4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b

General

Target

4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
Size

318KB
MD5

80c07287a6f6176a47679c0e5ae76a0a
SHA1

a0a6f97c62845ca6675300f13542dd6d2d1adabd
SHA256

4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b
SHA512

cfd83d7eb90be2cef5d148c612efab674f04550126d073570ae4552d43c08c9687dcf421c3ef9506eef2b6c0a49320ece15240706875137f147094c4f9e73363
SSDEEP

6144:6G5BipkVg/mOQjjRQt/5BD6ZqRqmNN5tV8FJcFyt:N/Ha4jjRQB/8sEe

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1976-54-0x0000000001000000-0x0000000001078000-memory.dmp	upx
behavioral1/memory/1976-58-0x0000000001000000-0x0000000001078000-memory.dmp	upx

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
File created	\??\c:\windows\SysWOW64\dllhost.vir	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
File created	\??\c:\windows\SysWOW64\svchost.vir	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A3371A60-04B2-4052-9103-9D664F911647}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A3371A60-04B2-4052-9103-9D664F911647}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1976	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1976	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
1976	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
1976	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1536	1976	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe	27
PID 1976 wrote to memory of 1536	1976	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe	27
PID 1976 wrote to memory of 1536	1976	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe	27
PID 1976 wrote to memory of 1536	1976	4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe	27

C:\Users\Admin\AppData\Local\Temp\4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe
"C:\Users\Admin\AppData\Local\Temp\4e50133e3304d1a1c0c1610887a1bd5abb8c3147d51aa742ad7604352d86c48b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1536

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Drops file in Windows directory
PID:1692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1536-57-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download
memory/1976-54-0x0000000001000000-0x0000000001078000-memory.dmp

Filesize
480KB

Download
memory/1976-55-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1976-58-0x0000000001000000-0x0000000001078000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing