7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf

General

Target

7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe
Size

16KB
MD5

a3600853742246430b7f9f2c99713b9c
SHA1

0934faf31dc133410d2621cd275b7575b031c47f
SHA256

7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf
SHA512

e47aafb472b304aff96373d49640b1172e7c775493b4c7ce447f16d61ca3579d21ddf5cbfb6ab54108d011f6686500dc05da3252141febda3cdbd62edb413ff4
SSDEEP

384:oeNkg8RQISbUqWsfZ1RRdX69/hL/ktvFN297q:oeNk3RQISYqWiZHg/hQtvFN07

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2032-54-0x0000000000400000-0x0000000000411000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

268 cmd.exe

pid	process
268	cmd.exe

Drops file in System32 directory 3 IoCs

Processes:

7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exerundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sgx.kml	7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe
File created	C:\Windows\SysWOW64\lpk.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\dllcache\lpk.dll	rundll32.exe

Drops file in Windows directory 3 IoCs

Processes:

7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe

description	ioc	process
File opened for modification	C:\Windows\sg.tmp1	7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe
File created	C:\Windows\sg.tmp	7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe
File created	C:\Windows\sg.tmp1	7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1304 520 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

520 rundll32.exe
520 rundll32.exe

pid	pid_target	process	target process
1304	520	WerFault.exe	rundll32.exe

pid	process
520	rundll32.exe
520	rundll32.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.execmd.exerundll32.exe

description	pid	process	target process
PID 2032 wrote to memory of 772	2032	7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe	cmd.exe
PID 2032 wrote to memory of 772	2032	7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe	cmd.exe
PID 2032 wrote to memory of 772	2032	7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe	cmd.exe
PID 2032 wrote to memory of 772	2032	7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe	cmd.exe
PID 2032 wrote to memory of 268	2032	7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe	cmd.exe
PID 2032 wrote to memory of 268	2032	7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe	cmd.exe
PID 2032 wrote to memory of 268	2032	7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe	cmd.exe
PID 2032 wrote to memory of 268	2032	7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe	cmd.exe
PID 772 wrote to memory of 520	772	cmd.exe	rundll32.exe
PID 772 wrote to memory of 520	772	cmd.exe	rundll32.exe
PID 772 wrote to memory of 520	772	cmd.exe	rundll32.exe
PID 772 wrote to memory of 520	772	cmd.exe	rundll32.exe
PID 772 wrote to memory of 520	772	cmd.exe	rundll32.exe
PID 772 wrote to memory of 520	772	cmd.exe	rundll32.exe
PID 772 wrote to memory of 520	772	cmd.exe	rundll32.exe
PID 520 wrote to memory of 1304	520	rundll32.exe	WerFault.exe
PID 520 wrote to memory of 1304	520	rundll32.exe	WerFault.exe
PID 520 wrote to memory of 1304	520	rundll32.exe	WerFault.exe
PID 520 wrote to memory of 1304	520	rundll32.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe
"C:\Users\Admin\AppData\Local\Temp\7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd /c rundll32.exe C:\Windows\sg.tmp1 Run
2⤵
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\sg.tmp1 Run
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 520 -s 244
4⤵
- Program crash
PID:1304

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\del.bat
2⤵
- Deletes itself
PID:268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\del.bat

Filesize
400B

MD5
06790da9b3fb8d84640f12585a82f907

SHA1
4afd282cf1368e8492f9522fc8962a3e4253b550

SHA256
2e04675561465c92490b587e4d28160069e7d614007f6ce5804e07f784b6739e

SHA512
d9b1e0d7a80bcf48c548a4b8a747d1eed6c04711c0cf37fa7691f69346f870ec78da57774ece2c095353ab0e2065562dab9cd8aa2eb4372538dc04975a48063f

Download Submit
C:\Windows\sg.tmp

Filesize
36KB

MD5
2b077dc59144302294856ab5dc3680d2

SHA1
31ce6fe7cb7ae9660c07eb1253707a0edc14aba9

SHA256
8df980987f3a9a2099daecf0de73a87c7e5e13f00ec684e33a14af10d82a0042

SHA512
0cf780fb6f06c8c69fc1e54cc4b468b9055d7d9aabfb14f4164cc871296e0a1c57077d4a851d37c7ab5b61acb0bba5bb1f0550e7225a6a39f8a6cb14faecf26b

Download Submit
C:\Windows\sg.tmp1

Filesize
36KB

MD5
2b077dc59144302294856ab5dc3680d2

SHA1
31ce6fe7cb7ae9660c07eb1253707a0edc14aba9

SHA256
8df980987f3a9a2099daecf0de73a87c7e5e13f00ec684e33a14af10d82a0042

SHA512
0cf780fb6f06c8c69fc1e54cc4b468b9055d7d9aabfb14f4164cc871296e0a1c57077d4a851d37c7ab5b61acb0bba5bb1f0550e7225a6a39f8a6cb14faecf26b

Download Submit
memory/268-56-0x0000000000000000-mapping.dmp

Download
memory/520-58-0x0000000000000000-mapping.dmp

Download
memory/520-59-0x0000000076B51000-0x0000000076B53000-memory.dmp

Filesize
8KB

Download
memory/772-55-0x0000000000000000-mapping.dmp

Download
memory/1304-62-0x0000000000000000-mapping.dmp

Download
memory/2032-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads