7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf

General

Target

7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe
Size

16KB
MD5

a3600853742246430b7f9f2c99713b9c
SHA1

0934faf31dc133410d2621cd275b7575b031c47f
SHA256

7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf
SHA512

e47aafb472b304aff96373d49640b1172e7c775493b4c7ce447f16d61ca3579d21ddf5cbfb6ab54108d011f6686500dc05da3252141febda3cdbd62edb413ff4
SSDEEP

384:oeNkg8RQISbUqWsfZ1RRdX69/hL/ktvFN297q:oeNk3RQISYqWiZHg/hQtvFN07

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4828-132-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/4828-135-0x0000000000400000-0x0000000000411000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4640 rundll32.exe

pid	process
4640	rundll32.exe

Drops file in System32 directory 3 IoCs

Processes:

7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exerundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sgx.kml	7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe
File created	C:\Windows\SysWOW64\lpk.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\dllcache\lpk.dll	rundll32.exe

Drops file in Windows directory 3 IoCs

Processes:

7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe

description	ioc	process
File created	C:\Windows\sg.tmp	7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe
File created	C:\Windows\sg.tmp1	7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe
File opened for modification	C:\Windows\sg.tmp1	7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1392 4640 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

4640 rundll32.exe
4640 rundll32.exe
4640 rundll32.exe
4640 rundll32.exe

pid	pid_target	process	target process
1392	4640	WerFault.exe	rundll32.exe

pid	process
4640	rundll32.exe
4640	rundll32.exe
4640	rundll32.exe
4640	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.execmd.exe

description	pid	process	target process
PID 4828 wrote to memory of 4768	4828	7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe	cmd.exe
PID 4828 wrote to memory of 4768	4828	7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe	cmd.exe
PID 4828 wrote to memory of 4768	4828	7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe	cmd.exe
PID 4828 wrote to memory of 4796	4828	7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe	cmd.exe
PID 4828 wrote to memory of 4796	4828	7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe	cmd.exe
PID 4828 wrote to memory of 4796	4828	7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe	cmd.exe
PID 4768 wrote to memory of 4640	4768	cmd.exe	rundll32.exe
PID 4768 wrote to memory of 4640	4768	cmd.exe	rundll32.exe
PID 4768 wrote to memory of 4640	4768	cmd.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe
"C:\Users\Admin\AppData\Local\Temp\7d651f3d14f9afcc15ee8fc43f512ed1009f610fd160455f7b05e542481c99cf.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\cmd.exe
cmd /c rundll32.exe C:\Windows\sg.tmp1 Run
2⤵
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\sg.tmp1 Run
3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 716
4⤵
- Program crash
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\del.bat
2⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4640 -ip 4640
1⤵
PID:1400

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\del.bat

Filesize
400B

MD5
06790da9b3fb8d84640f12585a82f907

SHA1
4afd282cf1368e8492f9522fc8962a3e4253b550

SHA256
2e04675561465c92490b587e4d28160069e7d614007f6ce5804e07f784b6739e

SHA512
d9b1e0d7a80bcf48c548a4b8a747d1eed6c04711c0cf37fa7691f69346f870ec78da57774ece2c095353ab0e2065562dab9cd8aa2eb4372538dc04975a48063f

Download Submit
C:\Windows\sg.tmp

Filesize
36KB

MD5
515cb16740c663e49b88979bc32b7b14

SHA1
d1bf5597d6bf039046d82d821708c4f821534c2a

SHA256
284728b356c91564e796a2f424d5e927e82896303ce4664d1e41735d1bba9bda

SHA512
f64099942a0d59110efcfcdaf2e7d0b7f47f8aaf39acb8a24bfeb2fc70cca188dbf1de544c7d83e7af4e74c98e1147dada93cd08a8b67763a3c69a331d957754

Download Submit
C:\Windows\sg.tmp1

Filesize
36KB

MD5
515cb16740c663e49b88979bc32b7b14

SHA1
d1bf5597d6bf039046d82d821708c4f821534c2a

SHA256
284728b356c91564e796a2f424d5e927e82896303ce4664d1e41735d1bba9bda

SHA512
f64099942a0d59110efcfcdaf2e7d0b7f47f8aaf39acb8a24bfeb2fc70cca188dbf1de544c7d83e7af4e74c98e1147dada93cd08a8b67763a3c69a331d957754

Download Submit
C:\Windows\sg.tmp1

Filesize
36KB

MD5
515cb16740c663e49b88979bc32b7b14

SHA1
d1bf5597d6bf039046d82d821708c4f821534c2a

SHA256
284728b356c91564e796a2f424d5e927e82896303ce4664d1e41735d1bba9bda

SHA512
f64099942a0d59110efcfcdaf2e7d0b7f47f8aaf39acb8a24bfeb2fc70cca188dbf1de544c7d83e7af4e74c98e1147dada93cd08a8b67763a3c69a331d957754

Download Submit
memory/4640-137-0x0000000000000000-mapping.dmp

Download
memory/4768-133-0x0000000000000000-mapping.dmp

Download
memory/4796-134-0x0000000000000000-mapping.dmp

Download
memory/4828-132-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4828-135-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads