a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3

General

Target

a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe
Size

1.8MB
MD5

02f813c6b622223a466d802718ff6cbc
SHA1

734d0bb7aa3a3a0dc2361b8e030050b30f2c4679
SHA256

a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3
SHA512

c6078cccb314792e281d3edddf6b6fdffe29d95491d139113bff07e2534d0a3ac953a0c418c59b495c2c304e640d1c707f686c857f68b077dda3cb81a8ad837d
SSDEEP

24576:zMb5VwldaJxVkUDIUVUubQwE2qr2dHlz8M3PcFikGQp0MIzSgMs2SF1P:z45immUDIUVUucwE3KzbHQp0WtSF

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
528	nz92.exe
4656	WinHvqf32.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1532-132-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1532-134-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1532-135-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1532-137-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1532-136-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1532-139-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1532-141-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1532-143-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1532-145-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1532-147-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1532-149-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1532-151-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1532-153-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1532-155-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1532-157-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1532-159-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1532-161-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1532-163-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1532-165-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1532-167-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1532-169-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1532-171-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1532-173-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1532-175-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/1532-177-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinHvqf32.exe	nz92.exe
File opened for modification	C:\Windows\SysWOW64\WinHvqf32.exe	nz92.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\nz92.exe	a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	528	nz92.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1532	a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe
1532	a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe
1532	a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe
1532	a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe
1532	a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 528	1532	a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe	83
PID 1532 wrote to memory of 528	1532	a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe	83
PID 1532 wrote to memory of 528	1532	a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe	83
PID 528 wrote to memory of 4656	528	nz92.exe	84
PID 528 wrote to memory of 4656	528	nz92.exe	84
PID 528 wrote to memory of 4656	528	nz92.exe	84

C:\Users\Admin\AppData\Local\Temp\a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe
"C:\Users\Admin\AppData\Local\Temp\a7bd0f79fceac4f399e071400776b7d33909831f1ee3955b12f6ef48198f92b3.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1532
- C:\WINDOWS\nz92.exe
  C:\WINDOWS\nz92.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\SysWOW64\WinHvqf32.exe
    "C:\Windows\system32\WinHvqf32.exe"
    3⤵
    - Executes dropped EXE
    PID:4656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\nz92.exe

Filesize
17KB

MD5
c7677623e4429d99e90ce71e90813c9d

SHA1
98498570715bd76735a08377a1cbf008780a3065

SHA256
68039b861f8426e90d1c2ce0bb21c922e7aeaecf5d8b90ce0c47d1ba61199267

SHA512
f40d8897822978bcd8e956fcad0f49f634a222b1998e4c5857f5ffc2afdda25c34e8e14fdf0c5f9aaa5e2009ce7bc8c7ccb62175c0641014acae4d4125f67b8f

Download Submit
C:\Windows\SysWOW64\WinHvqf32.exe

Filesize
17KB

MD5
c7677623e4429d99e90ce71e90813c9d

SHA1
98498570715bd76735a08377a1cbf008780a3065

SHA256
68039b861f8426e90d1c2ce0bb21c922e7aeaecf5d8b90ce0c47d1ba61199267

SHA512
f40d8897822978bcd8e956fcad0f49f634a222b1998e4c5857f5ffc2afdda25c34e8e14fdf0c5f9aaa5e2009ce7bc8c7ccb62175c0641014acae4d4125f67b8f

Download Submit
C:\Windows\SysWOW64\WinHvqf32.exe

Filesize
17KB

MD5
c7677623e4429d99e90ce71e90813c9d

SHA1
98498570715bd76735a08377a1cbf008780a3065

SHA256
68039b861f8426e90d1c2ce0bb21c922e7aeaecf5d8b90ce0c47d1ba61199267

SHA512
f40d8897822978bcd8e956fcad0f49f634a222b1998e4c5857f5ffc2afdda25c34e8e14fdf0c5f9aaa5e2009ce7bc8c7ccb62175c0641014acae4d4125f67b8f

Download Submit
C:\Windows\nz92.exe

Filesize
17KB

MD5
c7677623e4429d99e90ce71e90813c9d

SHA1
98498570715bd76735a08377a1cbf008780a3065

SHA256
68039b861f8426e90d1c2ce0bb21c922e7aeaecf5d8b90ce0c47d1ba61199267

SHA512
f40d8897822978bcd8e956fcad0f49f634a222b1998e4c5857f5ffc2afdda25c34e8e14fdf0c5f9aaa5e2009ce7bc8c7ccb62175c0641014acae4d4125f67b8f

Download Submit
memory/1532-157-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1532-165-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1532-143-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1532-145-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1532-147-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1532-149-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1532-151-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1532-153-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1532-155-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1532-132-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1532-159-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1532-161-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1532-163-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1532-141-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1532-167-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1532-169-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1532-171-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1532-173-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1532-175-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1532-177-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1532-139-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1532-136-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1532-137-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1532-134-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1532-135-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing