f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9

General

Target

f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9.exe
Size

723KB
MD5

3184d45c1bb061f8c1d1aa33b1589af1
SHA1

e89858a93ad1e4553b9759a621d051a16385a848
SHA256

f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9
SHA512

415280e60b60f36f0c5d50d9b79e22f04bb91bfa265abea86fc73f01e5f5e4fba5a5325b401c236bcda00a6c2c4d79b85669c48659adffe757f49e67029366e8
SSDEEP

12288:h8INhSGjMnZdUZRAawpgBSthNw5x9uG/fMvQTQgNSQAR:OZGYZdwzcHtLwX9ugfMvQUgQb

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

xrmgrarilu.pre

pid process

1500 xrmgrarilu.pre

pid	process
1500	xrmgrarilu.pre

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1944-54-0x0000000000A00000-0x0000000000C94000-memory.dmp	upx
behavioral1/memory/1944-57-0x0000000000A00000-0x0000000000C94000-memory.dmp	upx
behavioral1/memory/1500-66-0x00000000013A0000-0x0000000001634000-memory.dmp	upx
behavioral1/memory/1500-69-0x00000000013A0000-0x0000000001634000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

dllhost.exe

pid process

948 dllhost.exe
Loads dropped DLL 1 IoCs

Processes:

dllhost.exe

pid process

948 dllhost.exe

pid	process
948	dllhost.exe

pid	process
948	dllhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ukuemmej = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wwspqc\\wvkjmmej.exe"	dllhost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9.exedllhost.exexrmgrarilu.pre

description	pid	process	target process
PID 1944 wrote to memory of 948	1944	f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9.exe	dllhost.exe
PID 1944 wrote to memory of 948	1944	f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9.exe	dllhost.exe
PID 1944 wrote to memory of 948	1944	f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9.exe	dllhost.exe
PID 1944 wrote to memory of 948	1944	f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9.exe	dllhost.exe
PID 1944 wrote to memory of 948	1944	f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9.exe	dllhost.exe
PID 948 wrote to memory of 1500	948	dllhost.exe	xrmgrarilu.pre
PID 948 wrote to memory of 1500	948	dllhost.exe	xrmgrarilu.pre
PID 948 wrote to memory of 1500	948	dllhost.exe	xrmgrarilu.pre
PID 948 wrote to memory of 1500	948	dllhost.exe	xrmgrarilu.pre
PID 1500 wrote to memory of 772	1500	xrmgrarilu.pre	dllhost.exe
PID 1500 wrote to memory of 772	1500	xrmgrarilu.pre	dllhost.exe
PID 1500 wrote to memory of 772	1500	xrmgrarilu.pre	dllhost.exe
PID 1500 wrote to memory of 772	1500	xrmgrarilu.pre	dllhost.exe
PID 1500 wrote to memory of 772	1500	xrmgrarilu.pre	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9.exe
"C:\Users\Admin\AppData\Local\Temp\f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\xrmgrarilu.pre
C:\Users\Admin\AppData\Local\Temp\xrmgrarilu.pre
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
4⤵
- Adds Run key to start application
PID:772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xrmgrarilu.pre

Filesize
723KB

MD5
3184d45c1bb061f8c1d1aa33b1589af1

SHA1
e89858a93ad1e4553b9759a621d051a16385a848

SHA256
f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9

SHA512
415280e60b60f36f0c5d50d9b79e22f04bb91bfa265abea86fc73f01e5f5e4fba5a5325b401c236bcda00a6c2c4d79b85669c48659adffe757f49e67029366e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrmgrarilu.pre

Filesize
723KB

MD5
3184d45c1bb061f8c1d1aa33b1589af1

SHA1
e89858a93ad1e4553b9759a621d051a16385a848

SHA256
f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9

SHA512
415280e60b60f36f0c5d50d9b79e22f04bb91bfa265abea86fc73f01e5f5e4fba5a5325b401c236bcda00a6c2c4d79b85669c48659adffe757f49e67029366e8

Download Submit
\Users\Admin\AppData\Local\Temp\xrmgrarilu.pre

Filesize
723KB

MD5
3184d45c1bb061f8c1d1aa33b1589af1

SHA1
e89858a93ad1e4553b9759a621d051a16385a848

SHA256
f7454ef0023faf9ac319ef95c0dc99e84060db7bca2ec3778769d45ef8ea3ed9

SHA512
415280e60b60f36f0c5d50d9b79e22f04bb91bfa265abea86fc73f01e5f5e4fba5a5325b401c236bcda00a6c2c4d79b85669c48659adffe757f49e67029366e8

Download Submit
memory/772-76-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/772-74-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/772-72-0x0000000000000000-mapping.dmp

Download
memory/948-60-0x0000000000000000-mapping.dmp

Download
memory/948-62-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/948-61-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/948-73-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/948-58-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/1500-64-0x0000000000000000-mapping.dmp

Download
memory/1500-66-0x00000000013A0000-0x0000000001634000-memory.dmp

Filesize
2.6MB

Download
memory/1500-68-0x00000000007A0000-0x00000000007A5000-memory.dmp

Filesize
20KB

Download
memory/1500-69-0x00000000013A0000-0x0000000001634000-memory.dmp

Filesize
2.6MB

Download
memory/1944-54-0x0000000000A00000-0x0000000000C94000-memory.dmp

Filesize
2.6MB

Download
memory/1944-57-0x0000000000A00000-0x0000000000C94000-memory.dmp

Filesize
2.6MB

Download
memory/1944-56-0x0000000000470000-0x0000000000475000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads