efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1

Analysis

max time kernel
149s
max time network
196s
platform
windows7_x64
resource
win7-en-20210920
submitted
21-10-2021 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe
Size

10.1MB
MD5

a65903fca5089fb8959cd9ea6c96da3b
SHA1

0937bbe1199fdca67cad8836e0b3b109aead8fb6
SHA256

efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1
SHA512

5522fed40404d9eebadf550daaa7461c49bd0f95e397cf4c6564d993306877259bd32c2ee1ee234a2e5210ee52bbc0aea8248c2f1556e77b321ebd93348f9dcd

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1660	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
1696	winhlp.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001265d-62.dat	upx
behavioral1/files/0x000500000001265d-64.dat	upx
behavioral1/files/0x000500000001265d-93.dat	upx

Loads dropped DLL 6 IoCs

pid	Process
1112	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe
1660	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
1696	winhlp.exe
1696	winhlp.exe
1696	winhlp.exe
1696	winhlp.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\winhlp.job	notepad.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1696	winhlp.exe
1524	dllhost.exe
1524	dllhost.exe
1524	dllhost.exe
1524	dllhost.exe
1524	dllhost.exe
1524	dllhost.exe
1524	dllhost.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
1524	dllhost.exe
1524	dllhost.exe
1524	dllhost.exe
1524	dllhost.exe
1524	dllhost.exe
1524	dllhost.exe
1524	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1660	1112	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe	27
PID 1112 wrote to memory of 1660	1112	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe	27
PID 1112 wrote to memory of 1660	1112	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe	27
PID 1112 wrote to memory of 1660	1112	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe	27
PID 1112 wrote to memory of 1660	1112	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe	27
PID 1112 wrote to memory of 1660	1112	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe	27
PID 1112 wrote to memory of 1660	1112	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe	27
PID 1660 wrote to memory of 1696	1660	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp	28
PID 1660 wrote to memory of 1696	1660	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp	28
PID 1660 wrote to memory of 1696	1660	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp	28
PID 1660 wrote to memory of 1696	1660	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp	28
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1696 wrote to memory of 1524	1696	winhlp.exe	29
PID 1524 wrote to memory of 1640	1524	dllhost.exe	31
PID 1524 wrote to memory of 1640	1524	dllhost.exe	31
PID 1524 wrote to memory of 1640	1524	dllhost.exe	31
PID 1524 wrote to memory of 1640	1524	dllhost.exe	31
PID 1524 wrote to memory of 1640	1524	dllhost.exe	31
PID 1524 wrote to memory of 1640	1524	dllhost.exe	31
PID 1524 wrote to memory of 1640	1524	dllhost.exe	31
PID 1524 wrote to memory of 1640	1524	dllhost.exe	31
PID 1524 wrote to memory of 1640	1524	dllhost.exe	31
PID 1524 wrote to memory of 1640	1524	dllhost.exe	31
PID 1524 wrote to memory of 1640	1524	dllhost.exe	31
PID 1524 wrote to memory of 1640	1524	dllhost.exe	31
PID 1524 wrote to memory of 1640	1524	dllhost.exe	31
PID 1524 wrote to memory of 1640	1524	dllhost.exe	31
PID 1524 wrote to memory of 1648	1524	dllhost.exe	32
PID 1524 wrote to memory of 1648	1524	dllhost.exe	32
PID 1524 wrote to memory of 1648	1524	dllhost.exe	32
PID 1524 wrote to memory of 1648	1524	dllhost.exe	32
PID 1524 wrote to memory of 1648	1524	dllhost.exe	32

C:\Users\Admin\AppData\Local\Temp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe
"C:\Users\Admin\AppData\Local\Temp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\is-T352E.tmp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-T352E.tmp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp" /SL5="$40118,9529176,831488,C:\Users\Admin\AppData\Local\Temp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Users\Admin\AppData\Roaming\winhlp.exe
    "C:\Users\Admin\AppData\Roaming\winhlp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\SysWOW64\dllhost.exe
      "C:\Windows\system32\dllhost.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1524
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:1640
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:1648
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:1172
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:1052
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:2044
    - - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        5⤵
        
        PID:1944
    - - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        5⤵
        Drops file in Windows directory
        
        PID:1460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1112-53-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1112-60-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1460-86-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1460-87-0x0000000076E90000-0x0000000077039000-memory.dmp

Filesize
1.7MB

Download
memory/1524-76-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/1524-77-0x0000000002060000-0x0000000002095000-memory.dmp

Filesize
212KB

Download
memory/1524-78-0x0000000076E90000-0x0000000077039000-memory.dmp

Filesize
1.7MB

Download
memory/1660-61-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download