1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc

General

Target

1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe
Size

1.5MB
MD5

42d1afbca40a7d397d29386101bd4dd4
SHA1

be1187fc901b747ee1b32af6363eddc23fa56f94
SHA256

1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc
SHA512

a106e4525ae0f3c3ff7b80a71d05a9456cafdac6c7c10a08cc3b767441966dbdb77ae1a11431f37ac4946be175fe2f00f5c5f96234196f19d292b3397c11465d

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1836-35-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1836-39-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1836-40-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe

description	pid	process	target process
PID 112 set thread context of 1396	112	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe	svchost.exe
PID 112 set thread context of 1836	112	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exesvchost.exe1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe

pid	process
112	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe
1396	svchost.exe
1836	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe

description	pid	process	target process
PID 112 wrote to memory of 1396	112	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe	svchost.exe
PID 112 wrote to memory of 1396	112	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe	svchost.exe
PID 112 wrote to memory of 1396	112	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe	svchost.exe
PID 112 wrote to memory of 1396	112	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe	svchost.exe
PID 112 wrote to memory of 1396	112	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe	svchost.exe
PID 112 wrote to memory of 1396	112	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe	svchost.exe
PID 112 wrote to memory of 1396	112	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe	svchost.exe
PID 112 wrote to memory of 1396	112	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe	svchost.exe
PID 112 wrote to memory of 1396	112	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe	svchost.exe
PID 112 wrote to memory of 1396	112	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe	svchost.exe
PID 112 wrote to memory of 1836	112	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe
PID 112 wrote to memory of 1836	112	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe
PID 112 wrote to memory of 1836	112	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe
PID 112 wrote to memory of 1836	112	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe
PID 112 wrote to memory of 1836	112	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe
PID 112 wrote to memory of 1836	112	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe
PID 112 wrote to memory of 1836	112	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe
PID 112 wrote to memory of 1836	112	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe	1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe

C:\Users\Admin\AppData\Local\Temp\1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe
"C:\Users\Admin\AppData\Local\Temp\1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Users\Admin\AppData\Local\Temp\1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe
"C:\Users\Admin\AppData\Local\Temp\1baf22dc62474324dd17936b25c461beb7890d35c29df742f918764ffeb065bc.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/112-2-0x0000000000756000-0x0000000000757000-memory.dmp

Filesize
4KB

Download
memory/112-3-0x0000000000756000-0x0000000000757000-memory.dmp

Filesize
4KB

Download
memory/112-4-0x0000000000756000-0x0000000000757000-memory.dmp

Filesize
4KB

Download
memory/112-5-0x0000000000756000-0x0000000000757000-memory.dmp

Filesize
4KB

Download
memory/112-6-0x0000000000756000-0x0000000000757000-memory.dmp

Filesize
4KB

Download
memory/112-7-0x0000000000756000-0x0000000000757000-memory.dmp

Filesize
4KB

Download
memory/112-8-0x0000000000756000-0x0000000000757000-memory.dmp

Filesize
4KB

Download
memory/112-9-0x0000000000756000-0x0000000000757000-memory.dmp

Filesize
4KB

Download
memory/112-10-0x0000000000756000-0x0000000000757000-memory.dmp

Filesize
4KB

Download
memory/112-11-0x0000000000756000-0x0000000000757000-memory.dmp

Filesize
4KB

Download
memory/112-12-0x0000000000756000-0x0000000000757000-memory.dmp

Filesize
4KB

Download
memory/112-13-0x0000000000756000-0x0000000000757000-memory.dmp

Filesize
4KB

Download
memory/112-16-0x0000000000756000-0x0000000000757000-memory.dmp

Filesize
4KB

Download
memory/112-17-0x0000000000756000-0x0000000000757000-memory.dmp

Filesize
4KB

Download
memory/112-18-0x0000000000756000-0x0000000000757000-memory.dmp

Filesize
4KB

Download
memory/112-19-0x0000000000756000-0x0000000000757000-memory.dmp

Filesize
4KB

Download
memory/112-22-0x0000000000756000-0x0000000000757000-memory.dmp

Filesize
4KB

Download
memory/112-23-0x0000000000756000-0x0000000000757000-memory.dmp

Filesize
4KB

Download
memory/112-24-0x0000000000756000-0x0000000000757000-memory.dmp

Filesize
4KB

Download
memory/112-25-0x0000000000756000-0x0000000000757000-memory.dmp

Filesize
4KB

Download
memory/112-26-0x0000000000758000-0x0000000000759000-memory.dmp

Filesize
4KB

Download
memory/112-27-0x0000000000758000-0x0000000000759000-memory.dmp

Filesize
4KB

Download
memory/112-28-0x0000000000756000-0x0000000000757000-memory.dmp

Filesize
4KB

Download
memory/112-29-0x0000000000756000-0x0000000000757000-memory.dmp

Filesize
4KB

Download
memory/112-30-0x0000000000756000-0x0000000000757000-memory.dmp

Filesize
4KB

Download
memory/1396-31-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1396-32-0x000000000040B000-mapping.dmp

Download
memory/1396-34-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1396-33-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1836-35-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1836-37-0x00000000004085D0-mapping.dmp

Download
memory/1836-39-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1836-40-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads