Analysis
max time kernel: 117s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/11/2024, 19:09
Behavioral task: behavioral1
Sample: 3aa51a1301c959c76d2d0502b1c82f274365ba8044891e879cb04f9db76839e2.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 3aa51a1301c959c76d2d0502b1c82f274365ba8044891e879cb04f9db76839e2.exe
Resource: win10v2004-20241007-en
General
Target: 3aa51a1301c959c76d2d0502b1c82f274365ba8044891e879cb04f9db76839e2.exe
Size: 93KB
MD5: a35fb3db2a4c592b19db3f8ac2f64bbc
SHA1: c3941549e5bc214fe8014b0b1ba4d25158a2530e
SHA256: 3aa51a1301c959c76d2d0502b1c82f274365ba8044891e879cb04f9db76839e2
SHA512: 09513f52a128783e72f03819f50145ddc929254021737612922b1859de943a99ccaab2097f2382043c09b19eca99d8725a2143e1cc4ca80e7adaf6be388092f7
SSDEEP: 1536:XEZFdJ1sQMwurs+p59VK1DAcwBGTHQk/TYNyZO6ZK+/e2roQLKtUNj81h9:srTMw2npL0VpxZDm2rZG4yh9
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cmpku.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | cmpku.exe
Executes dropped EXE (2 IoCs)
pid | Process
5028 | cmpku.exe
5000 | cmpku.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\Shell = "c:\\windows\\system\\mainsv.exe" | 3aa51a1301c959c76d2d0502b1c82f274365ba8044891e879cb04f9db76839e2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntcheck = "C:\\Windows\\mapserver.exe" | 3aa51a1301c959c76d2d0502b1c82f274365ba8044891e879cb04f9db76839e2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Cmpnt = "c:\\windows\\system\\mainsv.exe" | 3aa51a1301c959c76d2d0502b1c82f274365ba8044891e879cb04f9db76839e2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cmpnt = "C:\\Windows\\system\\cmpku.exe" | cmpku.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\Shell = "c:\\windows\\system\\mainsv.exe" | cmpku.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntcheck = "C:\\Windows\\mapserver.exe" | cmpku.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Cmpnt = "c:\\windows\\system\\mainsv.exe" | cmpku.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cmpnt = "C:\\Windows\\system\\cmpku.exe" | 3aa51a1301c959c76d2d0502b1c82f274365ba8044891e879cb04f9db76839e2.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\u: | cmpku.exe
File opened (read-only) | \??\v: | cmpku.exe
File opened (read-only) | \??\a: | cmpku.exe
File opened (read-only) | \??\g: | cmpku.exe
File opened (read-only) | \??\k: | cmpku.exe
File opened (read-only) | \??\p: | cmpku.exe
File opened (read-only) | \??\q: | cmpku.exe
File opened (read-only) | \??\r: | cmpku.exe
File opened (read-only) | \??\y: | cmpku.exe
File opened (read-only) | \??\i: | cmpku.exe
File opened (read-only) | \??\j: | cmpku.exe
File opened (read-only) | \??\n: | cmpku.exe
File opened (read-only) | \??\s: | cmpku.exe
File opened (read-only) | \??\w: | cmpku.exe
File opened (read-only) | \??\t: | cmpku.exe
File opened (read-only) | \??\x: | cmpku.exe
File opened (read-only) | \??\b: | cmpku.exe
File opened (read-only) | \??\e: | cmpku.exe
File opened (read-only) | \??\h: | cmpku.exe
File opened (read-only) | \??\l: | cmpku.exe
File opened (read-only) | \??\m: | cmpku.exe
File opened (read-only) | \??\o: | cmpku.exe
File opened (read-only) | \??\z: | cmpku.exe
Drops autorun.inf file (1 TTPs, 6 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | \??\f:\Autorun.inf | cmpku.exe
File opened for modification | \??\d:\autorun.inf | cmpku.exe
File created | \??\d:\autorun.inf | cmpku.exe
File opened for modification | \??\d:\Autorun.inf | cmpku.exe
File opened for modification | \??\f:\autorun.inf | cmpku.exe
File created | \??\f:\autorun.inf | cmpku.exe
resource | yara_rule
behavioral2/memory/2184-0-0x0000000000400000-0x0000000000426000-memory.dmp | upx
behavioral2/files/0x0008000000023c61-7.dat | upx
behavioral2/memory/5000-25-0x0000000000400000-0x0000000000426000-memory.dmp | upx
behavioral2/memory/5000-30-0x0000000000400000-0x0000000000426000-memory.dmp | upx
behavioral2/memory/2184-31-0x0000000000400000-0x0000000000426000-memory.dmp | upx
behavioral2/memory/5028-32-0x0000000000400000-0x0000000000426000-memory.dmp | upx
behavioral2/memory/5028-39-0x0000000000400000-0x0000000000426000-memory.dmp | upx
behavioral2/memory/5028-47-0x0000000000400000-0x0000000000426000-memory.dmp | upx
behavioral2/memory/5028-55-0x0000000000400000-0x0000000000426000-memory.dmp | upx
behavioral2/memory/5028-64-0x0000000000400000-0x0000000000426000-memory.dmp | upx
behavioral2/memory/5028-72-0x0000000000400000-0x0000000000426000-memory.dmp | upx
behavioral2/memory/5028-80-0x0000000000400000-0x0000000000426000-memory.dmp | upx
behavioral2/memory/5028-89-0x0000000000400000-0x0000000000426000-memory.dmp | upx
behavioral2/memory/5028-97-0x0000000000400000-0x0000000000426000-memory.dmp | upx
Drops file in Windows directory (19 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system\cmpku.exe | cmpku.exe
File opened for modification | C:\Windows\system\mainsv.exe | cmpku.exe
File opened for modification | C:\Windows\system\cmpkunt.exe | cmpku.exe
File created | C:\Windows\mapserver.exe | cmpku.exe
File created | C:\Windows\mapserver.exe | 3aa51a1301c959c76d2d0502b1c82f274365ba8044891e879cb04f9db76839e2.exe
File opened for modification | C:\Windows\system\MSWINSCK.OCX | cmpku.exe
File opened for modification | C:\Windows\mapserver.exe | 3aa51a1301c959c76d2d0502b1c82f274365ba8044891e879cb04f9db76839e2.exe
File created | C:\Windows\system\cmpkunt.exe | 3aa51a1301c959c76d2d0502b1c82f274365ba8044891e879cb04f9db76839e2.exe
File opened for modification | C:\Windows\system\cmpkunt.exe | 3aa51a1301c959c76d2d0502b1c82f274365ba8044891e879cb04f9db76839e2.exe
File created | C:\Windows\system\cmpku.exe | cmpku.exe
File created | C:\Windows\system\mainsv.exe | cmpku.exe
File opened for modification | C:\Windows\mapserver.exe | cmpku.exe
File opened for modification | C:\Windows\win.ini | cmpku.exe
File created | C:\Windows\system\MSWINSCK.OCX | cmpku.exe
File created | C:\Windows\system\cmpku.exe | 3aa51a1301c959c76d2d0502b1c82f274365ba8044891e879cb04f9db76839e2.exe
File created | C:\Windows\system\mainsv.exe | 3aa51a1301c959c76d2d0502b1c82f274365ba8044891e879cb04f9db76839e2.exe
File opened for modification | C:\Windows\system\mainsv.exe | 3aa51a1301c959c76d2d0502b1c82f274365ba8044891e879cb04f9db76839e2.exe
File opened for modification | C:\Windows\MSWINSCK.OCX | cmpku.exe
File opened for modification | C:\Windows\system\cmpku.exe | 3aa51a1301c959c76d2d0502b1c82f274365ba8044891e879cb04f9db76839e2.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3aa51a1301c959c76d2d0502b1c82f274365ba8044891e879cb04f9db76839e2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmpku.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmpku.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
2184 | 3aa51a1301c959c76d2d0502b1c82f274365ba8044891e879cb04f9db76839e2.exe
5028 | cmpku.exe
5000 | cmpku.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2184 wrote to memory of 5028 | 2184 | 3aa51a1301c959c76d2d0502b1c82f274365ba8044891e879cb04f9db76839e2.exe | 84
PID 2184 wrote to memory of 5028 | 2184 | 3aa51a1301c959c76d2d0502b1c82f274365ba8044891e879cb04f9db76839e2.exe | 84
PID 2184 wrote to memory of 5028 | 2184 | 3aa51a1301c959c76d2d0502b1c82f274365ba8044891e879cb04f9db76839e2.exe | 84
PID 5028 wrote to memory of 5000 | 5028 | cmpku.exe | 86
PID 5028 wrote to memory of 5000 | 5028 | cmpku.exe | 86
PID 5028 wrote to memory of 5000 | 5028 | cmpku.exe | 86
Processes
1. C:\Users\Admin\AppData\Local\Temp\3aa51a1301c959c76d2d0502b1c82f274365ba8044891e879cb04f9db76839e2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3aa51a1301c959c76d2d0502b1c82f274365ba8044891e879cb04f9db76839e2.exe"
   PID: 2184
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system\cmpku.exe
      Command line: C:\Windows\system\cmpku.exe
      PID: 5028
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system\cmpku.exe
         Command line: C:\Windows\system\cmpku.exe
         PID: 5000
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (3)
Downloads
File 1
Filesize: 93KB
MD5: a35fb3db2a4c592b19db3f8ac2f64bbc
SHA1: c3941549e5bc214fe8014b0b1ba4d25158a2530e
SHA256: 3aa51a1301c959c76d2d0502b1c82f274365ba8044891e879cb04f9db76839e2
SHA512: 09513f52a128783e72f03819f50145ddc929254021737612922b1859de943a99ccaab2097f2382043c09b19eca99d8725a2143e1cc4ca80e7adaf6be388092f7
File 2
Filesize: 31B
MD5: eefb9ce493df51d7e13df5ba2c6cbdc4
SHA1: 259565dd79e23a38931d3533b39cbfeeddeedc01
SHA256: f8e229a505c434c07def9f5d5982c060fd29a445a887499893059a1f47747549
SHA512: 23f17169b06d18b6828462354fb586cbff7307a66598c2a888813d18a5eb24d504a89b73fd0c28e2e7c35cedb53c64faa39263f726eff28fc5b09477b5fa31f7