2205e931fcca292889c4845eb2b0e961fc7b598c276b6abf71bb5cf6c59c1132

Target

8 (21).exe
Size

3.0MB
MD5

bb072cad921aa5ce8b97706ce01bc570
SHA1

18bf034906c1341b7817e7361ad27a4425d820bd
SHA256

817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97
SHA512

d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Score

10^/10

aspackv2 upx

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4328 4276 rUNdlL32.eXe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	4276	rUNdlL32.eXe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS01A58104\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS01A58104\setup_install.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS01A58104\libcurl.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS01A58104\libcurl.dll	aspack_v212_v242

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ipinfo.io
19 ip-api.com
14 ipinfo.io
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3496 4048 WerFault.exe setup_install.exe

flow	ioc
15	ipinfo.io
19	ip-api.com
14	ipinfo.io

pid	pid_target	process	target process
3496	4048	WerFault.exe	setup_install.exe

C:\Users\Admin\AppData\Local\Temp\8 (21).exe
"C:\Users\Admin\AppData\Local\Temp\8 (21).exe"
1⤵
PID:988

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\7zS01A58104\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS01A58104\setup_install.exe"
3⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_5.exe
4⤵
PID:508

C:\Users\Admin\AppData\Local\Temp\7zS01A58104\sonia_5.exe
sonia_5.exe
5⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 532
4⤵
- Program crash
PID:3496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_7.exe
4⤵
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_6.exe
4⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_4.exe
4⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_3.exe
4⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\7zS01A58104\sonia_1.exe
sonia_1.exe
1⤵
PID:352

C:\Users\Admin\AppData\Local\Temp\7zS01A58104\sonia_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS01A58104\sonia_1.exe" -a
2⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\7zS01A58104\sonia_6.exe
sonia_6.exe
1⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\7zS01A58104\sonia_4.exe
sonia_4.exe
1⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\7zS01A58104\sonia_3.exe
sonia_3.exe
1⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\7zS01A58104\sonia_2.exe
sonia_2.exe
1⤵
PID:2080

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
PID:4348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4428

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:4328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS01A58104\setup_install.exe
MD5
a3ca32ebdba2c07c2d386bb31cbd6d51

SHA1
e7841e1f475f922d5264b5ce5d123a1b3927f9e6

SHA256
0ab2a0bdb8e7a72b5eacb1af5325036266987c5d00b13a981c95754a94f55b1b

SHA512
c8abd3a0c8004c11462bf139a873311333cbe6c26046810844199f67d6dd9d7196a7e168261013c50bcb9f24a6bdd37879f617d7aa2089d2a067cb6ca09cbaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A58104\setup_install.exe
MD5
a3ca32ebdba2c07c2d386bb31cbd6d51

SHA1
e7841e1f475f922d5264b5ce5d123a1b3927f9e6

SHA256
0ab2a0bdb8e7a72b5eacb1af5325036266987c5d00b13a981c95754a94f55b1b

SHA512
c8abd3a0c8004c11462bf139a873311333cbe6c26046810844199f67d6dd9d7196a7e168261013c50bcb9f24a6bdd37879f617d7aa2089d2a067cb6ca09cbaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A58104\sonia_1.exe
MD5
fa462c359e051adb045ab3daae96b9bf

SHA1
eb98daab0e5e9dfd46c129f3c3ddc7c3b983e542

SHA256
0caf0ddd249aa1f2982f11f903fd049881b62283c6e06e8d55395cf74ec62867

SHA512
f2ee29fe43edfa873f5345fba72c25a98dc0d1ec51f72fa11bd1b392c4f5ee07daa2d3eab3826da2c806a89716af5f69deb1eadbcdbfa48cfcad39e487726a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A58104\sonia_1.exe
MD5
4c6423f9454cf6494320537f2f72ccd2

SHA1
2375df89d454ea2560595d60a3230e220b3b25e6

SHA256
3850460030ce3506ce3b68f6e0cfbad4afb6a6b432cb199c3545bd1f42460bd4

SHA512
7c0035f8e843a700416b606d3e6cac1032e81c7e7707d512c7ac44a7fbfaf14266b7c22d4e22e333773455ce86c29fe3a673f49ceeb07917e8420226eebecd76

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A58104\sonia_2.exe
MD5
18ffdaa7a2c9906db10ffc13f7c73d23

SHA1
f195661bc0f9735d02fbe0e937bfd80cf0bcb11f

SHA256
365bbeb36a288d829c8dc0f1bf7f70949dd10474586cfc7123c1503256b9e5c3

SHA512
db1f81c5b6cac59d6e58e8ab4020bdef7386fa1aa7297f57f693334b70d3dd553ab844f85f92e9903b667cae19f30f188f84939ac0bba2f5999d5bf89793ea34

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A58104\sonia_2.txt
MD5
18ffdaa7a2c9906db10ffc13f7c73d23

SHA1
f195661bc0f9735d02fbe0e937bfd80cf0bcb11f

SHA256
365bbeb36a288d829c8dc0f1bf7f70949dd10474586cfc7123c1503256b9e5c3

SHA512
db1f81c5b6cac59d6e58e8ab4020bdef7386fa1aa7297f57f693334b70d3dd553ab844f85f92e9903b667cae19f30f188f84939ac0bba2f5999d5bf89793ea34

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A58104\sonia_3.exe
MD5
2d4cc9861d869b08e81401012f5dea00

SHA1
18715c699204c69a3b73a5631081d70faa5fab55

SHA256
1426c758daf05fefcf014b1e6c090a590c4a97984cde44cd878a2f1b91134601

SHA512
9149ffee53486d3dcd56e880ce8e9de6add0e2cd64d68b8d0a03434b8b7c021be067c91161d0020f68c4b4cc5aa0c2e561ad3a350c30d9d5cac0fee58f597be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A58104\sonia_4.exe
MD5
6765fe4e4be8c4daf3763706a58f42d0

SHA1
cebb504bfc3097a95d40016f01123b275c97d58c

SHA256
755a4266245c52bcd0328044c8a0908b2daafbad140cee06830b991493f21f60

SHA512
c6b8d328768040b31aad0441258240ce8e99a80dba028462bd03ad9d5964d4877c296f25a5a2ca59bcafe0ad75297da39352c17f3df1bb79ec091e5ace3b5d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A58104\sonia_5.exe
MD5
1a543482d8181d8c6974f1b58828d1a1

SHA1
794fda5a981e9b633af0827d091fc4c8fac8bc3c

SHA256
f05c956f4d7d8d017f73b7ac7ee20ae52a0a9c5a75982ca3cd0da836ac8d2ca1

SHA512
16e03eb83aa164ed1b31909be7a91addcd6192d8f914c0912767af1eec71b852559f03ac8c75e23e1dae2527121079aaa4ad0239bba5ea9de16404a0e6fd67a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A58104\sonia_5.txt
MD5
3915a3e28a2cea51062025ba4e3f0092

SHA1
ed6671c1042a2bfb4e32ba03fe08ccb439d62156

SHA256
8f0416eaf9d57746bfcf4df2ef06e36c61b4c220e99e9a67e7dc1a06219ce4c7

SHA512
8572bfe7fefb1116a644f162478a8922e23448150f8be48b9b89abf7f7c2322a7656736a6f0f676d0218c81ae5cf8f20d4c2af4b81f99885372c398db59dc19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A58104\sonia_6.exe
MD5
4cc30f0b65e1535a0c4fbc8091c793ea

SHA1
e85ff3ba143060418b862bce9c620c4d3d474273

SHA256
e2341c140053bf06c8afe7e8d878a55a4ee6fa15de64d5b4ba7513b548be6cf1

SHA512
d23acb16e26897215a97d8a01a2ef18c187557981986e83fab805de5a0829b6652229a420af7b489a07ec72abc8d7a63f26302e87b7db1153984ebd129a12d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01A58104\sonia_6.txt
MD5
93875db0a61283a8a8f1ce0b39cf4a56

SHA1
b135025102894bf7b925da5944664c3219741502

SHA256
cc72f73a89d00ac1644bb2de4f0e1f8dcaafb230e1a4048f76926a0342ebd265

SHA512
ef300de1ba1e62dd65bc8bdba5412345e4c0e51f69e44bc2d5a2fa4ef6090ae3272737f8022d5659647d88cb287335091a3848798822025b1a67daec6489ba9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
67429d449202c8a47155de2d3c21f2fb

SHA1
6e404a9b4bd16078758c8275d91b15b61626f67a

SHA256
8aab3af9ad37ba7aeda153feac0bc7d5e2910fb995597e0aaa153b23a6c7f729

SHA512
2cd44839f5fce83f3548b6e9bc7e455ff64915779bb69404a0b9a5e57df5f340230188afca6cd0b39042bf67a0201389ff1a768500f42210313253b2d4dbbf6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
204e2ea0c196dc2f2aa23b213060c613

SHA1
dd6e9aa10a6d7765724d2805868a2b49a96d4f4f

SHA256
8f2c1c9c1c990f1b49a58e679545de40712e0690bb3938527e1b58cdf1cdb96f

SHA512
d4506a7b3f5532da10894e940d8cb86380c07c0faaf5916524c144c0c61d8047ae228e1f02339dca11810ff34afe5a2f5781434612cd237bcb310305b6022d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
41638e01a415150ed5e21d3fc01b31b3

SHA1
9a35e5bcc17f83515ee1a70d38e0ce5df2eb9a2b

SHA256
bc31dc090a7b60cd6164bb434e9b1c7573d417b0ab19aa0d24e2414d42206aed

SHA512
eed8ebf27fba966b25b46e2ee1b4744b860b7781e7aa603cdfec5987a0798ad0d76ace42b4d282757ec9171d48ab54d6adef4626c7e519eeb4781e36b1b2da29

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
9ec643b4dacc6fc0dece1eea84939ac8

SHA1
c584e05fdd04f91997068d84cd7f773b34943adf

SHA256
b3bbd0d5b394b9d08823a341c98bda61e8ce01185eac4ceaca9f1364fb698601

SHA512
765a567d07cc0dfa8e40c29f75257826872d07e45729cc61d15efbe37e492afa7fa1c9978c7df8820d53c3ad551a988cce6594013cd6919b3bc753328485aa2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
fd2e2ace184d3b58c7122a46e96b043c

SHA1
3abf7131a61f8d500a00b0f15cf65c6913855143

SHA256
29f84e28fa9d5c7fadbf675f958fde83cf4a5644c9249a4785b47b37e4a44be8

SHA512
6407a253948431c380c96e5493840bcd1a2ae6b00d4c33c183369fdfbe400b4406b17c18c332ce51fedea52f9341d4a495ba24efad2add0aedd140c730423bb0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS01A58104\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS01A58104\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS01A58104\libstdc++-6.dll
MD5
13489e943dad950efc9aa59301209c73

SHA1
ec2ce83c08329156f1b5836f4f25a82ddf2043c4

SHA256
73649a615fdf4f87321d6599b86bf480e4dd78b78a06b699b335ace4bd9418ab

SHA512
1a6efc7db5b8ed8cd35c0280fc42df07163fc6529e4672d2057e21bc606bd78c5e4f122c70438e93ac1e61bcc347f56010fd05c86743f7ad9aa23452ca23a0f0

Download Submit
\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
6bfd15347f31c706b989602264d386e4

SHA1
772b6bf159f57c070073c8e89ef6d402bee01aef

SHA256
5a214e626b7683858abcffe0011b018c3ef034b62306a6c3d43d371d01f85d1c

SHA512
3fa37bfe94e793dbfcd337ed1e9cc7d3d86e410c3a811bbdccb44175dd9ad1a0b5b5edf181cbe1d5388d00c0843ea8bf347b40570637303b7314b63b1ad35172

Download Submit
\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
204e2ea0c196dc2f2aa23b213060c613

SHA1
dd6e9aa10a6d7765724d2805868a2b49a96d4f4f

SHA256
8f2c1c9c1c990f1b49a58e679545de40712e0690bb3938527e1b58cdf1cdb96f

SHA512
d4506a7b3f5532da10894e940d8cb86380c07c0faaf5916524c144c0c61d8047ae228e1f02339dca11810ff34afe5a2f5781434612cd237bcb310305b6022d5c

Download Submit
memory/352-156-0x0000000000000000-mapping.dmp

Download
memory/508-145-0x0000000000000000-mapping.dmp

Download
memory/1432-154-0x0000000000000000-mapping.dmp

Download
memory/1656-155-0x0000000000000000-mapping.dmp

Download
memory/2080-149-0x0000000000000000-mapping.dmp

Download
memory/2084-146-0x0000000000000000-mapping.dmp

Download
memory/2152-143-0x0000000000000000-mapping.dmp

Download
memory/2220-163-0x0000000000000000-mapping.dmp

Download
memory/2232-147-0x0000000000000000-mapping.dmp

Download
memory/2576-114-0x0000000000000000-mapping.dmp

Download
memory/2880-166-0x0000000002F00000-0x0000000002F02000-memory.dmp

Filesize
8KB

Download
memory/2880-162-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/2880-158-0x0000000000000000-mapping.dmp

Download
memory/3152-142-0x0000000000000000-mapping.dmp

Download
memory/4044-144-0x0000000000000000-mapping.dmp

Download
memory/4048-134-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4048-150-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4048-152-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4048-131-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4048-117-0x0000000000000000-mapping.dmp

Download
memory/4048-148-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4048-151-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4088-141-0x0000000000000000-mapping.dmp

Download
memory/4136-167-0x0000000000000000-mapping.dmp

Download
memory/4220-169-0x0000000000000000-mapping.dmp

Download
memory/4348-174-0x0000000000000000-mapping.dmp

Download
memory/4428-180-0x00007FF756E24060-mapping.dmp

Download