5cf202837c24442de4f09ee9a152c77f911b405541fd30567bcc370ef61f5f75

General

Target

notepad.exe
Size

2.8MB
MD5

4930920087503d221d8bb13e1514620b
SHA1

07e2d9be6cce22e6b1b44992acf2d536c3675e07
SHA256

5cf202837c24442de4f09ee9a152c77f911b405541fd30567bcc370ef61f5f75
SHA512

9204d17902fb794600e5efb538f0269340393a84cf3c72ceb27884ab1f5f215a46c42a9f5de457167953d9bcdf7148d9a3b12d22812347af20e5e073a2802f0f

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4036-119-0x0000000000400000-0x0000000000A16000-memory.dmp	upx
behavioral2/memory/4036-120-0x0000000000400000-0x0000000000A16000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url	wscript.exe

Suspicious use of SetThreadContext 17 IoCs

Processes:

notepad.exenotepad.exe

description	pid	process	target process
PID 4084 set thread context of 1484	4084	notepad.exe	notepad.exe
PID 1484 set thread context of 4036	1484	notepad.exe	notepad.exe
PID 1484 set thread context of 2792	1484	notepad.exe	notepad.exe
PID 1484 set thread context of 3880	1484	notepad.exe	notepad.exe
PID 1484 set thread context of 2440	1484	notepad.exe	notepad.exe
PID 1484 set thread context of 4088	1484	notepad.exe	notepad.exe
PID 1484 set thread context of 1192	1484	notepad.exe	notepad.exe
PID 1484 set thread context of 784	1484	notepad.exe	notepad.exe
PID 1484 set thread context of 3856	1484	notepad.exe	notepad.exe
PID 1484 set thread context of 2192	1484	notepad.exe	notepad.exe
PID 1484 set thread context of 184	1484	notepad.exe	notepad.exe
PID 1484 set thread context of 636	1484	notepad.exe	notepad.exe
PID 1484 set thread context of 4020	1484	notepad.exe	notepad.exe
PID 1484 set thread context of 1556	1484	notepad.exe	notepad.exe
PID 1484 set thread context of 4088	1484	notepad.exe	notepad.exe
PID 1484 set thread context of 3692	1484	notepad.exe	notepad.exe
PID 1484 set thread context of 2740	1484	notepad.exe	notepad.exe

Program crash 16 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2724	4036	WerFault.exe	notepad.exe
1136	2792	WerFault.exe	notepad.exe
4084	3880	WerFault.exe	notepad.exe
1000	2440	WerFault.exe	notepad.exe
1548	4088	WerFault.exe	notepad.exe
3944	1192	WerFault.exe	notepad.exe
2220	784	WerFault.exe	notepad.exe
1004	3856	WerFault.exe	notepad.exe
2652	2192	WerFault.exe	notepad.exe
4008	184	WerFault.exe	notepad.exe
4012	636	WerFault.exe	notepad.exe
2156	4020	WerFault.exe	notepad.exe
3052	1556	WerFault.exe	notepad.exe
3944	4088	WerFault.exe	notepad.exe
2932	3692	WerFault.exe	notepad.exe
3860	2740	WerFault.exe	notepad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

notepad.exe

pid	process
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe
1484	notepad.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

notepad.exe

description	pid	process
Token: SeDebugPrivilege	1484	notepad.exe
Token: SeDebugPrivilege	1484	notepad.exe
Token: SeDebugPrivilege	1484	notepad.exe
Token: SeDebugPrivilege	1484	notepad.exe
Token: SeDebugPrivilege	1484	notepad.exe
Token: SeDebugPrivilege	1484	notepad.exe
Token: SeDebugPrivilege	1484	notepad.exe
Token: SeDebugPrivilege	1484	notepad.exe
Token: SeDebugPrivilege	1484	notepad.exe
Token: SeDebugPrivilege	1484	notepad.exe
Token: SeDebugPrivilege	1484	notepad.exe
Token: SeDebugPrivilege	1484	notepad.exe
Token: SeDebugPrivilege	1484	notepad.exe
Token: SeDebugPrivilege	1484	notepad.exe
Token: SeDebugPrivilege	1484	notepad.exe
Token: SeDebugPrivilege	1484	notepad.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

notepad.exe

pid process

4084 notepad.exe

pid	process
4084	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

notepad.exenotepad.execmd.exe

description	pid	process	target process
PID 4084 wrote to memory of 1484	4084	notepad.exe	notepad.exe
PID 4084 wrote to memory of 1484	4084	notepad.exe	notepad.exe
PID 4084 wrote to memory of 1484	4084	notepad.exe	notepad.exe
PID 4084 wrote to memory of 1484	4084	notepad.exe	notepad.exe
PID 4084 wrote to memory of 1484	4084	notepad.exe	notepad.exe
PID 4084 wrote to memory of 1484	4084	notepad.exe	notepad.exe
PID 4084 wrote to memory of 1484	4084	notepad.exe	notepad.exe
PID 4084 wrote to memory of 1484	4084	notepad.exe	notepad.exe
PID 4084 wrote to memory of 1484	4084	notepad.exe	notepad.exe
PID 1484 wrote to memory of 4036	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 4036	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 4036	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 4036	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 4036	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 4036	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 4036	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 4036	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 2792	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 2792	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 2792	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 2792	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 2792	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 2792	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 2792	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 2792	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 3880	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 3880	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 3880	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 3880	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 3880	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 3880	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 3880	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 3880	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 1576	1484	notepad.exe	cmd.exe
PID 1484 wrote to memory of 1576	1484	notepad.exe	cmd.exe
PID 1484 wrote to memory of 1576	1484	notepad.exe	cmd.exe
PID 1576 wrote to memory of 3024	1576	cmd.exe	wscript.exe
PID 1576 wrote to memory of 3024	1576	cmd.exe	wscript.exe
PID 1576 wrote to memory of 3024	1576	cmd.exe	wscript.exe
PID 1484 wrote to memory of 1576	1484	notepad.exe	cmd.exe
PID 1484 wrote to memory of 1576	1484	notepad.exe	cmd.exe
PID 1484 wrote to memory of 2440	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 2440	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 2440	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 2440	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 2440	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 2440	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 2440	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 2440	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 4088	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 4088	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 4088	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 4088	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 4088	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 4088	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 4088	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 4088	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 1192	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 1192	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 1192	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 1192	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 1192	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 1192	1484	notepad.exe	notepad.exe
PID 1484 wrote to memory of 1192	1484	notepad.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\notepad.exe
"C:\Users\Admin\AppData\Local\Temp\notepad.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\AppData\Local\Temp\notepad.exe
"C:\Users\Admin\AppData\Local\Temp\notepad.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:4036

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4036 -s 180
4⤵
- Program crash
PID:2724

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:2792

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2792 -s 180
4⤵
- Program crash
PID:1136

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:3880

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3880 -s 180
4⤵
- Program crash
PID:4084

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C WScript "C:\ProgramData\LKBNMTFJgl\r.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\wscript.exe
WScript "C:\ProgramData\LKBNMTFJgl\r.vbs"
4⤵
- Drops startup file
PID:3024

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:2440

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2440 -s 180
4⤵
- Program crash
PID:1000

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:4088

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4088 -s 180
4⤵
- Program crash
PID:1548

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:1192

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1192 -s 180
4⤵
- Program crash
PID:3944

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:784

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 784 -s 180
4⤵
- Program crash
PID:2220

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:3856

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3856 -s 188
4⤵
- Program crash
PID:1004

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:2192

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2192 -s 180
4⤵
- Program crash
PID:2652

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 184 -s 192
4⤵
- Program crash
PID:4008

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:636

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 636 -s 180
4⤵
- Program crash
PID:4012

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:4020

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4020 -s 180
4⤵
- Program crash
PID:2156

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:1556

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1556 -s 180
4⤵
- Program crash
PID:3052

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:4088

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4088 -s 180
4⤵
- Program crash
PID:3944

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:3692

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3692 -s 180
4⤵
- Program crash
PID:2932

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:2740

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2740 -s 188
4⤵
- Program crash
PID:3860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\LKBNMTFJgl\r.vbs
MD5
19b2d791962e01151e4b6a40a90e8cd8

SHA1
a1ee500267dd1d457b3f840f8a00ba808bb46eb3

SHA256
67824e30ec5d2b61ffb266e8a37e9b929e82d507d09d21961b8293c99816c664

SHA512
4d39fd8f11e86490041190f1419273c702ccd85dcc603e5d7acc9d55cc60031ef1f7cc901a2c09b46d6bdc560a4c81d464c8495e7f9e8707ec7cd999f49c49fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url
MD5
e03e6937ba1878ace3d849b233adecfe

SHA1
affbb4f8b53af6cf35660b775a0a8f70fb95f8b5

SHA256
9846a8975f8e2dbc96cd18d5015c03b4d8226fddf69bcb99a0610c855b0a9e6d

SHA512
99ea03b8635d89409c6e65dc1dd1e995eac8c02e373f3b01faa7d715f347722075cc0d5d629914399505a2ca8ffb80bfa8cafa9d99a2e702d1fcd94fb0baeca9

Download Submit
memory/184-171-0x0000000000A14AA0-mapping.dmp

Download
memory/636-176-0x0000000000A14AA0-mapping.dmp

Download
memory/784-156-0x0000000000A14AA0-mapping.dmp

Download
memory/1192-151-0x0000000000A14AA0-mapping.dmp

Download
memory/1484-116-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1484-118-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1484-117-0x0000000000404470-mapping.dmp

Download
memory/1556-186-0x0000000000A14AA0-mapping.dmp

Download
memory/1576-134-0x0000000000000000-mapping.dmp

Download
memory/1576-137-0x00000000036E0000-0x00000000038B4000-memory.dmp

Filesize
1.8MB

Download
memory/2192-166-0x0000000000A14AA0-mapping.dmp

Download
memory/2440-141-0x0000000000A14AA0-mapping.dmp

Download
memory/2740-200-0x0000000000A14AA0-mapping.dmp

Download
memory/2792-126-0x0000000000A14AA0-mapping.dmp

Download
memory/3024-135-0x0000000000000000-mapping.dmp

Download
memory/3692-196-0x0000000000A14AA0-mapping.dmp

Download
memory/3856-161-0x0000000000A14AA0-mapping.dmp

Download
memory/3880-131-0x0000000000A14AA0-mapping.dmp

Download
memory/4020-181-0x0000000000A14AA0-mapping.dmp

Download
memory/4036-121-0x0000000000A14AA0-mapping.dmp

Download
memory/4036-119-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4036-120-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4088-189-0x0000000000400000-0x0000000000400138-memory.dmp

Filesize
312B

Download
memory/4088-191-0x0000000000A14AA0-mapping.dmp

Download
memory/4088-146-0x0000000000A14AA0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads