82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68

Analysis

max time kernel
149s
max time network
57s
platform
windows10_x64
resource
win10v20210408
submitted
15-05-2021 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
Size

1.5MB
MD5

823f26a80be46a78c0165bff11c19070
SHA1

d580906a344590011caf1f980143887a4a903c58
SHA256

82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68
SHA512

440b0721f5739c3310f73788809619c0cea0f7a46dabe7eb7cd69a99373cd8dda2876b7e49be0d7eaa9d1c7e89dda406e3659be7500050d90f8e707a6998d377

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3572-119-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral2/memory/3572-120-0x0000000000400000-0x0000000000504000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EJMbfDcdzM.url	wscript.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 800 set thread context of 3572	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	81
PID 800 set thread context of 2256	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	84
PID 800 set thread context of 2120	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	86
PID 800 set thread context of 3872	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	88
PID 800 set thread context of 684	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	90
PID 800 set thread context of 2648	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	92
PID 800 set thread context of 3180	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	94
PID 800 set thread context of 512	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	96
PID 800 set thread context of 2896	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	98
PID 800 set thread context of 1852	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	100

Program crash 10 IoCs

pid	pid_target	Process	procid_target
1260	3572	WerFault.exe	81
912	2256	WerFault.exe	84
3528	2120	WerFault.exe	86
2012	3872	WerFault.exe	88
3380	684	WerFault.exe	90
3908	2648	WerFault.exe	92
1420	3180	WerFault.exe	94
2920	512	WerFault.exe	96
2044	2896	WerFault.exe	98
3468	1852	WerFault.exe	100

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
Token: SeDebugPrivilege	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
Token: SeDebugPrivilege	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
Token: SeDebugPrivilege	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
Token: SeDebugPrivilege	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
Token: SeDebugPrivilege	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
Token: SeDebugPrivilege	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
Token: SeDebugPrivilege	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
Token: SeDebugPrivilege	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
Token: SeDebugPrivilege	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 200	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	78
PID 800 wrote to memory of 200	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	78
PID 800 wrote to memory of 200	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	78
PID 200 wrote to memory of 2036	200	cmd.exe	80
PID 200 wrote to memory of 2036	200	cmd.exe	80
PID 200 wrote to memory of 2036	200	cmd.exe	80
PID 800 wrote to memory of 3572	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	81
PID 800 wrote to memory of 3572	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	81
PID 800 wrote to memory of 3572	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	81
PID 800 wrote to memory of 3572	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	81
PID 800 wrote to memory of 3572	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	81
PID 800 wrote to memory of 3572	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	81
PID 800 wrote to memory of 3572	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	81
PID 800 wrote to memory of 3572	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	81
PID 800 wrote to memory of 2256	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	84
PID 800 wrote to memory of 2256	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	84
PID 800 wrote to memory of 2256	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	84
PID 800 wrote to memory of 2256	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	84
PID 800 wrote to memory of 2256	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	84
PID 800 wrote to memory of 2256	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	84
PID 800 wrote to memory of 2256	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	84
PID 800 wrote to memory of 2256	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	84
PID 800 wrote to memory of 2120	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	86
PID 800 wrote to memory of 2120	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	86
PID 800 wrote to memory of 2120	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	86
PID 800 wrote to memory of 2120	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	86
PID 800 wrote to memory of 2120	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	86
PID 800 wrote to memory of 2120	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	86
PID 800 wrote to memory of 2120	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	86
PID 800 wrote to memory of 2120	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	86
PID 800 wrote to memory of 3872	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	88
PID 800 wrote to memory of 3872	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	88
PID 800 wrote to memory of 3872	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	88
PID 800 wrote to memory of 3872	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	88
PID 800 wrote to memory of 3872	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	88
PID 800 wrote to memory of 3872	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	88
PID 800 wrote to memory of 3872	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	88
PID 800 wrote to memory of 3872	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	88
PID 800 wrote to memory of 684	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	90
PID 800 wrote to memory of 684	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	90
PID 800 wrote to memory of 684	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	90
PID 800 wrote to memory of 684	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	90
PID 800 wrote to memory of 684	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	90
PID 800 wrote to memory of 684	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	90
PID 800 wrote to memory of 684	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	90
PID 800 wrote to memory of 684	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	90
PID 800 wrote to memory of 2648	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	92
PID 800 wrote to memory of 2648	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	92
PID 800 wrote to memory of 2648	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	92
PID 800 wrote to memory of 2648	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	92
PID 800 wrote to memory of 2648	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	92
PID 800 wrote to memory of 2648	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	92
PID 800 wrote to memory of 2648	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	92
PID 800 wrote to memory of 2648	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	92
PID 800 wrote to memory of 3180	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	94
PID 800 wrote to memory of 3180	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	94
PID 800 wrote to memory of 3180	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	94
PID 800 wrote to memory of 3180	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	94
PID 800 wrote to memory of 3180	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	94
PID 800 wrote to memory of 3180	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	94
PID 800 wrote to memory of 3180	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	94
PID 800 wrote to memory of 3180	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	94
PID 800 wrote to memory of 512	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	96
PID 800 wrote to memory of 512	800	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	96

C:\Users\Admin\AppData\Local\Temp\82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
"C:\Users\Admin\AppData\Local\Temp\82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:800
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:200
- - C:\Windows\SysWOW64\wscript.exe
    WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
    3⤵
    - Drops startup file
    PID:2036
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\GCxcrhlcfj\cfgi"
  2⤵
  PID:3572
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3572 -s 180
    3⤵
    - Program crash
    PID:1260
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\GCxcrhlcfj\cfgi"
  2⤵
  PID:2256
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2256 -s 180
    3⤵
    - Program crash
    PID:912
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\GCxcrhlcfj\cfgi"
  2⤵
  PID:2120
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2120 -s 180
    3⤵
    - Program crash
    PID:3528
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\GCxcrhlcfj\cfgi"
  2⤵
  PID:3872
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3872 -s 180
    3⤵
    - Program crash
    PID:2012
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\GCxcrhlcfj\cfgi"
  2⤵
  PID:684
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 684 -s 116
    3⤵
    - Program crash
    PID:3380
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\GCxcrhlcfj\cfgi"
  2⤵
  PID:2648
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2648 -s 180
    3⤵
    - Program crash
    PID:3908
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\GCxcrhlcfj\cfgi"
  2⤵
  PID:3180
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3180 -s 180
    3⤵
    - Program crash
    PID:1420
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\GCxcrhlcfj\cfgi"
  2⤵
  PID:512
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 512 -s 180
    3⤵
    - Program crash
    PID:2920
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\GCxcrhlcfj\cfgi"
  2⤵
  PID:2896
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2896 -s 180
    3⤵
    - Program crash
    PID:2044
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\GCxcrhlcfj\cfgi"
  2⤵
  PID:1852
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1852 -s 180
    3⤵
    - Program crash
    PID:3468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/800-114-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/3572-120-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/3572-119-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download