21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578

General

Target

21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe
Size

1.7MB
MD5

65ddbe9b2581fb5acdfb40a27478ce59
SHA1

7c00e3d480ab839d1e7b51de4f31f08759ad7201
SHA256

21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578
SHA512

074c87912dedd24522b70ee8f32024613b97e7b5399ba5e6d1b7c0892f2918c3b956bdd5b4d556d195796b528de152d8cf47ae5f8ef45af169996808bfc29115
SSDEEP

49152:eTvt1GjeX+xaFTx+IJPPpU4XOulXn8djKj:eT7zOaaqPpv8d2

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4652	OneDrive.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/628-133-0x0000000000B00000-0x000000000114F000-memory.dmp	upx
behavioral2/memory/628-145-0x0000000000B00000-0x000000000114F000-memory.dmp	upx
behavioral2/memory/628-147-0x0000000000B00000-0x000000000114F000-memory.dmp	upx
behavioral2/files/0x0006000000022e27-148.dat	upx
behavioral2/files/0x0006000000022e27-149.dat	upx
behavioral2/memory/4652-150-0x0000000000BB0000-0x00000000011FF000-memory.dmp	upx
behavioral2/memory/4652-163-0x0000000000BB0000-0x00000000011FF000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 628 set thread context of 488	628	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	92
PID 4652 set thread context of 4872	4652	OneDrive.exe	97

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
632	schtasks.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 632	628	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	85
PID 628 wrote to memory of 632	628	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	85
PID 628 wrote to memory of 488	628	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	92
PID 628 wrote to memory of 488	628	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	92
PID 628 wrote to memory of 488	628	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	92
PID 628 wrote to memory of 488	628	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	92
PID 628 wrote to memory of 488	628	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	92
PID 628 wrote to memory of 488	628	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	92
PID 628 wrote to memory of 488	628	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	92
PID 628 wrote to memory of 488	628	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	92
PID 628 wrote to memory of 488	628	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	92
PID 628 wrote to memory of 488	628	21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe	92
PID 4652 wrote to memory of 4872	4652	OneDrive.exe	97
PID 4652 wrote to memory of 4872	4652	OneDrive.exe	97
PID 4652 wrote to memory of 4872	4652	OneDrive.exe	97
PID 4652 wrote to memory of 4872	4652	OneDrive.exe	97
PID 4652 wrote to memory of 4872	4652	OneDrive.exe	97
PID 4652 wrote to memory of 4872	4652	OneDrive.exe	97
PID 4652 wrote to memory of 4872	4652	OneDrive.exe	97
PID 4652 wrote to memory of 4872	4652	OneDrive.exe	97
PID 4652 wrote to memory of 4872	4652	OneDrive.exe	97
PID 4652 wrote to memory of 4872	4652	OneDrive.exe	97

C:\Users\Admin\AppData\Local\Temp\21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe
"C:\Users\Admin\AppData\Local\Temp\21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\system32\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn OneDrive /rl HIGHEST /tr C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
  2⤵
  - Creates scheduled task(s)
  PID:632
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe YmMxcTVjZHZ1N3RlN2xmaDBkOWR4ZndoYTdmNXBzaHl2ZnB0NXVhaGVkLDQ0RHM4ZmJDM0hXUUNjd1FvdGdyTkRVV25tRGl4cFFQRzdZTGg1aDJyelNNUXJ4Q1JYZVNqUXZIOExSUE5HU3lxdlhjS2VFazN1bVo3VDJ3ekZBZ292RjE1VWNrQnhnLDB4MDNlQmFCNjg0ZDNmYjI0QmVERmMzMWREYTRGNTVjQzAyMkU1NzEwMSxYbURTUU1tVjV2eGo4Y3U4eFNraFVjZldmRndtc0FZdDNpLHIzeUExd2VvUlc1THdNY0xoelBvdG1xU3huMjRFNzZXdWgsRFNSRDd6WEtOVXJZZmtpUERTdTFYRFdyZ2dkRTlTTGNRVyxMVVE5SmVHMkpOOUQ1VHRLdnlQRFZ6cWpTUjV4V0h4a3VRLFRQc0xGMmVUVHExMTJVS2Vvb0xWNHFBZzN0b3lDNWg2VE0sR0FZSjZOVkxKM1ZZRVRGVU5JNkxBRDVFREVQRTVEUFhaV1dRUEZWNFlIRkdIU0YzNkc0TENSUE4sQVZENjlIZHF1WEJ1RWpma0FEV0JDcXM1bmVWQ2VXQjMxZyxxcHQ5bXNqaDN0N3VjOTJwbmx3a3NtOWRkbjJrcWhtNmc1ZjQzbWUyZHAsYWRkcjFxeWYyc244dWF6N2o0NDB2ZXM5NmFkZHB1ZWFtOGY5cjlndTh2NDVsc2p4bGw3cWo0cHgwZTY5YTl0MjdlbnF0NDY2NnJlbm1rd2oyeDIzY3dldGZscHlkbGx1cWtwOWszbix0MVNrUzJrS0dvSnRqcHFhUGVWQlltc2JHcXMyR1ZkMWRzbSxHUEpkSk5GS0RORjFKcnZORG5tUXRqNHA1cVJpNWRmWmo1LDEyaEc4S2V3VmtoS1JIZUhmWVFlZEpMSHViWWliTGNBa1h1bjc1ckY0Yld5OVJrUA==
  2⤵
  PID:488

C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe YmMxcTVjZHZ1N3RlN2xmaDBkOWR4ZndoYTdmNXBzaHl2ZnB0NXVhaGVkLDQ0RHM4ZmJDM0hXUUNjd1FvdGdyTkRVV25tRGl4cFFQRzdZTGg1aDJyelNNUXJ4Q1JYZVNqUXZIOExSUE5HU3lxdlhjS2VFazN1bVo3VDJ3ekZBZ292RjE1VWNrQnhnLDB4MDNlQmFCNjg0ZDNmYjI0QmVERmMzMWREYTRGNTVjQzAyMkU1NzEwMSxYbURTUU1tVjV2eGo4Y3U4eFNraFVjZldmRndtc0FZdDNpLHIzeUExd2VvUlc1THdNY0xoelBvdG1xU3huMjRFNzZXdWgsRFNSRDd6WEtOVXJZZmtpUERTdTFYRFdyZ2dkRTlTTGNRVyxMVVE5SmVHMkpOOUQ1VHRLdnlQRFZ6cWpTUjV4V0h4a3VRLFRQc0xGMmVUVHExMTJVS2Vvb0xWNHFBZzN0b3lDNWg2VE0sR0FZSjZOVkxKM1ZZRVRGVU5JNkxBRDVFREVQRTVEUFhaV1dRUEZWNFlIRkdIU0YzNkc0TENSUE4sQVZENjlIZHF1WEJ1RWpma0FEV0JDcXM1bmVWQ2VXQjMxZyxxcHQ5bXNqaDN0N3VjOTJwbmx3a3NtOWRkbjJrcWhtNmc1ZjQzbWUyZHAsYWRkcjFxeWYyc244dWF6N2o0NDB2ZXM5NmFkZHB1ZWFtOGY5cjlndTh2NDVsc2p4bGw3cWo0cHgwZTY5YTl0MjdlbnF0NDY2NnJlbm1rd2oyeDIzY3dldGZscHlkbGx1cWtwOWszbix0MVNrUzJrS0dvSnRqcHFhUGVWQlltc2JHcXMyR1ZkMWRzbSxHUEpkSk5GS0RORjFKcnZORG5tUXRqNHA1cVJpNWRmWmo1LDEyaEc4S2V3VmtoS1JIZUhmWVFlZEpMSHViWWliTGNBa1h1bjc1ckY0Yld5OVJrUA==
  2⤵
  PID:4872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

Filesize
1.7MB

MD5
65ddbe9b2581fb5acdfb40a27478ce59

SHA1
7c00e3d480ab839d1e7b51de4f31f08759ad7201

SHA256
21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578

SHA512
074c87912dedd24522b70ee8f32024613b97e7b5399ba5e6d1b7c0892f2918c3b956bdd5b4d556d195796b528de152d8cf47ae5f8ef45af169996808bfc29115

Download Submit
C:\Users\Admin\AppData\Local\OneDrive\OneDrive.exe

Filesize
1.7MB

MD5
65ddbe9b2581fb5acdfb40a27478ce59

SHA1
7c00e3d480ab839d1e7b51de4f31f08759ad7201

SHA256
21e72be7f818e2afd4d53ee8f16c7e4a4718a95dd75b90d83fa26181e426f578

SHA512
074c87912dedd24522b70ee8f32024613b97e7b5399ba5e6d1b7c0892f2918c3b956bdd5b4d556d195796b528de152d8cf47ae5f8ef45af169996808bfc29115

Download Submit
memory/488-140-0x00007FF691B50000-0x00007FF691CEF000-memory.dmp

Filesize
1.6MB

Download
memory/488-146-0x00007FF691B50000-0x00007FF691CEF000-memory.dmp

Filesize
1.6MB

Download
memory/488-134-0x00007FF691B50000-0x00007FF691CEF000-memory.dmp

Filesize
1.6MB

Download
memory/628-145-0x0000000000B00000-0x000000000114F000-memory.dmp

Filesize
6.3MB

Download
memory/628-147-0x0000000000B00000-0x000000000114F000-memory.dmp

Filesize
6.3MB

Download
memory/628-133-0x0000000000B00000-0x000000000114F000-memory.dmp

Filesize
6.3MB

Download
memory/4652-150-0x0000000000BB0000-0x00000000011FF000-memory.dmp

Filesize
6.3MB

Download
memory/4652-163-0x0000000000BB0000-0x00000000011FF000-memory.dmp

Filesize
6.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads