656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730e

General

Target

656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe
Size

308KB
MD5

de6a17d6e89d790f087c75e8c3fd1470
SHA1

89e9f07116b2cab77e0881498770d9185b3f4afc
SHA256

656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730e
SHA512

3bf7b341f7c7f0058b872d5c39f49cfff9d0f4996d80640ef70dee938de939a78f5c41f5b9fb08c0e2accdc98b2a26f033e35c08022b2f5728ab72057a83c9d7
SSDEEP

3072:pxfHaRTE5TJf+jwB2ydTL5cFRu81Y2gK7UMCO05n05ghA/0Oz4ZhzSWlrSgswYCf:pZ6ogjnE8HmMCT0wJZhzAwfjRDT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
131168	skyrpe.exe

Loads dropped DLL 5 IoCs

pid	Process
29084	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe
29084	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe
29084	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe
29084	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe
29084	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Skype = "C:\\Users\\Admin\\AppData\\Roaming\\skype\\skyrpe.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2616 set thread context of 29084	2616	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe	30
PID 131168 set thread context of 0	131168	skyrpe.exe
PID 131168 set thread context of 0	131168	skyrpe.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/29084-73961-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/29084-73963-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/29084-73966-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/29084-73967-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/29084-73968-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/29084-74159-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skyrpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2616	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe
29084	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe
131168	skyrpe.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 29084	2616	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe	30
PID 2616 wrote to memory of 29084	2616	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe	30
PID 2616 wrote to memory of 29084	2616	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe	30
PID 2616 wrote to memory of 29084	2616	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe	30
PID 2616 wrote to memory of 29084	2616	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe	30
PID 2616 wrote to memory of 29084	2616	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe	30
PID 2616 wrote to memory of 29084	2616	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe	30
PID 2616 wrote to memory of 29084	2616	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe	30
PID 29084 wrote to memory of 29268	29084	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe	31
PID 29084 wrote to memory of 29268	29084	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe	31
PID 29084 wrote to memory of 29268	29084	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe	31
PID 29084 wrote to memory of 29268	29084	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe	31
PID 29268 wrote to memory of 131136	29268	cmd.exe	33
PID 29268 wrote to memory of 131136	29268	cmd.exe	33
PID 29268 wrote to memory of 131136	29268	cmd.exe	33
PID 29268 wrote to memory of 131136	29268	cmd.exe	33
PID 29084 wrote to memory of 131168	29084	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe	34
PID 29084 wrote to memory of 131168	29084	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe	34
PID 29084 wrote to memory of 131168	29084	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe	34
PID 29084 wrote to memory of 131168	29084	656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe	34

C:\Users\Admin\AppData\Local\Temp\656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe
"C:\Users\Admin\AppData\Local\Temp\656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Local\Temp\656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe
  "C:\Users\Admin\AppData\Local\Temp\656983f86603152e5f5706b132f802bd42de5ad68923494c29d8a9e8bd5b730eN.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:29084
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\QUGHE.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:29268
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Skype" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:131136
- - C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe
    "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:131168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QUGHE.bat

Filesize
139B

MD5
0654f004b2e314bad7f75867e91da37d

SHA1
4232c22e7340b12108d86e3cb35ed288a3dbc7f1

SHA256
ead325a060300a9606a3f0f14694be39a3e4006a60c6c3eb0bea5d6f98192249

SHA512
dda135cdfca90a742d42b4c7a5e7f5df6580ec428302a8f0c311f5b92eb08dda75774e0c7497110faffbe2dfa02b30d2dfe35ec2848a275f53be8d930c7aa553

Download Submit
\Users\Admin\AppData\Roaming\skype\skyrpe.exe

Filesize
308KB

MD5
54b8ea87092a8398ad979e685762e2e9

SHA1
d100ec77c885f8253cbd5a83428e1f1dbbbdfdc0

SHA256
875305f15a6d0dfc2422536bf845ae6e3537e7efdc0c36ed0c115d24d56740f7

SHA512
c00595e848ac7cc3328ab90f2b1a0ae1702f45b4d42c0720ad491ec8d3f938131e4ce9249a867891b495622352cca7ed0377936397450082cbf0c245e3b9310f

Download Submit
memory/2616-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/29084-73959-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/29084-73961-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/29084-73963-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/29084-73965-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/29084-73966-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/29084-73967-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/29084-73968-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/29084-74159-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/29084-147905-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads