e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f

General

Target

e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe
Size

1.5MB
MD5

7cc85df763a92dfc8c4102121b931cc2
SHA1

334842967271d72a6d5e12c60c484fd5acb92be1
SHA256

e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f
SHA512

3606a6d7d0850ba4b16b34e889b280c0a2ebf95c40e6b45cd6dec6a6103192c1d5a9819e7b9dd4dbf8dc04f034be468eda2a47ef8d745c0a4a66c4d405e07ce9

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1648-34-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1648-39-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1648-40-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe

description	pid	process	target process
PID 900 set thread context of 1072	900	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe	svchost.exe
PID 900 set thread context of 1648	900	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe
1072	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exesvchost.exee03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe

pid	process
900	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe
1072	svchost.exe
1648	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe

description	pid	process	target process
PID 900 wrote to memory of 1072	900	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe	svchost.exe
PID 900 wrote to memory of 1072	900	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe	svchost.exe
PID 900 wrote to memory of 1072	900	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe	svchost.exe
PID 900 wrote to memory of 1072	900	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe	svchost.exe
PID 900 wrote to memory of 1072	900	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe	svchost.exe
PID 900 wrote to memory of 1072	900	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe	svchost.exe
PID 900 wrote to memory of 1072	900	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe	svchost.exe
PID 900 wrote to memory of 1072	900	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe	svchost.exe
PID 900 wrote to memory of 1072	900	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe	svchost.exe
PID 900 wrote to memory of 1072	900	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe	svchost.exe
PID 900 wrote to memory of 1648	900	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe
PID 900 wrote to memory of 1648	900	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe
PID 900 wrote to memory of 1648	900	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe
PID 900 wrote to memory of 1648	900	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe
PID 900 wrote to memory of 1648	900	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe
PID 900 wrote to memory of 1648	900	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe
PID 900 wrote to memory of 1648	900	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe
PID 900 wrote to memory of 1648	900	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe	e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe

C:\Users\Admin\AppData\Local\Temp\e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe
"C:\Users\Admin\AppData\Local\Temp\e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1072

C:\Users\Admin\AppData\Local\Temp\e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe
"C:\Users\Admin\AppData\Local\Temp\e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/900-22-0x00000000002F6000-0x00000000002F7000-memory.dmp

Filesize
4KB

Download
memory/900-9-0x00000000002F6000-0x00000000002F7000-memory.dmp

Filesize
4KB

Download
memory/900-4-0x00000000002F6000-0x00000000002F7000-memory.dmp

Filesize
4KB

Download
memory/900-2-0x00000000002F6000-0x00000000002F7000-memory.dmp

Filesize
4KB

Download
memory/900-6-0x00000000002F6000-0x00000000002F7000-memory.dmp

Filesize
4KB

Download
memory/900-7-0x00000000002F6000-0x00000000002F7000-memory.dmp

Filesize
4KB

Download
memory/900-8-0x00000000002F6000-0x00000000002F7000-memory.dmp

Filesize
4KB

Download
memory/900-23-0x00000000002F6000-0x00000000002F7000-memory.dmp

Filesize
4KB

Download
memory/900-10-0x00000000002F6000-0x00000000002F7000-memory.dmp

Filesize
4KB

Download
memory/900-11-0x00000000002F6000-0x00000000002F7000-memory.dmp

Filesize
4KB

Download
memory/900-12-0x00000000002F6000-0x00000000002F7000-memory.dmp

Filesize
4KB

Download
memory/900-13-0x00000000002F6000-0x00000000002F7000-memory.dmp

Filesize
4KB

Download
memory/900-16-0x00000000002F6000-0x00000000002F7000-memory.dmp

Filesize
4KB

Download
memory/900-24-0x00000000002F6000-0x00000000002F7000-memory.dmp

Filesize
4KB

Download
memory/900-18-0x00000000002F6000-0x00000000002F7000-memory.dmp

Filesize
4KB

Download
memory/900-19-0x00000000002F6000-0x00000000002F7000-memory.dmp

Filesize
4KB

Download
memory/900-5-0x00000000002F6000-0x00000000002F7000-memory.dmp

Filesize
4KB

Download
memory/900-3-0x00000000002F6000-0x00000000002F7000-memory.dmp

Filesize
4KB

Download
memory/900-17-0x00000000002F6000-0x00000000002F7000-memory.dmp

Filesize
4KB

Download
memory/900-25-0x00000000002F6000-0x00000000002F7000-memory.dmp

Filesize
4KB

Download
memory/900-26-0x00000000002F8000-0x00000000002F9000-memory.dmp

Filesize
4KB

Download
memory/900-27-0x00000000002F8000-0x00000000002F9000-memory.dmp

Filesize
4KB

Download
memory/900-28-0x00000000002F6000-0x00000000002F7000-memory.dmp

Filesize
4KB

Download
memory/900-29-0x00000000002F6000-0x00000000002F7000-memory.dmp

Filesize
4KB

Download
memory/900-30-0x00000000002F6000-0x00000000002F7000-memory.dmp

Filesize
4KB

Download
memory/1072-31-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1072-32-0x000000000040B000-mapping.dmp

Download
memory/1072-33-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1072-35-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1648-34-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1648-37-0x00000000004085D0-mapping.dmp

Download
memory/1648-39-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1648-40-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads