e6af54a87ef8a1647b6d2f169fc8ef45fd5c6b118f46a4f587bb7f05a170d10cef80211a22d90612a7b6792d7494b6f2

Download Submit
memory/1164-242-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1164-244-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1164-240-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1164-247-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1164-250-0x0000000004000000-0x000000000408E000-memory.dmp

Filesize
568KB

Download
memory/1164-249-0x0000000004000000-0x000000000408E000-memory.dmp

Filesize
568KB

Download
memory/1884-12-0x0000000000250000-0x0000000000266000-memory.dmp

Filesize
88KB

Download
memory/1884-15-0x0000000000250000-0x0000000000266000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads