5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704

General

Target

5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Size

178KB
MD5

5a771635647f93c7491bd824ad007230
SHA1

5585f67f559d236b37e4a638693d30d166c97abd
SHA256

5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704
SHA512

c64ada4216f789c025adea828351f6b39afe1a46a6209f8775b73605b462beb841e791a9305148bc9d7268fae3996a77a6a596e44ccf675678cb2a9f0bd33fbe
SSDEEP

3072:pz+PxHXJYrdeBxMclE6wFp8osXEw6IIX3I038c+nyEkeIY2TPbum9Nlov6e:pz+pqwBOcu92o38czvPbPQvZ

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\TXP1atform.exe	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
File created	C:\Windows\SysWOW64\drivers\TXP1atform.exe	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe

Executes dropped EXE 2 IoCs

Processes:

TXP1atform.exe5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe

pid process

1132 TXP1atform.exe
2844 5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe

pid	process
1132	TXP1atform.exe
2844	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1964-132-0x0000000000400000-0x000000000044D000-memory.dmp	upx
C:\Windows\SysWOW64\drivers\TXP1atform.exe	upx
C:\Windows\SysWOW64\drivers\TXP1atform.exe	upx
behavioral2/memory/1132-138-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral2/memory/1964-139-0x0000000000400000-0x000000000044D000-memory.dmp	upx

Modifies registry class 47 IoCs

Processes:

5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166F5F55-C747-4AD7-8D85-79E6BE7394B1}\ProgID	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF67874D-356F-4B14-979C-020A01763691}\1.0\HELPDIR	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}\ = "IApplication"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}\TypeLib	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A9CB768C-86A2-479E-A7A2-6D9893F0BC39}	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A9CB768C-86A2-479E-A7A2-6D9893F0BC39}	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.Application\ = "Application Class"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166F5F55-C747-4AD7-8D85-79E6BE7394B1}\AppID = "{A9CB768C-86A2-479E-A7A2-6D9893F0BC39}"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF67874D-356F-4B14-979C-020A01763691}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.Application	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166F5F55-C747-4AD7-8D85-79E6BE7394B1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe\""	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF67874D-356F-4B14-979C-020A01763691}\1.0\ = "launcher 1.0 Type Library"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF67874D-356F-4B14-979C-020A01763691}\1.0\FLAGS\ = "0"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}\ProxyStubClsid32	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A9CB768C-86A2-479E-A7A2-6D9893F0BC39}\ = "launcher"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\launcher.EXE	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.Application\CLSID\ = "{166F5F55-C747-4AD7-8D85-79E6BE7394B1}"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF67874D-356F-4B14-979C-020A01763691}\1.0\FLAGS	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF67874D-356F-4B14-979C-020A01763691}\1.0\0\win32	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF67874D-356F-4B14-979C-020A01763691}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}\TypeLib	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.Application.1\CLSID\ = "{166F5F55-C747-4AD7-8D85-79E6BE7394B1}"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.Application\CLSID	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.Application.1\CLSID	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166F5F55-C747-4AD7-8D85-79E6BE7394B1}	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}\ProxyStubClsid32	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}\TypeLib\Version = "1.0"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\launcher.EXE\AppID = "{A9CB768C-86A2-479E-A7A2-6D9893F0BC39}"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.Application.1\ = "Application Class"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF67874D-356F-4B14-979C-020A01763691}	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\launcher.EXE	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166F5F55-C747-4AD7-8D85-79E6BE7394B1}\ProgID\ = "Launcher.Application.1"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166F5F55-C747-4AD7-8D85-79E6BE7394B1}\VersionIndependentProgID	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166F5F55-C747-4AD7-8D85-79E6BE7394B1}\LocalServer32	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF67874D-356F-4B14-979C-020A01763691}\1.0\0	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}\ = "IApplication"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}\TypeLib\ = "{FF67874D-356F-4B14-979C-020A01763691}"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}\TypeLib\Version = "1.0"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.Application.1	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166F5F55-C747-4AD7-8D85-79E6BE7394B1}\ = "Application Class"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{844E95E4-4989-4032-8063-48DD4B113D95}\TypeLib\ = "{FF67874D-356F-4B14-979C-020A01763691}"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166F5F55-C747-4AD7-8D85-79E6BE7394B1}\VersionIndependentProgID\ = "Launcher.Application"	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF67874D-356F-4B14-979C-020A01763691}\1.0	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exeTXP1atform.exe

pid	process
1964	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
1964	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
1132	TXP1atform.exe
1132	TXP1atform.exe
1132	TXP1atform.exe
1132	TXP1atform.exe
1132	TXP1atform.exe
1132	TXP1atform.exe
1132	TXP1atform.exe
1132	TXP1atform.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.execmd.exe

description	pid	process	target process
PID 1964 wrote to memory of 2584	1964	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe	cmd.exe
PID 1964 wrote to memory of 2584	1964	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe	cmd.exe
PID 1964 wrote to memory of 2584	1964	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe	cmd.exe
PID 1964 wrote to memory of 1132	1964	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe	TXP1atform.exe
PID 1964 wrote to memory of 1132	1964	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe	TXP1atform.exe
PID 1964 wrote to memory of 1132	1964	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe	TXP1atform.exe
PID 2584 wrote to memory of 2844	2584	cmd.exe	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
PID 2584 wrote to memory of 2844	2584	cmd.exe	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
PID 2584 wrote to memory of 2844	2584	cmd.exe	5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe

C:\Users\Admin\AppData\Local\Temp\5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
"C:\Users\Admin\AppData\Local\Temp\5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\20$$.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2584

C:\Users\Admin\AppData\Local\Temp\5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe
"C:\Users\Admin\AppData\Local\Temp\5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe"
3⤵
- Executes dropped EXE
- Modifies registry class
PID:2844

C:\Windows\SysWOW64\drivers\TXP1atform.exe
C:\Windows\system32\drivers\TXP1atform.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1132

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\20$$.bat

Filesize
677B

MD5
aa96f54cd180cce83794294fea661573

SHA1
cb6295f10693d4e590ff4455159e17c4950edf67

SHA256
aa1a768f5ff50bdd6fd44b739030f3bdfb1c229a7de555fd277dd6dc211fd401

SHA512
6d1b35b0355c335a377a52e9864019f82c7fd9b6a9bb84117802a7850226c1b04c685a89ccb005585bd5f9065b5a746d249e2126c49bcb12e38ba59e4e19b273

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe

Filesize
100KB

MD5
fb76d62d5357377b720264a80134c93d

SHA1
0b00534dcfd362ddfa10aea84b40b79e91747cd2

SHA256
af8484659848fc7989a2fba89a10dc00ac485905545a081941c56a1f397b0b5e

SHA512
1a840a4c9eae9e49a5b17b958a89d717845ebebe2fa34203042f52bc867c309b95a29553a65df70ec1b215821e0059de660f4d5b980752df9c61164d11b1c66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a3f7e88248073b73aacfeccdb0ac05c097374fb6da12066ef9075bfe5dee704.exe.exe

Filesize
100KB

MD5
fb76d62d5357377b720264a80134c93d

SHA1
0b00534dcfd362ddfa10aea84b40b79e91747cd2

SHA256
af8484659848fc7989a2fba89a10dc00ac485905545a081941c56a1f397b0b5e

SHA512
1a840a4c9eae9e49a5b17b958a89d717845ebebe2fa34203042f52bc867c309b95a29553a65df70ec1b215821e0059de660f4d5b980752df9c61164d11b1c66e

Download Submit
C:\Windows\SysWOW64\drivers\TXP1atform.exe

Filesize
78KB

MD5
dcac87c3ec93f39f5a0235a02a49f0d9

SHA1
957d14aba802bd93578b7a8c96035b8e01eb623f

SHA256
56facab9390d510f93d1654c6fda85a205d3b8f02691bb3829fdf5129638633f

SHA512
ca958849f7ae215b76837fbb4fffe84562a4212283af53aa04e138cd374280af6ce1d10b5b91c507fc87026ff56e8b27a1af7bf0cd8635c87ad1dff349ca00fb

Download Submit
C:\Windows\SysWOW64\drivers\TXP1atform.exe

Filesize
78KB

MD5
dcac87c3ec93f39f5a0235a02a49f0d9

SHA1
957d14aba802bd93578b7a8c96035b8e01eb623f

SHA256
56facab9390d510f93d1654c6fda85a205d3b8f02691bb3829fdf5129638633f

SHA512
ca958849f7ae215b76837fbb4fffe84562a4212283af53aa04e138cd374280af6ce1d10b5b91c507fc87026ff56e8b27a1af7bf0cd8635c87ad1dff349ca00fb

Download Submit
memory/1132-134-0x0000000000000000-mapping.dmp

Download
memory/1132-138-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1964-132-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1964-139-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2584-133-0x0000000000000000-mapping.dmp

Download
memory/2844-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads