c50c6add28bdda1fc07e33a3bd97c885f0709410e6f4512b70bb149c00829f6d

Analysis

max time kernel
247s
max time network
266s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c50c6add28bdda1fc07e33a3bd97c885f0709410e6f4512b70bb149c00829f6d.exe
Size

508KB
MD5

44dba3fb55b165d5049b3685dd85cd89
SHA1

99beea819a71f2c68e8a73ded9820dd44f5a71f1
SHA256

c50c6add28bdda1fc07e33a3bd97c885f0709410e6f4512b70bb149c00829f6d
SHA512

cd070e8cc13487317df6c10e69baeebf135a9dd18fd9a3977020833bde4390229547e0dc19d44bdaa9f88a2fe5eabde493e30db98e39fd54202498e65ab0374c
SSDEEP

6144:X3xV7htOfFiktSdWyKYAWFCbW7LYxLk+4MGT+N50cIXv+1coDdkozx3pypmlNH9J:X3xxPuFVtSdWJsuWXLGMvxsltRok/Gy

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 7 IoCs

Processes:

eosRo6jbz1.exe2veg.exe3veg.exe2veg.exe2veg.exe2veg.exe2veg.exe

pid process

3240 eosRo6jbz1.exe
1072 2veg.exe
4116 3veg.exe
764 2veg.exe
1368 2veg.exe
4688 2veg.exe
3496 2veg.exe

pid	process
3240	eosRo6jbz1.exe
1072	2veg.exe
4116	3veg.exe
764	2veg.exe
1368	2veg.exe
4688	2veg.exe
3496	2veg.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/764-147-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/764-151-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/764-153-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/1368-154-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1368-157-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1368-159-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4688-162-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3496-165-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/764-167-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/1368-168-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Suspicious use of SetThreadContext 4 IoCs

Processes:

2veg.exe

description	pid	process	target process
PID 1072 set thread context of 764	1072	2veg.exe	2veg.exe
PID 1072 set thread context of 1368	1072	2veg.exe	2veg.exe
PID 1072 set thread context of 4688	1072	2veg.exe	2veg.exe
PID 1072 set thread context of 3496	1072	2veg.exe	2veg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

eosRo6jbz1.exe

pid process

3240 eosRo6jbz1.exe
3240 eosRo6jbz1.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

c50c6add28bdda1fc07e33a3bd97c885f0709410e6f4512b70bb149c00829f6d.exeeosRo6jbz1.exe2veg.exe2veg.exe

pid process

204 c50c6add28bdda1fc07e33a3bd97c885f0709410e6f4512b70bb149c00829f6d.exe
3240 eosRo6jbz1.exe
1072 2veg.exe
764 2veg.exe

pid	process
3240	eosRo6jbz1.exe
3240	eosRo6jbz1.exe

pid	process
204	c50c6add28bdda1fc07e33a3bd97c885f0709410e6f4512b70bb149c00829f6d.exe
3240	eosRo6jbz1.exe
1072	2veg.exe
764	2veg.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

c50c6add28bdda1fc07e33a3bd97c885f0709410e6f4512b70bb149c00829f6d.exe2veg.exe

description	pid	process	target process
PID 204 wrote to memory of 3240	204	c50c6add28bdda1fc07e33a3bd97c885f0709410e6f4512b70bb149c00829f6d.exe	eosRo6jbz1.exe
PID 204 wrote to memory of 3240	204	c50c6add28bdda1fc07e33a3bd97c885f0709410e6f4512b70bb149c00829f6d.exe	eosRo6jbz1.exe
PID 204 wrote to memory of 3240	204	c50c6add28bdda1fc07e33a3bd97c885f0709410e6f4512b70bb149c00829f6d.exe	eosRo6jbz1.exe
PID 204 wrote to memory of 1072	204	c50c6add28bdda1fc07e33a3bd97c885f0709410e6f4512b70bb149c00829f6d.exe	2veg.exe
PID 204 wrote to memory of 1072	204	c50c6add28bdda1fc07e33a3bd97c885f0709410e6f4512b70bb149c00829f6d.exe	2veg.exe
PID 204 wrote to memory of 1072	204	c50c6add28bdda1fc07e33a3bd97c885f0709410e6f4512b70bb149c00829f6d.exe	2veg.exe
PID 1072 wrote to memory of 764	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 764	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 764	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 764	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 764	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 764	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 764	1072	2veg.exe	2veg.exe
PID 204 wrote to memory of 4116	204	c50c6add28bdda1fc07e33a3bd97c885f0709410e6f4512b70bb149c00829f6d.exe	3veg.exe
PID 204 wrote to memory of 4116	204	c50c6add28bdda1fc07e33a3bd97c885f0709410e6f4512b70bb149c00829f6d.exe	3veg.exe
PID 204 wrote to memory of 4116	204	c50c6add28bdda1fc07e33a3bd97c885f0709410e6f4512b70bb149c00829f6d.exe	3veg.exe
PID 1072 wrote to memory of 764	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 1368	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 1368	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 1368	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 1368	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 1368	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 1368	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 1368	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 1368	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 4688	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 4688	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 4688	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 4688	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 4688	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 4688	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 4688	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 4688	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 3496	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 3496	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 3496	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 3496	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 3496	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 3496	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 3496	1072	2veg.exe	2veg.exe
PID 1072 wrote to memory of 3496	1072	2veg.exe	2veg.exe

C:\Users\Admin\AppData\Local\Temp\c50c6add28bdda1fc07e33a3bd97c885f0709410e6f4512b70bb149c00829f6d.exe
"C:\Users\Admin\AppData\Local\Temp\c50c6add28bdda1fc07e33a3bd97c885f0709410e6f4512b70bb149c00829f6d.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:204

C:\Users\Admin\eosRo6jbz1.exe
C:\Users\Admin\eosRo6jbz1.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3240

C:\Users\Admin\2veg.exe
C:\Users\Admin\2veg.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1072

C:\Users\Admin\2veg.exe
"C:\Users\Admin\2veg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:764

C:\Users\Admin\2veg.exe
"C:\Users\Admin\2veg.exe"
3⤵
- Executes dropped EXE
PID:1368

C:\Users\Admin\2veg.exe
"C:\Users\Admin\2veg.exe"
3⤵
- Executes dropped EXE
PID:4688

C:\Users\Admin\2veg.exe
"C:\Users\Admin\2veg.exe"
3⤵
- Executes dropped EXE
PID:3496

C:\Users\Admin\3veg.exe
C:\Users\Admin\3veg.exe
2⤵
- Executes dropped EXE
PID:4116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\2veg.exe

Filesize
124KB

MD5
116cdd8174ee4734183e8f019a548596

SHA1
d918d4e4bdaec0f4066c2285a5bd85903d92e23f

SHA256
dc4a13e971df03dd33d12979f28cb17b17191a4d494a450c9d727d9843a9744a

SHA512
377822fd02c198c84a76408bb05a48de49329ba5ab7f39f42b055d8684b8bd35b8d5f76cfd933206da391d85236af3f7dbcbb9ee4b9e5b793e52265a10cc1933

Download Submit
C:\Users\Admin\2veg.exe

Filesize
124KB

MD5
116cdd8174ee4734183e8f019a548596

SHA1
d918d4e4bdaec0f4066c2285a5bd85903d92e23f

SHA256
dc4a13e971df03dd33d12979f28cb17b17191a4d494a450c9d727d9843a9744a

SHA512
377822fd02c198c84a76408bb05a48de49329ba5ab7f39f42b055d8684b8bd35b8d5f76cfd933206da391d85236af3f7dbcbb9ee4b9e5b793e52265a10cc1933

Download Submit
C:\Users\Admin\2veg.exe

Filesize
124KB

MD5
116cdd8174ee4734183e8f019a548596

SHA1
d918d4e4bdaec0f4066c2285a5bd85903d92e23f

SHA256
dc4a13e971df03dd33d12979f28cb17b17191a4d494a450c9d727d9843a9744a

SHA512
377822fd02c198c84a76408bb05a48de49329ba5ab7f39f42b055d8684b8bd35b8d5f76cfd933206da391d85236af3f7dbcbb9ee4b9e5b793e52265a10cc1933

Download Submit
C:\Users\Admin\2veg.exe

Filesize
124KB

MD5
116cdd8174ee4734183e8f019a548596

SHA1
d918d4e4bdaec0f4066c2285a5bd85903d92e23f

SHA256
dc4a13e971df03dd33d12979f28cb17b17191a4d494a450c9d727d9843a9744a

SHA512
377822fd02c198c84a76408bb05a48de49329ba5ab7f39f42b055d8684b8bd35b8d5f76cfd933206da391d85236af3f7dbcbb9ee4b9e5b793e52265a10cc1933

Download Submit
C:\Users\Admin\2veg.exe

Filesize
124KB

MD5
116cdd8174ee4734183e8f019a548596

SHA1
d918d4e4bdaec0f4066c2285a5bd85903d92e23f

SHA256
dc4a13e971df03dd33d12979f28cb17b17191a4d494a450c9d727d9843a9744a

SHA512
377822fd02c198c84a76408bb05a48de49329ba5ab7f39f42b055d8684b8bd35b8d5f76cfd933206da391d85236af3f7dbcbb9ee4b9e5b793e52265a10cc1933

Download Submit
C:\Users\Admin\2veg.exe

Filesize
124KB

MD5
116cdd8174ee4734183e8f019a548596

SHA1
d918d4e4bdaec0f4066c2285a5bd85903d92e23f

SHA256
dc4a13e971df03dd33d12979f28cb17b17191a4d494a450c9d727d9843a9744a

SHA512
377822fd02c198c84a76408bb05a48de49329ba5ab7f39f42b055d8684b8bd35b8d5f76cfd933206da391d85236af3f7dbcbb9ee4b9e5b793e52265a10cc1933

Download Submit
C:\Users\Admin\3veg.exe

Filesize
287KB

MD5
357d9b4488d3191b0d6197015b326484

SHA1
057455015523d5b0b475dce4a49d510ba6a23ee4

SHA256
7444e14894fdd4a92bf4fc447ac8884c230730cbd0156e84d9c37f23db4b6c36

SHA512
f6e059efdbb604e3a2ad3a9d91d20061f03343dd387f2d88971a640a4fb142164c79ea275200a3dbe9ab2b21a16318b5fdd457c0464b900ea37497c7500373bc

Download Submit
C:\Users\Admin\3veg.exe

Filesize
287KB

MD5
357d9b4488d3191b0d6197015b326484

SHA1
057455015523d5b0b475dce4a49d510ba6a23ee4

SHA256
7444e14894fdd4a92bf4fc447ac8884c230730cbd0156e84d9c37f23db4b6c36

SHA512
f6e059efdbb604e3a2ad3a9d91d20061f03343dd387f2d88971a640a4fb142164c79ea275200a3dbe9ab2b21a16318b5fdd457c0464b900ea37497c7500373bc

Download Submit
C:\Users\Admin\eosRo6jbz1.exe

Filesize
180KB

MD5
582c4af3c13d489f7593c6655a9ed25f

SHA1
f920f89e59010c5d24507a3556cfa2b8ed406ddc

SHA256
560158f5874f861a9d2024e72d11dd6c8f730c67fead128818454989479b35c5

SHA512
f89286144121c22284dd9fc3b9e908d414b8d407c86f867e8485596ea847577b2a98dd8ab974ace842075c086f5aa80762e345d5f4487cb44a1ffafae6f3a21d

Download Submit
C:\Users\Admin\eosRo6jbz1.exe

Filesize
180KB

MD5
582c4af3c13d489f7593c6655a9ed25f

SHA1
f920f89e59010c5d24507a3556cfa2b8ed406ddc

SHA256
560158f5874f861a9d2024e72d11dd6c8f730c67fead128818454989479b35c5

SHA512
f89286144121c22284dd9fc3b9e908d414b8d407c86f867e8485596ea847577b2a98dd8ab974ace842075c086f5aa80762e345d5f4487cb44a1ffafae6f3a21d

Download Submit
memory/764-144-0x0000000000000000-mapping.dmp

Download
memory/764-167-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/764-147-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/764-151-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/764-153-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1072-139-0x0000000000000000-mapping.dmp

Download
memory/1368-159-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1368-157-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1368-152-0x0000000000000000-mapping.dmp

Download
memory/1368-154-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1368-168-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3240-134-0x0000000000000000-mapping.dmp

Download
memory/3496-164-0x0000000000000000-mapping.dmp

Download
memory/3496-165-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4116-145-0x0000000000000000-mapping.dmp

Download
memory/4688-161-0x0000000000000000-mapping.dmp

Download
memory/4688-162-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download