052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab

General

Target

052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe
Size

1.5MB
MD5

2b5fba7f10b88271d914c41b330435fd
SHA1

8099fa14e66909326124db5eba9e6c0cff13d90e
SHA256

052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab
SHA512

f3c8cab666c8ef74c93afd5ed8089ba79789adaedacacef1f5259833e4dc454b1b17ed7a3c87d4130dfb7569ba0cc61f2c6480796136ebc38df27a74915eb374

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2044-35-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2044-38-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2044-40-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe

description	pid	process	target process
PID 364 set thread context of 1116	364	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe	svchost.exe
PID 364 set thread context of 2044	364	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exesvchost.exe052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe

pid	process
364	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe
1116	svchost.exe
2044	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe

description	pid	process	target process
PID 364 wrote to memory of 1116	364	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe	svchost.exe
PID 364 wrote to memory of 1116	364	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe	svchost.exe
PID 364 wrote to memory of 1116	364	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe	svchost.exe
PID 364 wrote to memory of 1116	364	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe	svchost.exe
PID 364 wrote to memory of 1116	364	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe	svchost.exe
PID 364 wrote to memory of 1116	364	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe	svchost.exe
PID 364 wrote to memory of 1116	364	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe	svchost.exe
PID 364 wrote to memory of 1116	364	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe	svchost.exe
PID 364 wrote to memory of 1116	364	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe	svchost.exe
PID 364 wrote to memory of 1116	364	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe	svchost.exe
PID 364 wrote to memory of 2044	364	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe
PID 364 wrote to memory of 2044	364	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe
PID 364 wrote to memory of 2044	364	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe
PID 364 wrote to memory of 2044	364	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe
PID 364 wrote to memory of 2044	364	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe
PID 364 wrote to memory of 2044	364	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe
PID 364 wrote to memory of 2044	364	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe
PID 364 wrote to memory of 2044	364	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe	052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe

C:\Users\Admin\AppData\Local\Temp\052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe
"C:\Users\Admin\AppData\Local\Temp\052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1116

C:\Users\Admin\AppData\Local\Temp\052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe
"C:\Users\Admin\AppData\Local\Temp\052f94ad08bd9cee158f54a45c730567ebc2b4c21a856633591987062606b5ab.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:2044

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PXLWM.bat
MD5
92353035f01403e26aa2ff51c3963238

SHA1
d13f167c73bfce23a2deab8ce7c4ce9f78759ff4

SHA256
2e72a8542f8f809bfb1e4adfb481c7c5e6dc00dda7970c74692ba8d83ea0a870

SHA512
74560e33477caae3c7bc13914e4ae3c6911bbcfe257b2833155c236a158db0aca17478beb9d97f648ff1ea566005260f511361771c74203195107f4e82cce7df

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
e10cbe30ca5ad3b219bcdbfccb588592

SHA1
4e98f34ad9a3d3fa5af2e3a3a07173e6f7f8f90b

SHA256
a73a21904b5c03e4f9289880a7fd9fc5e446d766da61b95d54fea0fd03139fad

SHA512
be9bda94381115659b7eb1c54116ee8c1e7381231e4902fe1fb96d4bbb0530a4626a24a26fc27423f1468712afea097bd5734aa7e1be208f36d367edebd08443

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
e10cbe30ca5ad3b219bcdbfccb588592

SHA1
4e98f34ad9a3d3fa5af2e3a3a07173e6f7f8f90b

SHA256
a73a21904b5c03e4f9289880a7fd9fc5e446d766da61b95d54fea0fd03139fad

SHA512
be9bda94381115659b7eb1c54116ee8c1e7381231e4902fe1fb96d4bbb0530a4626a24a26fc27423f1468712afea097bd5734aa7e1be208f36d367edebd08443

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
e10cbe30ca5ad3b219bcdbfccb588592

SHA1
4e98f34ad9a3d3fa5af2e3a3a07173e6f7f8f90b

SHA256
a73a21904b5c03e4f9289880a7fd9fc5e446d766da61b95d54fea0fd03139fad

SHA512
be9bda94381115659b7eb1c54116ee8c1e7381231e4902fe1fb96d4bbb0530a4626a24a26fc27423f1468712afea097bd5734aa7e1be208f36d367edebd08443

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
e10cbe30ca5ad3b219bcdbfccb588592

SHA1
4e98f34ad9a3d3fa5af2e3a3a07173e6f7f8f90b

SHA256
a73a21904b5c03e4f9289880a7fd9fc5e446d766da61b95d54fea0fd03139fad

SHA512
be9bda94381115659b7eb1c54116ee8c1e7381231e4902fe1fb96d4bbb0530a4626a24a26fc27423f1468712afea097bd5734aa7e1be208f36d367edebd08443

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
e10cbe30ca5ad3b219bcdbfccb588592

SHA1
4e98f34ad9a3d3fa5af2e3a3a07173e6f7f8f90b

SHA256
a73a21904b5c03e4f9289880a7fd9fc5e446d766da61b95d54fea0fd03139fad

SHA512
be9bda94381115659b7eb1c54116ee8c1e7381231e4902fe1fb96d4bbb0530a4626a24a26fc27423f1468712afea097bd5734aa7e1be208f36d367edebd08443

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
e10cbe30ca5ad3b219bcdbfccb588592

SHA1
4e98f34ad9a3d3fa5af2e3a3a07173e6f7f8f90b

SHA256
a73a21904b5c03e4f9289880a7fd9fc5e446d766da61b95d54fea0fd03139fad

SHA512
be9bda94381115659b7eb1c54116ee8c1e7381231e4902fe1fb96d4bbb0530a4626a24a26fc27423f1468712afea097bd5734aa7e1be208f36d367edebd08443

Download Submit
memory/364-27-0x0000000000648000-0x0000000000649000-memory.dmp

Filesize
4KB

Download
memory/364-28-0x0000000000646000-0x0000000000647000-memory.dmp

Filesize
4KB

Download
memory/364-12-0x0000000000646000-0x0000000000647000-memory.dmp

Filesize
4KB

Download
memory/364-11-0x0000000000646000-0x0000000000647000-memory.dmp

Filesize
4KB

Download
memory/364-13-0x0000000000646000-0x0000000000647000-memory.dmp

Filesize
4KB

Download
memory/364-16-0x0000000000646000-0x0000000000647000-memory.dmp

Filesize
4KB

Download
memory/364-17-0x0000000000646000-0x0000000000647000-memory.dmp

Filesize
4KB

Download
memory/364-18-0x0000000000646000-0x0000000000647000-memory.dmp

Filesize
4KB

Download
memory/364-25-0x0000000000646000-0x0000000000647000-memory.dmp

Filesize
4KB

Download
memory/364-24-0x0000000000646000-0x0000000000647000-memory.dmp

Filesize
4KB

Download
memory/364-23-0x0000000000646000-0x0000000000647000-memory.dmp

Filesize
4KB

Download
memory/364-22-0x0000000000646000-0x0000000000647000-memory.dmp

Filesize
4KB

Download
memory/364-19-0x0000000000646000-0x0000000000647000-memory.dmp

Filesize
4KB

Download
memory/364-2-0x0000000000646000-0x0000000000647000-memory.dmp

Filesize
4KB

Download
memory/364-26-0x0000000000648000-0x0000000000649000-memory.dmp

Filesize
4KB

Download
memory/364-30-0x0000000000646000-0x0000000000647000-memory.dmp

Filesize
4KB

Download
memory/364-29-0x0000000000646000-0x0000000000647000-memory.dmp

Filesize
4KB

Download
memory/364-10-0x0000000000646000-0x0000000000647000-memory.dmp

Filesize
4KB

Download
memory/364-6-0x0000000000646000-0x0000000000647000-memory.dmp

Filesize
4KB

Download
memory/364-7-0x0000000000646000-0x0000000000647000-memory.dmp

Filesize
4KB

Download
memory/364-5-0x0000000000646000-0x0000000000647000-memory.dmp

Filesize
4KB

Download
memory/364-4-0x0000000000646000-0x0000000000647000-memory.dmp

Filesize
4KB

Download
memory/364-3-0x0000000000646000-0x0000000000647000-memory.dmp

Filesize
4KB

Download
memory/364-8-0x0000000000646000-0x0000000000647000-memory.dmp

Filesize
4KB

Download
memory/364-9-0x0000000000646000-0x0000000000647000-memory.dmp

Filesize
4KB

Download
memory/400-45-0x0000000000000000-mapping.dmp

Download
memory/1116-33-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1116-34-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1116-32-0x000000000040B000-mapping.dmp

Download
memory/1116-31-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1532-43-0x0000000000000000-mapping.dmp

Download
memory/1904-51-0x0000000000000000-mapping.dmp

Download
memory/2044-40-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2044-36-0x00000000004085D0-mapping.dmp

Download
memory/2044-38-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2044-35-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads