4748b94802d984b33b2fb85bf3b270825eb3eb021f7132d8ccdeca86863e95cd

General

Target

In012657AK.exe
Size

300.0MB
MD5

29845e4bb10cc5b292296e9ad7fb2796
SHA1

4ca80f348bf73f40da9d99861b9aeb721e4cffbd
SHA256

4748b94802d984b33b2fb85bf3b270825eb3eb021f7132d8ccdeca86863e95cd
SHA512

20d03122283459182ac5b74aa36b9cbd7af3a95d9e1695fd60ac8863f9ce2cbac3c1c09224711ed00370febd05d678acb7ad5907b71c56835cbc7fb95f803fb1
SSDEEP

24576:d5rVm/hz8mGTYKHvQoy17AmBr3xQctbOy8wqhzUujv+pPgJ6aIlGb4+Thid0YFB5:d52J6HYoyFA0rhQdm6+Hl7qk0Yl4mgS

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

4204 svchost.exe
396 svchost.exe
4940 svchost.exe

pid	process
4204	svchost.exe
396	svchost.exe
4940	svchost.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/208-138-0x00000000007C0000-0x0000000000BA4000-memory.dmp	upx
behavioral2/memory/208-139-0x00000000007C0000-0x0000000000BA4000-memory.dmp	upx
behavioral2/memory/748-145-0x0000000000770000-0x0000000000B54000-memory.dmp	upx
behavioral2/memory/748-146-0x0000000000770000-0x0000000000B54000-memory.dmp	upx

Suspicious use of SetThreadContext 3 IoCs

Processes:

In012657AK.exesvchost.exesvchost.exe

description	pid	process	target process
PID 3984 set thread context of 208	3984	In012657AK.exe	RegAsm.exe
PID 4204 set thread context of 748	4204	svchost.exe	RegAsm.exe
PID 396 set thread context of 3796	396	svchost.exe	RegAsm.exe

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2768	208	WerFault.exe	RegAsm.exe
3516	208	WerFault.exe	RegAsm.exe
3636	748	WerFault.exe	RegAsm.exe
1420	748	WerFault.exe	RegAsm.exe
384	3796	WerFault.exe	RegAsm.exe
5068	3796	WerFault.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

5116 schtasks.exe
3508 schtasks.exe
1660 schtasks.exe

pid	process
5116	schtasks.exe
3508	schtasks.exe
1660	schtasks.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

In012657AK.execmd.exesvchost.execmd.exesvchost.execmd.exe

description	pid	process	target process
PID 3984 wrote to memory of 208	3984	In012657AK.exe	RegAsm.exe
PID 3984 wrote to memory of 208	3984	In012657AK.exe	RegAsm.exe
PID 3984 wrote to memory of 208	3984	In012657AK.exe	RegAsm.exe
PID 3984 wrote to memory of 208	3984	In012657AK.exe	RegAsm.exe
PID 3984 wrote to memory of 208	3984	In012657AK.exe	RegAsm.exe
PID 3984 wrote to memory of 208	3984	In012657AK.exe	RegAsm.exe
PID 3984 wrote to memory of 208	3984	In012657AK.exe	RegAsm.exe
PID 3984 wrote to memory of 4228	3984	In012657AK.exe	cmd.exe
PID 3984 wrote to memory of 4228	3984	In012657AK.exe	cmd.exe
PID 3984 wrote to memory of 4228	3984	In012657AK.exe	cmd.exe
PID 3984 wrote to memory of 2092	3984	In012657AK.exe	cmd.exe
PID 3984 wrote to memory of 2092	3984	In012657AK.exe	cmd.exe
PID 3984 wrote to memory of 2092	3984	In012657AK.exe	cmd.exe
PID 3984 wrote to memory of 1048	3984	In012657AK.exe	cmd.exe
PID 3984 wrote to memory of 1048	3984	In012657AK.exe	cmd.exe
PID 3984 wrote to memory of 1048	3984	In012657AK.exe	cmd.exe
PID 2092 wrote to memory of 1660	2092	cmd.exe	schtasks.exe
PID 2092 wrote to memory of 1660	2092	cmd.exe	schtasks.exe
PID 2092 wrote to memory of 1660	2092	cmd.exe	schtasks.exe
PID 4204 wrote to memory of 748	4204	svchost.exe	RegAsm.exe
PID 4204 wrote to memory of 748	4204	svchost.exe	RegAsm.exe
PID 4204 wrote to memory of 748	4204	svchost.exe	RegAsm.exe
PID 4204 wrote to memory of 748	4204	svchost.exe	RegAsm.exe
PID 4204 wrote to memory of 748	4204	svchost.exe	RegAsm.exe
PID 4204 wrote to memory of 748	4204	svchost.exe	RegAsm.exe
PID 4204 wrote to memory of 748	4204	svchost.exe	RegAsm.exe
PID 4204 wrote to memory of 2580	4204	svchost.exe	cmd.exe
PID 4204 wrote to memory of 2580	4204	svchost.exe	cmd.exe
PID 4204 wrote to memory of 2580	4204	svchost.exe	cmd.exe
PID 4204 wrote to memory of 4236	4204	svchost.exe	cmd.exe
PID 4204 wrote to memory of 4236	4204	svchost.exe	cmd.exe
PID 4204 wrote to memory of 4236	4204	svchost.exe	cmd.exe
PID 4204 wrote to memory of 4616	4204	svchost.exe	cmd.exe
PID 4204 wrote to memory of 4616	4204	svchost.exe	cmd.exe
PID 4204 wrote to memory of 4616	4204	svchost.exe	cmd.exe
PID 4236 wrote to memory of 5116	4236	cmd.exe	schtasks.exe
PID 4236 wrote to memory of 5116	4236	cmd.exe	schtasks.exe
PID 4236 wrote to memory of 5116	4236	cmd.exe	schtasks.exe
PID 396 wrote to memory of 3796	396	svchost.exe	RegAsm.exe
PID 396 wrote to memory of 3796	396	svchost.exe	RegAsm.exe
PID 396 wrote to memory of 3796	396	svchost.exe	RegAsm.exe
PID 396 wrote to memory of 3796	396	svchost.exe	RegAsm.exe
PID 396 wrote to memory of 3796	396	svchost.exe	RegAsm.exe
PID 396 wrote to memory of 3796	396	svchost.exe	RegAsm.exe
PID 396 wrote to memory of 3796	396	svchost.exe	RegAsm.exe
PID 396 wrote to memory of 1744	396	svchost.exe	cmd.exe
PID 396 wrote to memory of 1744	396	svchost.exe	cmd.exe
PID 396 wrote to memory of 1744	396	svchost.exe	cmd.exe
PID 396 wrote to memory of 4244	396	svchost.exe	cmd.exe
PID 396 wrote to memory of 4244	396	svchost.exe	cmd.exe
PID 396 wrote to memory of 4244	396	svchost.exe	cmd.exe
PID 396 wrote to memory of 2632	396	svchost.exe	cmd.exe
PID 396 wrote to memory of 2632	396	svchost.exe	cmd.exe
PID 396 wrote to memory of 2632	396	svchost.exe	cmd.exe
PID 4244 wrote to memory of 3508	4244	cmd.exe	schtasks.exe
PID 4244 wrote to memory of 3508	4244	cmd.exe	schtasks.exe
PID 4244 wrote to memory of 3508	4244	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\In012657AK.exe
"C:\Users\Admin\AppData\Local\Temp\In012657AK.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 536
3⤵
- Program crash
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 540
3⤵
- Program crash
PID:3516

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
2⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1660

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\In012657AK.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 208 -ip 208
1⤵
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 208 -ip 208
1⤵
PID:3120

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 536
3⤵
- Program crash
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 540
3⤵
- Program crash
PID:1420

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
2⤵
PID:2580

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:4616

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 748 -ip 748
1⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 748 -ip 748
1⤵
PID:1552

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 536
3⤵
- Program crash
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 540
3⤵
- Program crash
PID:5068

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
2⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3508

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3796 -ip 3796
1⤵
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3796 -ip 3796
1⤵
PID:1556

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
PID:4940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
300.0MB

MD5
29845e4bb10cc5b292296e9ad7fb2796

SHA1
4ca80f348bf73f40da9d99861b9aeb721e4cffbd

SHA256
4748b94802d984b33b2fb85bf3b270825eb3eb021f7132d8ccdeca86863e95cd

SHA512
20d03122283459182ac5b74aa36b9cbd7af3a95d9e1695fd60ac8863f9ce2cbac3c1c09224711ed00370febd05d678acb7ad5907b71c56835cbc7fb95f803fb1

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
300.0MB

MD5
29845e4bb10cc5b292296e9ad7fb2796

SHA1
4ca80f348bf73f40da9d99861b9aeb721e4cffbd

SHA256
4748b94802d984b33b2fb85bf3b270825eb3eb021f7132d8ccdeca86863e95cd

SHA512
20d03122283459182ac5b74aa36b9cbd7af3a95d9e1695fd60ac8863f9ce2cbac3c1c09224711ed00370febd05d678acb7ad5907b71c56835cbc7fb95f803fb1

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
300.0MB

MD5
29845e4bb10cc5b292296e9ad7fb2796

SHA1
4ca80f348bf73f40da9d99861b9aeb721e4cffbd

SHA256
4748b94802d984b33b2fb85bf3b270825eb3eb021f7132d8ccdeca86863e95cd

SHA512
20d03122283459182ac5b74aa36b9cbd7af3a95d9e1695fd60ac8863f9ce2cbac3c1c09224711ed00370febd05d678acb7ad5907b71c56835cbc7fb95f803fb1

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
36.1MB

MD5
0b787f316edd52c9996c226f77d1c201

SHA1
4100b29e939aeb029b0c1d78352c799f62f13434

SHA256
b8f765a50f64daf20ce0a157d8a475e7d6a970d70ff08b4c2dba914d854032db

SHA512
ca8a19e163448826f2299f2c412009e47afe524f705e09f266228338292cf041bd44030a144f10c2abf0da8a2a495b80cad637b47aea45f3ba93e77ddbde4ef7

Download Submit
memory/208-139-0x00000000007C0000-0x0000000000BA4000-memory.dmp

Filesize
3.9MB

Download
memory/208-133-0x0000000000000000-mapping.dmp

Download
memory/208-138-0x00000000007C0000-0x0000000000BA4000-memory.dmp

Filesize
3.9MB

Download
memory/748-145-0x0000000000770000-0x0000000000B54000-memory.dmp

Filesize
3.9MB

Download
memory/748-146-0x0000000000770000-0x0000000000B54000-memory.dmp

Filesize
3.9MB

Download
memory/748-143-0x0000000000000000-mapping.dmp

Download
memory/1048-137-0x0000000000000000-mapping.dmp

Download
memory/1660-140-0x0000000000000000-mapping.dmp

Download
memory/1744-157-0x0000000000000000-mapping.dmp

Download
memory/2092-136-0x0000000000000000-mapping.dmp

Download
memory/2580-147-0x0000000000000000-mapping.dmp

Download
memory/2632-159-0x0000000000000000-mapping.dmp

Download
memory/3508-160-0x0000000000000000-mapping.dmp

Download
memory/3796-153-0x0000000000000000-mapping.dmp

Download
memory/3984-132-0x00000000002A0000-0x0000000000454000-memory.dmp

Filesize
1.7MB

Download
memory/4228-135-0x0000000000000000-mapping.dmp

Download
memory/4236-148-0x0000000000000000-mapping.dmp

Download
memory/4244-158-0x0000000000000000-mapping.dmp

Download
memory/4616-149-0x0000000000000000-mapping.dmp

Download
memory/5116-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads