ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea

General

Target

ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe
Size

1.5MB
MD5

fd78708910a9b4dea60ac2bda5cf52d2
SHA1

17b2f6a68917fd55cdd9ddc532df9f18d3d93d83
SHA256

ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea
SHA512

71f92d4e5c50c88a5a3e7ec065991ea6d19cbd51e88efe1239dfd6463e372c22cbfbdf7d164006dc9eb358b5565e71b8d1603c2543e650bb940e3ecc3fa1c9ee
SSDEEP

49152:rcM0tiI9zlTsA8uzTbbyVD7eVcPfdXHMq:wLii6AV/6VD79lHMq

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1620-76-0x0000000000400000-0x000000000063E000-memory.dmp	upx
behavioral1/memory/1620-77-0x0000000000400000-0x000000000063E000-memory.dmp	upx
behavioral1/memory/1620-78-0x0000000000400000-0x000000000063E000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1620	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1140 set thread context of 1620	1140	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1140	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1140	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 1136	1140	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe	29
PID 1140 wrote to memory of 1136	1140	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe	29
PID 1140 wrote to memory of 1136	1140	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe	29
PID 1140 wrote to memory of 1136	1140	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe	29
PID 1140 wrote to memory of 1804	1140	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe	28
PID 1140 wrote to memory of 1804	1140	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe	28
PID 1140 wrote to memory of 1804	1140	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe	28
PID 1140 wrote to memory of 1804	1140	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe	28
PID 1140 wrote to memory of 1620	1140	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe	27
PID 1140 wrote to memory of 1620	1140	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe	27
PID 1140 wrote to memory of 1620	1140	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe	27
PID 1140 wrote to memory of 1620	1140	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe	27
PID 1140 wrote to memory of 1620	1140	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe	27
PID 1140 wrote to memory of 1620	1140	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe	27
PID 1140 wrote to memory of 1620	1140	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe	27
PID 1140 wrote to memory of 1620	1140	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe	27
PID 1140 wrote to memory of 1620	1140	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe	27
PID 1140 wrote to memory of 1620	1140	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe	27
PID 1140 wrote to memory of 1620	1140	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe	27
PID 1140 wrote to memory of 1620	1140	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe	27
PID 1140 wrote to memory of 1620	1140	ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe	27

C:\Users\Admin\AppData\Local\Temp\ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe
"C:\Users\Admin\AppData\Local\Temp\ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Users\Admin\AppData\Local\Temp\ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe
  C:\Users\Admin\AppData\Local\Temp\ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1620
- C:\Users\Admin\AppData\Local\Temp\ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe
  C:\Users\Admin\AppData\Local\Temp\ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe
  2⤵
  PID:1804
- C:\Users\Admin\AppData\Local\Temp\ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe
  C:\Users\Admin\AppData\Local\Temp\ef66b18f33f616b3b48c27e1911e833d5b847a4ae16d3a7dd119622e522a8aea.exe
  2⤵
  PID:1136

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1140-70-0x00000000002D0000-0x00000000002D4000-memory.dmp

Filesize
16KB

Download
memory/1140-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1620-66-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1620-64-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1620-72-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1620-62-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1620-68-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1620-58-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1620-65-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1620-60-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1620-57-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1620-55-0x00000000001B0000-0x00000000002AA000-memory.dmp

Filesize
1000KB

Download
memory/1620-73-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1620-75-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1620-76-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1620-77-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1620-78-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing