c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd

Analysis

max time kernel
36s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Size

127KB
MD5

d1dfbe80d81eba051f9cef1de620f5cc
SHA1

7a2d29bf6dfa3c917cd458dedc7c1a874fcd21cf
SHA256

c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd
SHA512

6031930042bd971613d7b464835d00e4477f06d060c269add38afce6c6d8f5beb6dad6c18d3f938d3c88404871d015e3e9467841a57feb017fa65eb664c4d653
SSDEEP

3072:RjIvDjdc1aLfUUPDxgXRMmvsX8zg8e65Z5ebRDZD52wH/AUx:REPdLDUUrxmM8s846v5ebRDtl/Rx

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2040	apocalyps32.exe
1324	apocalyps32.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1028-55-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/1028-58-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/1028-60-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/1028-64-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/1028-65-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/1028-68-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/1324-87-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/1324-84-0x0000000040010000-0x000000004004B000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1712 set thread context of 1028	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe	27
PID 2040 set thread context of 1324	2040	apocalyps32.exe	29

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\apocalyps32.exe	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
File opened for modification	C:\Windows\apocalyps32.exe	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
File created	C:\Windows\apocalyps32.exe	apocalyps32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: 33	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
Token: SeIncBasePriorityPrivilege	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1028	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe	27
PID 1712 wrote to memory of 1028	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe	27
PID 1712 wrote to memory of 1028	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe	27
PID 1712 wrote to memory of 1028	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe	27
PID 1712 wrote to memory of 1028	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe	27
PID 1712 wrote to memory of 1028	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe	27
PID 1712 wrote to memory of 1028	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe	27
PID 1712 wrote to memory of 1028	1712	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe	27
PID 1028 wrote to memory of 2040	1028	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe	28
PID 1028 wrote to memory of 2040	1028	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe	28
PID 1028 wrote to memory of 2040	1028	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe	28
PID 1028 wrote to memory of 2040	1028	c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe	28
PID 2040 wrote to memory of 1324	2040	apocalyps32.exe	29
PID 2040 wrote to memory of 1324	2040	apocalyps32.exe	29
PID 2040 wrote to memory of 1324	2040	apocalyps32.exe	29
PID 2040 wrote to memory of 1324	2040	apocalyps32.exe	29
PID 2040 wrote to memory of 1324	2040	apocalyps32.exe	29
PID 2040 wrote to memory of 1324	2040	apocalyps32.exe	29
PID 2040 wrote to memory of 1324	2040	apocalyps32.exe	29
PID 2040 wrote to memory of 1324	2040	apocalyps32.exe	29
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30
PID 1324 wrote to memory of 908	1324	apocalyps32.exe	30

C:\Users\Admin\AppData\Local\Temp\c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
"C:\Users\Admin\AppData\Local\Temp\c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
  C:\Users\Admin\AppData\Local\Temp\c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd.exe
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\apocalyps32.exe
    -bs
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\apocalyps32.exe
      C:\Windows\apocalyps32.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:1324
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:908

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\apocalyps32.exe

Filesize
127KB

MD5
d1dfbe80d81eba051f9cef1de620f5cc

SHA1
7a2d29bf6dfa3c917cd458dedc7c1a874fcd21cf

SHA256
c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd

SHA512
6031930042bd971613d7b464835d00e4477f06d060c269add38afce6c6d8f5beb6dad6c18d3f938d3c88404871d015e3e9467841a57feb017fa65eb664c4d653

Download Submit
C:\Windows\apocalyps32.exe

Filesize
127KB

MD5
d1dfbe80d81eba051f9cef1de620f5cc

SHA1
7a2d29bf6dfa3c917cd458dedc7c1a874fcd21cf

SHA256
c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd

SHA512
6031930042bd971613d7b464835d00e4477f06d060c269add38afce6c6d8f5beb6dad6c18d3f938d3c88404871d015e3e9467841a57feb017fa65eb664c4d653

Download Submit
C:\Windows\apocalyps32.exe

Filesize
127KB

MD5
d1dfbe80d81eba051f9cef1de620f5cc

SHA1
7a2d29bf6dfa3c917cd458dedc7c1a874fcd21cf

SHA256
c1835d5a6c4348f351658e269b22e3e960ea3d8f856688319022b26856ae01cd

SHA512
6031930042bd971613d7b464835d00e4477f06d060c269add38afce6c6d8f5beb6dad6c18d3f938d3c88404871d015e3e9467841a57feb017fa65eb664c4d653

Download Submit
memory/1028-54-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1028-64-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1028-63-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1028-65-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1028-68-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1028-60-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1028-58-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1028-55-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1324-87-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1324-84-0x0000000040010000-0x000000004004B000-memory.dmp

Filesize
236KB

Download