caabf77a9917eb9786ec940d2afa72cd24e0f025ecbcf54fdb6923bdc7141c86

General

Target

caabf77a9917eb9786ec940d2afa72cd24e0f025ecbcf54fdb6923bdc7141c86.exe
Size

358KB
MD5

7868ee5930619ca40d669cac645dab96
SHA1

4d0e4fcca9b6a135d9f9d6032e056ce4a1d61489
SHA256

caabf77a9917eb9786ec940d2afa72cd24e0f025ecbcf54fdb6923bdc7141c86
SHA512

4d07f74f1e9d6d888ad73b0e6e7c5ed69d777830801e123b67042bac5deb71b9f12ba8b502d97a9903f9a4353f6a44c58ef139fcb48066de45c8060847a9adb5
SSDEEP

6144:nwTc//////CSBlbCjN+odbVtzEMw81Xs6oqqbY8MaGm3aGW/+dz0C8whYqan8yMh:Oc//////VWNnpvzY60bZqGa7+dz3Zh3n

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1064	GE.EXE
852	08.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a00000001313e-62.dat	upx
behavioral1/files/0x000a00000001313e-61.dat	upx
behavioral1/files/0x000a00000001313e-63.dat	upx
behavioral1/files/0x000a00000001313e-65.dat	upx
behavioral1/memory/852-67-0x0000000000400000-0x0000000000449000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
864	cmd.exe
864	cmd.exe
576	cmd.exe
576	cmd.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1064	GE.EXE
1064	GE.EXE
1064	GE.EXE
1064	GE.EXE
1064	GE.EXE
1064	GE.EXE

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1064	GE.EXE
1064	GE.EXE
1064	GE.EXE
1064	GE.EXE
1064	GE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 864	1504	caabf77a9917eb9786ec940d2afa72cd24e0f025ecbcf54fdb6923bdc7141c86.exe	28
PID 1504 wrote to memory of 864	1504	caabf77a9917eb9786ec940d2afa72cd24e0f025ecbcf54fdb6923bdc7141c86.exe	28
PID 1504 wrote to memory of 864	1504	caabf77a9917eb9786ec940d2afa72cd24e0f025ecbcf54fdb6923bdc7141c86.exe	28
PID 1504 wrote to memory of 864	1504	caabf77a9917eb9786ec940d2afa72cd24e0f025ecbcf54fdb6923bdc7141c86.exe	28
PID 1504 wrote to memory of 576	1504	caabf77a9917eb9786ec940d2afa72cd24e0f025ecbcf54fdb6923bdc7141c86.exe	30
PID 1504 wrote to memory of 576	1504	caabf77a9917eb9786ec940d2afa72cd24e0f025ecbcf54fdb6923bdc7141c86.exe	30
PID 1504 wrote to memory of 576	1504	caabf77a9917eb9786ec940d2afa72cd24e0f025ecbcf54fdb6923bdc7141c86.exe	30
PID 1504 wrote to memory of 576	1504	caabf77a9917eb9786ec940d2afa72cd24e0f025ecbcf54fdb6923bdc7141c86.exe	30
PID 864 wrote to memory of 1064	864	cmd.exe	32
PID 864 wrote to memory of 1064	864	cmd.exe	32
PID 864 wrote to memory of 1064	864	cmd.exe	32
PID 864 wrote to memory of 1064	864	cmd.exe	32
PID 576 wrote to memory of 852	576	cmd.exe	33
PID 576 wrote to memory of 852	576	cmd.exe	33
PID 576 wrote to memory of 852	576	cmd.exe	33
PID 576 wrote to memory of 852	576	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\caabf77a9917eb9786ec940d2afa72cd24e0f025ecbcf54fdb6923bdc7141c86.exe
"C:\Users\Admin\AppData\Local\Temp\caabf77a9917eb9786ec940d2afa72cd24e0f025ecbcf54fdb6923bdc7141c86.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\\GE.EXE"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Users\Admin\AppData\Local\Temp\GE.EXE
    C:\Users\Admin\AppData\Local\Temp\\GE.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\\08.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Users\Admin\AppData\Local\Temp\08.exe
    C:\Users\Admin\AppData\Local\Temp\\08.exe
    3⤵
    - Executes dropped EXE
    PID:852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\08.exe

Filesize
18KB

MD5
f3c1fc246cdd2ad2ad952d1543e03a09

SHA1
44d73ba1ebf48137b7c713d0a037308f9d50dbc1

SHA256
f1e924c07e3029a2bfc7e859d08241c66d9413016a1dd4d5c39e50c544eb9882

SHA512
f75add417228df0542441a1bbec5363eac42983700fc265a774f2d8dc7dbbf085a85215be773d7e327f51d10a785d92807dfe5e02e5059cb781e5480fb696bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\08.exe

Filesize
18KB

MD5
f3c1fc246cdd2ad2ad952d1543e03a09

SHA1
44d73ba1ebf48137b7c713d0a037308f9d50dbc1

SHA256
f1e924c07e3029a2bfc7e859d08241c66d9413016a1dd4d5c39e50c544eb9882

SHA512
f75add417228df0542441a1bbec5363eac42983700fc265a774f2d8dc7dbbf085a85215be773d7e327f51d10a785d92807dfe5e02e5059cb781e5480fb696bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GE.EXE

Filesize
303KB

MD5
7ef96dc45298a52db0d1dc5d2e6e3707

SHA1
3f458c4c366538abc8450cf9fb227a1642c2680d

SHA256
257f4762be6d67f5c97580a676d56fc4bf6cdad221f507a56ee427fd8f36e9a3

SHA512
898054395e70fedcc1df400f3d06d717826a04c3273470433f57f8e5bfaab29e4c84d6eb7833933405d145314998149c8f32771cf0406d5102dab63019b26f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\GE.EXE

Filesize
303KB

MD5
7ef96dc45298a52db0d1dc5d2e6e3707

SHA1
3f458c4c366538abc8450cf9fb227a1642c2680d

SHA256
257f4762be6d67f5c97580a676d56fc4bf6cdad221f507a56ee427fd8f36e9a3

SHA512
898054395e70fedcc1df400f3d06d717826a04c3273470433f57f8e5bfaab29e4c84d6eb7833933405d145314998149c8f32771cf0406d5102dab63019b26f99

Download Submit
\Users\Admin\AppData\Local\Temp\08.exe

Filesize
18KB

MD5
f3c1fc246cdd2ad2ad952d1543e03a09

SHA1
44d73ba1ebf48137b7c713d0a037308f9d50dbc1

SHA256
f1e924c07e3029a2bfc7e859d08241c66d9413016a1dd4d5c39e50c544eb9882

SHA512
f75add417228df0542441a1bbec5363eac42983700fc265a774f2d8dc7dbbf085a85215be773d7e327f51d10a785d92807dfe5e02e5059cb781e5480fb696bb0

Download Submit
\Users\Admin\AppData\Local\Temp\08.exe

Filesize
18KB

MD5
f3c1fc246cdd2ad2ad952d1543e03a09

SHA1
44d73ba1ebf48137b7c713d0a037308f9d50dbc1

SHA256
f1e924c07e3029a2bfc7e859d08241c66d9413016a1dd4d5c39e50c544eb9882

SHA512
f75add417228df0542441a1bbec5363eac42983700fc265a774f2d8dc7dbbf085a85215be773d7e327f51d10a785d92807dfe5e02e5059cb781e5480fb696bb0

Download Submit
\Users\Admin\AppData\Local\Temp\GE.EXE

Filesize
303KB

MD5
7ef96dc45298a52db0d1dc5d2e6e3707

SHA1
3f458c4c366538abc8450cf9fb227a1642c2680d

SHA256
257f4762be6d67f5c97580a676d56fc4bf6cdad221f507a56ee427fd8f36e9a3

SHA512
898054395e70fedcc1df400f3d06d717826a04c3273470433f57f8e5bfaab29e4c84d6eb7833933405d145314998149c8f32771cf0406d5102dab63019b26f99

Download Submit
\Users\Admin\AppData\Local\Temp\GE.EXE

Filesize
303KB

MD5
7ef96dc45298a52db0d1dc5d2e6e3707

SHA1
3f458c4c366538abc8450cf9fb227a1642c2680d

SHA256
257f4762be6d67f5c97580a676d56fc4bf6cdad221f507a56ee427fd8f36e9a3

SHA512
898054395e70fedcc1df400f3d06d717826a04c3273470433f57f8e5bfaab29e4c84d6eb7833933405d145314998149c8f32771cf0406d5102dab63019b26f99

Download Submit
memory/852-67-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1064-66-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing