7c5104b02b6219c881597474a5f7a8bfa7b5703122c81b30e39c0fe3fc7cb4f3

General

Target

7c5104b02b6219c881597474a5f7a8bfa7b5703122c81b30e39c0fe3fc7cb4f3.exe
Size

290KB
MD5

02dfa867589ff38a79833fd0052e2688
SHA1

0aa783b147efc26026f3ca6ca23f28ae6197b45b
SHA256

7c5104b02b6219c881597474a5f7a8bfa7b5703122c81b30e39c0fe3fc7cb4f3
SHA512

7c05d70f4b6dbedf38d862562bc900d908893ec49b2ce2f804f90441bec137e48cfee301e797652b330c5ee1bc3e55af9b501c93576eb4ea0e5def70624e2db9
SSDEEP

6144:GuHDS0RiAOI0GOAus4UYB8ODg5NtP+AVqR7v7iFUhvRapQS0:ZHDSSiATyTUYBSNrIJjcUh86x

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3184	rejoice45.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1064-132-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/files/0x000c000000022f53-134.dat	upx
behavioral2/files/0x000c000000022f53-135.dat	upx
behavioral2/memory/5068-137-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/3184-138-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/1064-140-0x0000000000400000-0x00000000004C0000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_rejoice45.exe	rejoice45.exe
File opened for modification	C:\Windows\SysWOW64\_rejoice45.exe	rejoice45.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3184 set thread context of 5068	3184	rejoice45.exe	80

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice45.exe	7c5104b02b6219c881597474a5f7a8bfa7b5703122c81b30e39c0fe3fc7cb4f3.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice45.exe	7c5104b02b6219c881597474a5f7a8bfa7b5703122c81b30e39c0fe3fc7cb4f3.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat	7c5104b02b6219c881597474a5f7a8bfa7b5703122c81b30e39c0fe3fc7cb4f3.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5020	5068	WerFault.exe	80

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 3184	1064	7c5104b02b6219c881597474a5f7a8bfa7b5703122c81b30e39c0fe3fc7cb4f3.exe	79
PID 1064 wrote to memory of 3184	1064	7c5104b02b6219c881597474a5f7a8bfa7b5703122c81b30e39c0fe3fc7cb4f3.exe	79
PID 1064 wrote to memory of 3184	1064	7c5104b02b6219c881597474a5f7a8bfa7b5703122c81b30e39c0fe3fc7cb4f3.exe	79
PID 3184 wrote to memory of 5068	3184	rejoice45.exe	80
PID 3184 wrote to memory of 5068	3184	rejoice45.exe	80
PID 3184 wrote to memory of 5068	3184	rejoice45.exe	80
PID 3184 wrote to memory of 5068	3184	rejoice45.exe	80
PID 3184 wrote to memory of 5068	3184	rejoice45.exe	80
PID 3184 wrote to memory of 4996	3184	rejoice45.exe	82
PID 3184 wrote to memory of 4996	3184	rejoice45.exe	82
PID 1064 wrote to memory of 5032	1064	7c5104b02b6219c881597474a5f7a8bfa7b5703122c81b30e39c0fe3fc7cb4f3.exe	84
PID 1064 wrote to memory of 5032	1064	7c5104b02b6219c881597474a5f7a8bfa7b5703122c81b30e39c0fe3fc7cb4f3.exe	84
PID 1064 wrote to memory of 5032	1064	7c5104b02b6219c881597474a5f7a8bfa7b5703122c81b30e39c0fe3fc7cb4f3.exe	84

C:\Users\Admin\AppData\Local\Temp\7c5104b02b6219c881597474a5f7a8bfa7b5703122c81b30e39c0fe3fc7cb4f3.exe
"C:\Users\Admin\AppData\Local\Temp\7c5104b02b6219c881597474a5f7a8bfa7b5703122c81b30e39c0fe3fc7cb4f3.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice45.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice45.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:5068
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 12
      4⤵
      Program crash
      PID:5020
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:4996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""
  2⤵
  PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5068 -ip 5068
1⤵
PID:4556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat

Filesize
248B

MD5
30173a598957d04fee9152e7ae4984de

SHA1
c01f31d0a97a976f5fa6372ede2d7b8db5bf3f6b

SHA256
64ae7a11ff608ccd8216d69a130e95c0b65915fe6e3582a525fb4f1949b6dc2f

SHA512
42f62f81aa82c2e3ddf9e9700bb03e6baadec6efc0911c25d43e2bcfe2f454a50b69cefd9f40c9d08ad049dd27445f3a3d7997fc4a647210921e8481871af2aa

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice45.exe

Filesize
290KB

MD5
02dfa867589ff38a79833fd0052e2688

SHA1
0aa783b147efc26026f3ca6ca23f28ae6197b45b

SHA256
7c5104b02b6219c881597474a5f7a8bfa7b5703122c81b30e39c0fe3fc7cb4f3

SHA512
7c05d70f4b6dbedf38d862562bc900d908893ec49b2ce2f804f90441bec137e48cfee301e797652b330c5ee1bc3e55af9b501c93576eb4ea0e5def70624e2db9

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\rejoice45.exe

Filesize
290KB

MD5
02dfa867589ff38a79833fd0052e2688

SHA1
0aa783b147efc26026f3ca6ca23f28ae6197b45b

SHA256
7c5104b02b6219c881597474a5f7a8bfa7b5703122c81b30e39c0fe3fc7cb4f3

SHA512
7c05d70f4b6dbedf38d862562bc900d908893ec49b2ce2f804f90441bec137e48cfee301e797652b330c5ee1bc3e55af9b501c93576eb4ea0e5def70624e2db9

Download Submit
memory/1064-132-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1064-140-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3184-138-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/5068-137-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download

Analysis

Sharing