48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbb

General

Target

48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbb.exe
Size

2.0MB
MD5

0add0ec36c9d8afe9d376903dbcf66c0
SHA1

4e84bccb8d43ba5dc9c8d634e96a5a7095dde48d
SHA256

48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbb
SHA512

30c6f008de53a624ecf09933f75271c868b09bcab2c74c9d14c2c23fa1b80367d63f62ec340358dc5a56e3e2436e39d379c53fd46557245d82da749cc35e470b
SSDEEP

24576:BcrYuZqBOgoz2kCxfAuI4LxpStYFBIFkjvqqADqMhNyLhSbpS76TdHBtXf9Nt+iV:Bcp5CPAr4V3jvAQ9SbpS76TnZ1V1Dz28

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
964	48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbbmgr.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000054a8-57.dat	upx
behavioral1/files/0x000c0000000054a8-55.dat	upx
behavioral1/files/0x000c0000000054a8-54.dat	upx
behavioral1/memory/964-61-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/964-62-0x0000000000400000-0x000000000045C000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1488	48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbb.exe
1488	48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbb.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
964	48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbbmgr.exe
964	48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbbmgr.exe
964	48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbbmgr.exe
964	48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbbmgr.exe
964	48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbbmgr.exe
964	48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbbmgr.exe
964	48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbbmgr.exe
964	48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbbmgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	964	48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbbmgr.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 964	1488	48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbb.exe	22
PID 1488 wrote to memory of 964	1488	48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbb.exe	22
PID 1488 wrote to memory of 964	1488	48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbb.exe	22
PID 1488 wrote to memory of 964	1488	48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbb.exe	22
PID 964 wrote to memory of 980	964	48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbbmgr.exe	20
PID 964 wrote to memory of 980	964	48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbbmgr.exe	20
PID 964 wrote to memory of 980	964	48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbbmgr.exe	20
PID 964 wrote to memory of 980	964	48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbbmgr.exe	20
PID 964 wrote to memory of 940	964	48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbbmgr.exe	21
PID 964 wrote to memory of 940	964	48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbbmgr.exe	21
PID 964 wrote to memory of 940	964	48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbbmgr.exe	21
PID 964 wrote to memory of 940	964	48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbbmgr.exe	21

C:\Users\Admin\AppData\Local\Temp\48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbb.exe
"C:\Users\Admin\AppData\Local\Temp\48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbbmgr.exe
  C:\Users\Admin\AppData\Local\Temp\48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbbmgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:964

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:980
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:980 CREDAT:275457 /prefetch:2
  2⤵
  PID:1372

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:940
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:940 CREDAT:275457 /prefetch:2
  2⤵
  PID:1860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4EA057D1-571B-11ED-9551-6E705F4A26E5}.dat

Filesize
3KB

MD5
c182c83aef2b5d0d221e3e54a8b39e63

SHA1
15108b80dd5c813308cf865ddb073a60a18c8bd4

SHA256
1c60f829be9b3e1bd151a7583508187d7fc29b1b2e4292de54922c1a7e6d83f3

SHA512
50d6e28e9b4685f99e8079ba608a866567a9e3d4569ddaf1368433725f5fac57255cb69b0ce5ece62f5c79a5911e76bc905cc20b8f78877ecddd7df7a25aeaff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4EA07EE1-571B-11ED-9551-6E705F4A26E5}.dat

Filesize
3KB

MD5
4e909b0411a403af150a1331a3a76ab7

SHA1
6706c380cf938c4e205d4cf1b82e26a4ca639cde

SHA256
07c3c3e10bb928eaa4dc878732b6ad721fcb445d5053b8749b5786b272ed4568

SHA512
5a176a535df3353c58c09c7f5b32e2f118313039c43b447141d637716cdcb8b58fe4608665a42f1d0b26c41be8de61ed595a8e61d659aaefe82a37a6cae0ea6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbbmgr.exe

Filesize
82KB

MD5
eaec93d80a3e9e84ad749f961462ba77

SHA1
f9c54da01498ce70f2bca48d2a7d852c05d9cb65

SHA256
b560d1adbe2a686dc38fe3d344753e51717a6dd2e76eaf62e621fd3432606e04

SHA512
7b563f641ea213571bf14cc99e312a4d33eee3bfbc0881b3d858643c3cc17c10a51884a8502cc61cb8240b0be76b19e08520653c7c5c0b7c13e874125083bb65

Download Submit
\Users\Admin\AppData\Local\Temp\48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbbmgr.exe

Filesize
76KB

MD5
e98f5428364bc9587dd5b4f7f48a3a94

SHA1
ff499536180ccfe2a349c0ac301522c754c5cef5

SHA256
b16be32fb2219b7c9825fd047ec9a711cb950f6bd436414b39e99223b79acbb7

SHA512
02335e29186dfad6b4907aeb1717ff6dc7a453f642ac72b1ffcbfb043b479be06ad9387f38271ffc269dcae9cfe3ba13c4af40df036728d4e4ad72e9744f3c00

Download Submit
\Users\Admin\AppData\Local\Temp\48743744280b16c9ba2b420395cdaa3a0904b21c5b21980e4dcff9c0486f5bbbmgr.exe

Filesize
34KB

MD5
203c93ed7ba9bc8feabe35fe19044c04

SHA1
807639e5f21b39b5eec962a44b3567fd9c8fabd4

SHA256
021eeff3ff8659f9b633568deac4f90a9cc23dd68ae4686dfa64249badbaf934

SHA512
fc75e602b25605b4c2cb54817204faf2cf031e317c3c692b6897d5343b55e6d58252c3761c8c705b2575cdeb9c1e46c1f362c7956edb916376853f4d49216c64

Download Submit
memory/964-61-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/964-62-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1488-60-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing