38fa60d3a26f3a8f0105968a2128097c4d7ccc9de8d74ccd21bfe121f69c68d7

Analysis

max time kernel
25s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38fa60d3a26f3a8f0105968a2128097c4d7ccc9de8d74ccd21bfe121f69c68d7.exe
Size

362KB
MD5

65c55c564549220650581d920aa40630
SHA1

a28f4f07c503809f2b1dd3891633106a07c83709
SHA256

38fa60d3a26f3a8f0105968a2128097c4d7ccc9de8d74ccd21bfe121f69c68d7
SHA512

f9f4f4d340300ea5fe688b4b0e715d06ae6aee35e404f8e8978dd2ae61373415133f5cd0c51682de72c8c8d62e3c2f3d64e927f7788c43e359d73c6c9012d9b0
SSDEEP

6144:pDCh45Zb2WW6dY0Jrj7qhpCIDiuXwOTNx5ezuZk+S+BtE:XbysdY82hpHASn58EXlBK

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2036	apocalyps32.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1952-55-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/files/0x000e0000000054a8-58.dat	upx
behavioral1/memory/1952-57-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/files/0x000e0000000054a8-60.dat	upx
behavioral1/memory/2036-61-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2036-63-0x0000000040010000-0x000000004004B000-memory.dmp	upx
behavioral1/memory/2036-66-0x0000000000400000-0x0000000000427000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\apocalyps32.exe	38fa60d3a26f3a8f0105968a2128097c4d7ccc9de8d74ccd21bfe121f69c68d7.exe
File opened for modification	C:\Windows\apocalyps32.exe	38fa60d3a26f3a8f0105968a2128097c4d7ccc9de8d74ccd21bfe121f69c68d7.exe
File created	C:\Windows\apocalyps32.exe	apocalyps32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2036	1952	38fa60d3a26f3a8f0105968a2128097c4d7ccc9de8d74ccd21bfe121f69c68d7.exe	28
PID 1952 wrote to memory of 2036	1952	38fa60d3a26f3a8f0105968a2128097c4d7ccc9de8d74ccd21bfe121f69c68d7.exe	28
PID 1952 wrote to memory of 2036	1952	38fa60d3a26f3a8f0105968a2128097c4d7ccc9de8d74ccd21bfe121f69c68d7.exe	28
PID 1952 wrote to memory of 2036	1952	38fa60d3a26f3a8f0105968a2128097c4d7ccc9de8d74ccd21bfe121f69c68d7.exe	28
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29
PID 2036 wrote to memory of 2012	2036	apocalyps32.exe	29

C:\Users\Admin\AppData\Local\Temp\38fa60d3a26f3a8f0105968a2128097c4d7ccc9de8d74ccd21bfe121f69c68d7.exe
"C:\Users\Admin\AppData\Local\Temp\38fa60d3a26f3a8f0105968a2128097c4d7ccc9de8d74ccd21bfe121f69c68d7.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\apocalyps32.exe
  -bs
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\apocalyps32.exe

Filesize
362KB

MD5
65c55c564549220650581d920aa40630

SHA1
a28f4f07c503809f2b1dd3891633106a07c83709

SHA256
38fa60d3a26f3a8f0105968a2128097c4d7ccc9de8d74ccd21bfe121f69c68d7

SHA512
f9f4f4d340300ea5fe688b4b0e715d06ae6aee35e404f8e8978dd2ae61373415133f5cd0c51682de72c8c8d62e3c2f3d64e927f7788c43e359d73c6c9012d9b0

Download Submit
C:\Windows\apocalyps32.exe

Filesize
362KB

MD5
65c55c564549220650581d920aa40630

SHA1
a28f4f07c503809f2b1dd3891633106a07c83709

SHA256
38fa60d3a26f3a8f0105968a2128097c4d7ccc9de8d74ccd21bfe121f69c68d7

SHA512
f9f4f4d340300ea5fe688b4b0e715d06ae6aee35e404f8e8978dd2ae61373415133f5cd0c51682de72c8c8d62e3c2f3d64e927f7788c43e359d73c6c9012d9b0

Download Submit
memory/1952-54-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1952-55-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1952-57-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2036-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2036-63-0x0000000040010000-0x000000004004B000-memory.dmp

Filesize
236KB

Download
memory/2036-66-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download