b2ef8465be0b7cc5eae1a91a794efd72e8cc6e45574ae05b226e81d1c1b0faa6

General

Target

newbithere20054rfds.exe
Size

300.0MB
MD5

9edb373bba31ed74e5635c8ba1ccbc24
SHA1

7826110d94ad641b3cbed3eaa1c4e1ab5e329e26
SHA256

cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235
SHA512

90c56b8545767b8b3b3292ebc71d4683b6ff0c2e0fc1135159357707bfb462878c8044eced0f6138e7771d3db3c6e8a1b363d7663fd3e5e50f46254f22ee54e4
SSDEEP

24576:KQWUrKeG3ggoqRwkqbQsH50RPoE+G3ttsP2V4MM9obzQLAmLGAs4DyAunLw+6aI9:K2KtBCR3qP+JeO+/m6yDL9aITLUp

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

pojhg.exe

pid process

4752 pojhg.exe

pid	process
4752	pojhg.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4412-140-0x00000000005C0000-0x00000000009A4000-memory.dmp	upx
behavioral2/memory/4412-141-0x00000000005C0000-0x00000000009A4000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

newbithere20054rfds.exe

description pid process target process

PID 2468 set thread context of 4412 2468 newbithere20054rfds.exe RegAsm.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1540 4412 WerFault.exe RegAsm.exe
2500 4412 WerFault.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1784 schtasks.exe

description	pid	process	target process
PID 2468 set thread context of 4412	2468	newbithere20054rfds.exe	RegAsm.exe

pid	pid_target	process	target process
1540	4412	WerFault.exe	RegAsm.exe
2500	4412	WerFault.exe	RegAsm.exe

pid	process
1784	schtasks.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

newbithere20054rfds.execmd.exe

description	pid	process	target process
PID 2468 wrote to memory of 3556	2468	newbithere20054rfds.exe	cmd.exe
PID 2468 wrote to memory of 3556	2468	newbithere20054rfds.exe	cmd.exe
PID 2468 wrote to memory of 3556	2468	newbithere20054rfds.exe	cmd.exe
PID 3556 wrote to memory of 1784	3556	cmd.exe	schtasks.exe
PID 3556 wrote to memory of 1784	3556	cmd.exe	schtasks.exe
PID 3556 wrote to memory of 1784	3556	cmd.exe	schtasks.exe
PID 2468 wrote to memory of 1988	2468	newbithere20054rfds.exe	cmd.exe
PID 2468 wrote to memory of 1988	2468	newbithere20054rfds.exe	cmd.exe
PID 2468 wrote to memory of 1988	2468	newbithere20054rfds.exe	cmd.exe
PID 2468 wrote to memory of 4412	2468	newbithere20054rfds.exe	RegAsm.exe
PID 2468 wrote to memory of 4412	2468	newbithere20054rfds.exe	RegAsm.exe
PID 2468 wrote to memory of 4412	2468	newbithere20054rfds.exe	RegAsm.exe
PID 2468 wrote to memory of 4412	2468	newbithere20054rfds.exe	RegAsm.exe
PID 2468 wrote to memory of 4412	2468	newbithere20054rfds.exe	RegAsm.exe
PID 2468 wrote to memory of 4412	2468	newbithere20054rfds.exe	RegAsm.exe
PID 2468 wrote to memory of 4412	2468	newbithere20054rfds.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\newbithere20054rfds.exe
"C:\Users\Admin\AppData\Local\Temp\newbithere20054rfds.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\pojhg.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\pojhg.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1784

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\newbithere20054rfds.exe" "C:\Users\Admin\AppData\Roaming\pojhg.exe"
2⤵
PID:1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 536
3⤵
- Program crash
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 540
3⤵
- Program crash
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4412 -ip 4412
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4412 -ip 4412
1⤵
PID:1524

C:\Users\Admin\AppData\Roaming\pojhg.exe
C:\Users\Admin\AppData\Roaming\pojhg.exe
1⤵
- Executes dropped EXE
PID:4752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\pojhg.exe
Filesize
289.9MB

MD5
369c133b2eda280b590ddd287bea9cc2

SHA1
2721a9498c556cf1a2fcecf0b5cade2a63f13cd6

SHA256
678b9591094140ba2017f2d4a7632f62b1cee76c0b0e85145f110db2a7464b42

SHA512
348f4f49249bfb96f2d4afd444e705c958d8fcc180f9fe4d6e439d35c697f4eeb4739a99f91fb734cc37fd2e9d334d538826b8d77b14b3b64b426a766d96288d

Download Submit
C:\Users\Admin\AppData\Roaming\pojhg.exe
Filesize
288.9MB

MD5
e8c48f407d70ba246ff818fd3320ef06

SHA1
f06488416b12a83eac6608ea89a2ddb9992efb39

SHA256
a06900bc010e4eccb237bcf6ccc2753e28bb9230ff61a96a6675b188d62f509c

SHA512
3d782002dd111bec0e0212d967e5129cdd4e820a40e0c03549f45533a7eb3d8d3866c7dd553554f8d9dcc4b3f49993175f6ad17a39297130cc960c8cd0f6ff85

Download Submit
memory/1784-135-0x0000000000000000-mapping.dmp

Download
memory/1988-137-0x0000000000000000-mapping.dmp

Download
memory/2468-132-0x0000000000320000-0x00000000004B2000-memory.dmp

Filesize
1.6MB

Download
memory/2468-133-0x0000000004DD0000-0x0000000004E36000-memory.dmp

Filesize
408KB

Download
memory/2468-136-0x00000000057B0000-0x0000000005D54000-memory.dmp

Filesize
5.6MB

Download
memory/3556-134-0x0000000000000000-mapping.dmp

Download
memory/4412-138-0x0000000000000000-mapping.dmp

Download
memory/4412-140-0x00000000005C0000-0x00000000009A4000-memory.dmp

Filesize
3.9MB

Download
memory/4412-141-0x00000000005C0000-0x00000000009A4000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads