eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775

General

Target

eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775.exe
Size

1.7MB
MD5

fc14c1572cf090d3d6eefa22ff6ab01d
SHA1

6a8a4272121ea4be9f1c59eb3b3b6ba7b88ccb9d
SHA256

eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775
SHA512

458d63bec91145ea2a35f511cc815d45bf63dc0579a1eb5914e94dd163c6811dcad248d20b3a9b5fafd481b4701dc19a461e16ac095bd586a359cab3d7c783c3
SSDEEP

12288:6L3xYldHijkmQXdNQC5vNmWfGtOBMnb3/WOy7L:6L3WldH2QfQC5vNZOtOMPG

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1552-76-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral1/memory/1552-79-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral1/memory/1552-82-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral1/memory/1552-85-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral1/memory/1552-88-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral1/memory/1552-89-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral1/memory/1552-90-0x0000000001610000-0x0000000001720000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

Processes:

eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775.exevbc.exe

description	pid	process	target process
PID 1196 set thread context of 676	1196	eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775.exe	vbc.exe
PID 676 set thread context of 1552	676	vbc.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775.exevbc.exe

pid process

1196 eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775.exe
1552 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775.exe

description pid process

Token: SeDebugPrivilege 1196 eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775.exe

pid	process
1196	eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775.exe
1552	vbc.exe

description	pid	process
Token: SeDebugPrivilege	1196	eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775.exevbc.exe

description	pid	process	target process
PID 1196 wrote to memory of 676	1196	eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775.exe	vbc.exe
PID 1196 wrote to memory of 676	1196	eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775.exe	vbc.exe
PID 1196 wrote to memory of 676	1196	eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775.exe	vbc.exe
PID 1196 wrote to memory of 676	1196	eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775.exe	vbc.exe
PID 1196 wrote to memory of 676	1196	eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775.exe	vbc.exe
PID 1196 wrote to memory of 676	1196	eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775.exe	vbc.exe
PID 1196 wrote to memory of 676	1196	eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775.exe	vbc.exe
PID 1196 wrote to memory of 676	1196	eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775.exe	vbc.exe
PID 1196 wrote to memory of 676	1196	eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775.exe	vbc.exe
PID 1196 wrote to memory of 676	1196	eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775.exe	vbc.exe
PID 1196 wrote to memory of 676	1196	eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775.exe	vbc.exe
PID 1196 wrote to memory of 676	1196	eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775.exe	vbc.exe
PID 676 wrote to memory of 1552	676	vbc.exe	vbc.exe
PID 676 wrote to memory of 1552	676	vbc.exe	vbc.exe
PID 676 wrote to memory of 1552	676	vbc.exe	vbc.exe
PID 676 wrote to memory of 1552	676	vbc.exe	vbc.exe
PID 676 wrote to memory of 1552	676	vbc.exe	vbc.exe
PID 676 wrote to memory of 1552	676	vbc.exe	vbc.exe
PID 676 wrote to memory of 1552	676	vbc.exe	vbc.exe
PID 676 wrote to memory of 1552	676	vbc.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775.exe
"C:\Users\Admin\AppData\Local\Temp\eec8274ccb9fcbe7f2d6cdd9062319685d27c7d501fd4871f4ce97f527469775.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\fPRxu7\fPRxu7.nfo

Filesize
3KB

MD5
a55087f216e105abb2c757ff335dafe2

SHA1
d42c7098d53c91634e120ace6e77e29307da28cd

SHA256
bffa361e17adf72cca01380c6fa10670afe600467211641b44b1796158944f2f

SHA512
98fb2e2966be3abfe041e022c9c2126d0909bde73b38618f8212c7d310b0094e0047f0ab4f48890059291b4c68f8f5f998b30751157092989cc3f85f57347f3d

Download Submit
memory/676-73-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/676-65-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/676-74-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/676-58-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/676-60-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/676-62-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/676-57-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/676-63-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/676-64-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/676-86-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/676-67-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/676-68-0x0000000000408600-mapping.dmp

Download
memory/676-69-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1196-70-0x00000000746C0000-0x0000000074C6B000-memory.dmp

Filesize
5.7MB

Download
memory/1196-61-0x00000000005D5000-0x00000000005E6000-memory.dmp

Filesize
68KB

Download
memory/1196-72-0x00000000005D5000-0x00000000005E6000-memory.dmp

Filesize
68KB

Download
memory/1196-56-0x00000000746C0000-0x0000000074C6B000-memory.dmp

Filesize
5.7MB

Download
memory/1196-54-0x00000000754C1000-0x00000000754C3000-memory.dmp

Filesize
8KB

Download
memory/1196-55-0x00000000746C0000-0x0000000074C6B000-memory.dmp

Filesize
5.7MB

Download
memory/1552-94-0x00000000016C5000-0x000000000171E000-memory.dmp

Filesize
356KB

Download
memory/1552-82-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/1552-84-0x000000000171D0D0-mapping.dmp

Download
memory/1552-85-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/1552-79-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/1552-88-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/1552-89-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/1552-90-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/1552-76-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/1552-92-0x00000000016C5000-0x000000000171E000-memory.dmp

Filesize
356KB

Download
memory/1552-93-0x0000000001611000-0x00000000016C5000-memory.dmp

Filesize
720KB

Download
memory/1552-75-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads