adf0844b1a8e29d390fca7364cf35b9a33b41546b13f0341a71c7cda4d3b1c17

General

Target

adf0844b1a8e29d390fca7364cf35b9a33b41546b13f0341a71c7cda4d3b1c17.exe
Size

7.0MB
MD5

4ce3ce888b2db98296b84bc954482398
SHA1

cd5a2cfe8150bc391b52a614c317e6dc6c786b72
SHA256

adf0844b1a8e29d390fca7364cf35b9a33b41546b13f0341a71c7cda4d3b1c17
SHA512

ed50ab3a098fc8170cc5ee1c6ddcef93582749661203c8b6ef9a13e9a6be533281f4441f52b9696309e7816cbb572d7eedc59cb7b2ba959b5aec37f86e26e9ea
SSDEEP

98304:7q5SvxVXQoWI/xedQtCFz501eP0LNhR5Kb3NhR5KbBPcn6:NgnI/cUCFz+9LNQ3NQBPcn6

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4200-132-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4200-133-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4200-134-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4200-136-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4200-138-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4200-140-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4200-142-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4200-144-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4200-146-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4200-148-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4200-150-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4200-152-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4200-154-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4200-156-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4200-158-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4200-160-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4200-162-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4200-164-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4200-166-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4200-168-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4200-170-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4200-172-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4200-174-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4200-178-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
4200	adf0844b1a8e29d390fca7364cf35b9a33b41546b13f0341a71c7cda4d3b1c17.exe
4200	adf0844b1a8e29d390fca7364cf35b9a33b41546b13f0341a71c7cda4d3b1c17.exe
4200	adf0844b1a8e29d390fca7364cf35b9a33b41546b13f0341a71c7cda4d3b1c17.exe
4200	adf0844b1a8e29d390fca7364cf35b9a33b41546b13f0341a71c7cda4d3b1c17.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ESPI11.dll	adf0844b1a8e29d390fca7364cf35b9a33b41546b13f0341a71c7cda4d3b1c17.exe
File opened for modification	C:\Windows\SysWOW64\ESPI11.dll	adf0844b1a8e29d390fca7364cf35b9a33b41546b13f0341a71c7cda4d3b1c17.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4200	adf0844b1a8e29d390fca7364cf35b9a33b41546b13f0341a71c7cda4d3b1c17.exe
4200	adf0844b1a8e29d390fca7364cf35b9a33b41546b13f0341a71c7cda4d3b1c17.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4200	adf0844b1a8e29d390fca7364cf35b9a33b41546b13f0341a71c7cda4d3b1c17.exe
4200	adf0844b1a8e29d390fca7364cf35b9a33b41546b13f0341a71c7cda4d3b1c17.exe
4200	adf0844b1a8e29d390fca7364cf35b9a33b41546b13f0341a71c7cda4d3b1c17.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4200 wrote to memory of 1808	4200	adf0844b1a8e29d390fca7364cf35b9a33b41546b13f0341a71c7cda4d3b1c17.exe	83
PID 4200 wrote to memory of 1808	4200	adf0844b1a8e29d390fca7364cf35b9a33b41546b13f0341a71c7cda4d3b1c17.exe	83
PID 4200 wrote to memory of 1808	4200	adf0844b1a8e29d390fca7364cf35b9a33b41546b13f0341a71c7cda4d3b1c17.exe	83
PID 4200 wrote to memory of 3124	4200	adf0844b1a8e29d390fca7364cf35b9a33b41546b13f0341a71c7cda4d3b1c17.exe	84
PID 4200 wrote to memory of 3124	4200	adf0844b1a8e29d390fca7364cf35b9a33b41546b13f0341a71c7cda4d3b1c17.exe	84
PID 4200 wrote to memory of 3124	4200	adf0844b1a8e29d390fca7364cf35b9a33b41546b13f0341a71c7cda4d3b1c17.exe	84
PID 1808 wrote to memory of 3616	1808	net.exe	87
PID 1808 wrote to memory of 3616	1808	net.exe	87
PID 1808 wrote to memory of 3616	1808	net.exe	87

C:\Users\Admin\AppData\Local\Temp\adf0844b1a8e29d390fca7364cf35b9a33b41546b13f0341a71c7cda4d3b1c17.exe
"C:\Users\Admin\AppData\Local\Temp\adf0844b1a8e29d390fca7364cf35b9a33b41546b13f0341a71c7cda4d3b1c17.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Windows\SysWOW64\net.exe
  net start sharedaccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start sharedaccess
    3⤵
    PID:3616
- C:\Windows\SysWOW64\netsh.exe
  netsh winsock reset
  2⤵
  PID:3124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ESPI11.dll

Filesize
120KB

MD5
b4c2caaa15d4e505ad2858ab15eafb58

SHA1
a1c30a4d016f1c6bd3bf50e36767af8af166d59b

SHA256
93e03eadd330242f2394c15cd32857194e5b80f6300835ef77f8558ca70a2ef1

SHA512
09b5903a579685522a521cec3b6026ab0d7b9cff3099f032254dbd2b48fbbdd9a7411c0765049784c64f520d41916e681cae206a736b4fab1868f449e84b4bf2

Download Submit
C:\ESPI11.dll

Filesize
120KB

MD5
b4c2caaa15d4e505ad2858ab15eafb58

SHA1
a1c30a4d016f1c6bd3bf50e36767af8af166d59b

SHA256
93e03eadd330242f2394c15cd32857194e5b80f6300835ef77f8558ca70a2ef1

SHA512
09b5903a579685522a521cec3b6026ab0d7b9cff3099f032254dbd2b48fbbdd9a7411c0765049784c64f520d41916e681cae206a736b4fab1868f449e84b4bf2

Download Submit
C:\Windows\SysWOW64\ESPI11.dll

Filesize
120KB

MD5
b4c2caaa15d4e505ad2858ab15eafb58

SHA1
a1c30a4d016f1c6bd3bf50e36767af8af166d59b

SHA256
93e03eadd330242f2394c15cd32857194e5b80f6300835ef77f8558ca70a2ef1

SHA512
09b5903a579685522a521cec3b6026ab0d7b9cff3099f032254dbd2b48fbbdd9a7411c0765049784c64f520d41916e681cae206a736b4fab1868f449e84b4bf2

Download Submit
C:\Windows\SysWOW64\ESPI11.dll

Filesize
120KB

MD5
b4c2caaa15d4e505ad2858ab15eafb58

SHA1
a1c30a4d016f1c6bd3bf50e36767af8af166d59b

SHA256
93e03eadd330242f2394c15cd32857194e5b80f6300835ef77f8558ca70a2ef1

SHA512
09b5903a579685522a521cec3b6026ab0d7b9cff3099f032254dbd2b48fbbdd9a7411c0765049784c64f520d41916e681cae206a736b4fab1868f449e84b4bf2

Download Submit
memory/4200-146-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4200-170-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4200-148-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4200-150-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4200-152-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4200-154-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4200-156-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4200-158-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4200-160-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4200-162-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4200-164-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4200-166-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4200-168-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4200-132-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4200-172-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4200-174-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4200-144-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4200-142-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4200-140-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4200-178-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4200-181-0x0000000002B50000-0x0000000002B71000-memory.dmp

Filesize
132KB

Download
memory/4200-138-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4200-136-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4200-134-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4200-133-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing