a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce

General

Target

a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce.exe
Size

104KB
MD5

912e33f92ee801299dd61db5c0348843
SHA1

f73ed7e4ddb6ea8384ff783d7d8cd6b82df2a235
SHA256

a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce
SHA512

d042700e557bc7395d32e7f5a84e9063654dd074e1110e983d37874a0f7ed0ec32506536595a4e6911f8ab313e1ffeff6c4258aa5c6d9e98ea5f14118959a41f
SSDEEP

768:Zjh8ixd0BzVqYmf4FUZeNZQEtR1vidJS2lbw7cdwsZCPiROd:Zjh8iQBzVqYT+ZeNZlR1vwH5ZU

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1304-66-0x00000000029C0000-0x00000000029CC000-memory.dmp	upx
behavioral1/memory/1168-67-0x0000000000400000-0x000000000041A200-memory.dmp	upx
behavioral1/memory/1640-72-0x0000000000080000-0x000000000008C000-memory.dmp	upx

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wwwrfd32.exe	a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wwwrfd32.exe	a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce.exe

Loads dropped DLL 6 IoCs

pid	Process
1168	a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce.exe
1168	a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce.exe
1168	a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce.exe
1640	svchost.exe
1640	svchost.exe
1640	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1168	a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce.exe
1168	a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce.exe
1168	a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce.exe
1168	a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1168	a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1168	a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1168	a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 1640	1168	a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce.exe	27
PID 1168 wrote to memory of 1640	1168	a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce.exe	27
PID 1168 wrote to memory of 1640	1168	a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce.exe	27
PID 1168 wrote to memory of 1640	1168	a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce.exe	27
PID 1168 wrote to memory of 1304	1168	a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce.exe	16
PID 1168 wrote to memory of 1304	1168	a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce.exe	16
PID 1168 wrote to memory of 1304	1168	a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce.exe	16
PID 1168 wrote to memory of 1304	1168	a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce.exe	16

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1304
- C:\Users\Admin\AppData\Local\Temp\a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce.exe
  "C:\Users\Admin\AppData\Local\Temp\a3b580a326f0426b583035dbd2b607272e75c28b327b1eb59acab7f8f662d1ce.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious behavior: RenamesItself
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    - Loads dropped DLL
    PID:1640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\~TM742.tmp

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\~TM7C0.tmp

Filesize
1.1MB

MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
\Users\Admin\AppData\Local\Temp\~TM84D.tmp

Filesize
202KB

MD5
7ff15a4f092cd4a96055ba69f903e3e9

SHA1
a3d338a38c2b92f95129814973f59446668402a8

SHA256
1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627

SHA512
4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae

Download Submit
\Users\Admin\AppData\Local\Temp\~TM8F7.tmp

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\~TM917.tmp

Filesize
1.1MB

MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
\Users\Admin\AppData\Local\Temp\~TM928.tmp

Filesize
202KB

MD5
7ff15a4f092cd4a96055ba69f903e3e9

SHA1
a3d338a38c2b92f95129814973f59446668402a8

SHA256
1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627

SHA512
4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae

Download Submit
memory/1168-54-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/1168-70-0x0000000077550000-0x00000000776D0000-memory.dmp

Filesize
1.5MB

Download
memory/1168-67-0x0000000000400000-0x000000000041A200-memory.dmp

Filesize
104KB

Download
memory/1304-59-0x00000000029C0000-0x00000000029CC000-memory.dmp

Filesize
48KB

Download
memory/1304-66-0x00000000029C0000-0x00000000029CC000-memory.dmp

Filesize
48KB

Download
memory/1304-65-0x00000000029C0000-0x00000000029CC000-memory.dmp

Filesize
48KB

Download
memory/1304-64-0x00000000029C0000-0x00000000029CC000-memory.dmp

Filesize
48KB

Download
memory/1304-62-0x00000000029C0000-0x00000000029CC000-memory.dmp

Filesize
48KB

Download
memory/1640-72-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download
memory/1640-73-0x0000000077550000-0x00000000776D0000-memory.dmp

Filesize
1.5MB

Download
memory/1640-74-0x0000000077550000-0x00000000776D0000-memory.dmp

Filesize
1.5MB

Download
memory/1640-75-0x0000000077550000-0x00000000776D0000-memory.dmp

Filesize
1.5MB

Download
memory/1640-76-0x0000000077550000-0x00000000776D0000-memory.dmp

Filesize
1.5MB

Download
memory/1640-77-0x0000000077550000-0x00000000776D0000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing