31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22

General

Target

31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe
Size

944KB
MD5

f5612f5b7080c3022867b23879accedd
SHA1

3569670f114f296e93e455c4607899183444de71
SHA256

31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22
SHA512

b7683f872d400bd2291956c447a4dc33b5c9cd8001e036518da976cef3caec4732adbf3f1acfb965e183396cd88280471aa8039ccff04585848aade8038293d8
SSDEEP

12288:XpkrMtjvLdJxSEdQTQyj+DaUoFFGSmADH/61TSK9y7FDqS5DvJkD564S67EkVIPP:aYLD0zK6FF1D/0vmDqAL28UQyVblm

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe

pid process

1892 31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe

pid	process
1892	31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1892-57-0x0000000000400000-0x000000000063E000-memory.dmp	upx
behavioral1/memory/1892-59-0x0000000000400000-0x000000000063E000-memory.dmp	upx
behavioral1/memory/1892-60-0x0000000000400000-0x000000000063E000-memory.dmp	upx
behavioral1/memory/1892-64-0x0000000000400000-0x000000000063E000-memory.dmp	upx
behavioral1/memory/1892-66-0x0000000000400000-0x000000000063E000-memory.dmp	upx
behavioral1/memory/1892-67-0x0000000000400000-0x000000000063E000-memory.dmp	upx
behavioral1/memory/1892-68-0x0000000000400000-0x000000000063E000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe

pid process

1608 31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe

description	pid	process	target process
PID 1608 set thread context of 1892	1608	31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe	31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe

pid	process
1608	31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe
1608	31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe

description	pid	process	target process
PID 1608 wrote to memory of 1892	1608	31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe	31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe
PID 1608 wrote to memory of 1892	1608	31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe	31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe
PID 1608 wrote to memory of 1892	1608	31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe	31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe
PID 1608 wrote to memory of 1892	1608	31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe	31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe
PID 1608 wrote to memory of 1892	1608	31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe	31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe
PID 1608 wrote to memory of 1892	1608	31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe	31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe
PID 1608 wrote to memory of 1892	1608	31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe	31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe
PID 1608 wrote to memory of 1892	1608	31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe	31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe

C:\Users\Admin\AppData\Local\Temp\31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe
"C:\Users\Admin\AppData\Local\Temp\31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe
C:\Users\Admin\AppData\Local\Temp\31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe
2⤵
- Executes dropped EXE
PID:1892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe

Filesize
944KB

MD5
f5612f5b7080c3022867b23879accedd

SHA1
3569670f114f296e93e455c4607899183444de71

SHA256
31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22

SHA512
b7683f872d400bd2291956c447a4dc33b5c9cd8001e036518da976cef3caec4732adbf3f1acfb965e183396cd88280471aa8039ccff04585848aade8038293d8

Download Submit
\Users\Admin\AppData\Local\Temp\31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22.exe

Filesize
944KB

MD5
f5612f5b7080c3022867b23879accedd

SHA1
3569670f114f296e93e455c4607899183444de71

SHA256
31cfd8ff4874c5057124d764638e5cb46c16531ee48d9258363afd32a3916b22

SHA512
b7683f872d400bd2291956c447a4dc33b5c9cd8001e036518da976cef3caec4732adbf3f1acfb965e183396cd88280471aa8039ccff04585848aade8038293d8

Download Submit
memory/1608-63-0x00000000001E0000-0x00000000001E4000-memory.dmp

Filesize
16KB

Download
memory/1608-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1892-57-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1892-60-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1892-61-0x000000000063C190-mapping.dmp

Download
memory/1892-64-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1892-59-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1892-56-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1892-66-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1892-67-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download
memory/1892-68-0x0000000000400000-0x000000000063E000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads