1c600c4ba397ebb4eea3f3878c0c75d3d46e0e109f84e6b62403d20b7f9e1a06

Analysis

max time kernel
92s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c600c4ba397ebb4eea3f3878c0c75d3d46e0e109f84e6b62403d20b7f9e1a06.exe
Size

106KB
MD5

61dbef74adaaa72089d6c2c4fb116d60
SHA1

a81dc53d9a23221c69785e88ca9716d930321ce9
SHA256

1c600c4ba397ebb4eea3f3878c0c75d3d46e0e109f84e6b62403d20b7f9e1a06
SHA512

da3eb848e4cabd898a15f03345400c48d5ec4ee8665175efc60278098e3d10772a5aee48cec7d13f2612d1b5c8d537faf6a422b961ac111a9ceb43050465106b
SSDEEP

1536:NayvRUVU3NDhANtSedolQT7MSbxNrCZD3o6tlqDygwfpJ5UiTA4MyvW833e1WtUp:keCeFhAb7NrP9ytfpDUGv9HDUi015v

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1396	apocalyps32.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3420-135-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/files/0x0008000000022dc6-137.dat	upx
behavioral2/files/0x0008000000022dc6-138.dat	upx
behavioral2/memory/3420-139-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1396-140-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1396-142-0x0000000040010000-0x000000004004B000-memory.dmp	upx
behavioral2/memory/1396-145-0x0000000000400000-0x0000000000427000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\apocalyps32.exe	1c600c4ba397ebb4eea3f3878c0c75d3d46e0e109f84e6b62403d20b7f9e1a06.exe
File opened for modification	C:\Windows\apocalyps32.exe	1c600c4ba397ebb4eea3f3878c0c75d3d46e0e109f84e6b62403d20b7f9e1a06.exe
File created	C:\Windows\apocalyps32.exe	apocalyps32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 1396	3420	1c600c4ba397ebb4eea3f3878c0c75d3d46e0e109f84e6b62403d20b7f9e1a06.exe	84
PID 3420 wrote to memory of 1396	3420	1c600c4ba397ebb4eea3f3878c0c75d3d46e0e109f84e6b62403d20b7f9e1a06.exe	84
PID 3420 wrote to memory of 1396	3420	1c600c4ba397ebb4eea3f3878c0c75d3d46e0e109f84e6b62403d20b7f9e1a06.exe	84
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85
PID 1396 wrote to memory of 5048	1396	apocalyps32.exe	85

C:\Users\Admin\AppData\Local\Temp\1c600c4ba397ebb4eea3f3878c0c75d3d46e0e109f84e6b62403d20b7f9e1a06.exe
"C:\Users\Admin\AppData\Local\Temp\1c600c4ba397ebb4eea3f3878c0c75d3d46e0e109f84e6b62403d20b7f9e1a06.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Windows\apocalyps32.exe
  -bs
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:5048

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\apocalyps32.exe

Filesize
106KB

MD5
61dbef74adaaa72089d6c2c4fb116d60

SHA1
a81dc53d9a23221c69785e88ca9716d930321ce9

SHA256
1c600c4ba397ebb4eea3f3878c0c75d3d46e0e109f84e6b62403d20b7f9e1a06

SHA512
da3eb848e4cabd898a15f03345400c48d5ec4ee8665175efc60278098e3d10772a5aee48cec7d13f2612d1b5c8d537faf6a422b961ac111a9ceb43050465106b

Download Submit
C:\Windows\apocalyps32.exe

Filesize
106KB

MD5
61dbef74adaaa72089d6c2c4fb116d60

SHA1
a81dc53d9a23221c69785e88ca9716d930321ce9

SHA256
1c600c4ba397ebb4eea3f3878c0c75d3d46e0e109f84e6b62403d20b7f9e1a06

SHA512
da3eb848e4cabd898a15f03345400c48d5ec4ee8665175efc60278098e3d10772a5aee48cec7d13f2612d1b5c8d537faf6a422b961ac111a9ceb43050465106b

Download Submit
memory/1396-140-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1396-142-0x0000000040010000-0x000000004004B000-memory.dmp

Filesize
236KB

Download
memory/1396-145-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3420-135-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3420-139-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download