49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608

General

Target

49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe
Size

1.5MB
MD5

88d379f82097fdb50c0b9a55fdb9e2f5
SHA1

b8eccb9bbc517e6c13a7331fbf87b1b39cf2f477
SHA256

49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608
SHA512

38d7a88e2c68adc9e3968e781a51b1a9aa8249fdf6df53129bc82c104b77c1169852b545dc6c9a47855507487e5fd41c34c3a2f7b0510e4ac8c0589102337f6e
SSDEEP

49152:mcYTuIXq4/kdbS3/eE0XgvRt8eNZmeifNq4t:mXiEK8xggvhNZmeifNV

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

FB_8DF3.tmp.exeFB_A4E7.tmp.exeFB_A814.tmp.exeFB_8DF3.tmp.exeFB_A4E7.tmp.exe

pid process

4872 FB_8DF3.tmp.exe
5096 FB_A4E7.tmp.exe
928 FB_A814.tmp.exe
1656 FB_8DF3.tmp.exe
4484 FB_A4E7.tmp.exe

pid	process
4872	FB_8DF3.tmp.exe
5096	FB_A4E7.tmp.exe
928	FB_A814.tmp.exe
1656	FB_8DF3.tmp.exe
4484	FB_A4E7.tmp.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4484-161-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Suspicious use of SetThreadContext 3 IoCs

Processes:

49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exeFB_8DF3.tmp.exeFB_A4E7.tmp.exe

description	pid	process	target process
PID 4632 set thread context of 5052	4632	49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe	AppLaunch.exe
PID 4872 set thread context of 1656	4872	FB_8DF3.tmp.exe	FB_8DF3.tmp.exe
PID 5096 set thread context of 4484	5096	FB_A4E7.tmp.exe	FB_A4E7.tmp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exeFB_8DF3.tmp.exeFB_A4E7.tmp.exeFB_A814.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4632	49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe
Token: SeDebugPrivilege	4872	FB_8DF3.tmp.exe
Token: SeDebugPrivilege	5096	FB_A4E7.tmp.exe
Token: SeDebugPrivilege	928	FB_A814.tmp.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exeAppLaunch.exeFB_8DF3.tmp.exeFB_A4E7.tmp.exe

description	pid	process	target process
PID 4632 wrote to memory of 5052	4632	49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe	AppLaunch.exe
PID 4632 wrote to memory of 5052	4632	49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe	AppLaunch.exe
PID 4632 wrote to memory of 5052	4632	49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe	AppLaunch.exe
PID 4632 wrote to memory of 5052	4632	49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe	AppLaunch.exe
PID 4632 wrote to memory of 5052	4632	49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe	AppLaunch.exe
PID 4632 wrote to memory of 5052	4632	49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe	AppLaunch.exe
PID 4632 wrote to memory of 5052	4632	49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe	AppLaunch.exe
PID 4632 wrote to memory of 5052	4632	49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe	AppLaunch.exe
PID 4632 wrote to memory of 5052	4632	49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe	AppLaunch.exe
PID 5052 wrote to memory of 4872	5052	AppLaunch.exe	FB_8DF3.tmp.exe
PID 5052 wrote to memory of 4872	5052	AppLaunch.exe	FB_8DF3.tmp.exe
PID 5052 wrote to memory of 4872	5052	AppLaunch.exe	FB_8DF3.tmp.exe
PID 5052 wrote to memory of 5096	5052	AppLaunch.exe	FB_A4E7.tmp.exe
PID 5052 wrote to memory of 5096	5052	AppLaunch.exe	FB_A4E7.tmp.exe
PID 5052 wrote to memory of 5096	5052	AppLaunch.exe	FB_A4E7.tmp.exe
PID 5052 wrote to memory of 928	5052	AppLaunch.exe	FB_A814.tmp.exe
PID 5052 wrote to memory of 928	5052	AppLaunch.exe	FB_A814.tmp.exe
PID 5052 wrote to memory of 928	5052	AppLaunch.exe	FB_A814.tmp.exe
PID 4872 wrote to memory of 1656	4872	FB_8DF3.tmp.exe	FB_8DF3.tmp.exe
PID 4872 wrote to memory of 1656	4872	FB_8DF3.tmp.exe	FB_8DF3.tmp.exe
PID 4872 wrote to memory of 1656	4872	FB_8DF3.tmp.exe	FB_8DF3.tmp.exe
PID 4872 wrote to memory of 1656	4872	FB_8DF3.tmp.exe	FB_8DF3.tmp.exe
PID 4872 wrote to memory of 1656	4872	FB_8DF3.tmp.exe	FB_8DF3.tmp.exe
PID 4872 wrote to memory of 1656	4872	FB_8DF3.tmp.exe	FB_8DF3.tmp.exe
PID 4872 wrote to memory of 1656	4872	FB_8DF3.tmp.exe	FB_8DF3.tmp.exe
PID 4872 wrote to memory of 1656	4872	FB_8DF3.tmp.exe	FB_8DF3.tmp.exe
PID 5096 wrote to memory of 4484	5096	FB_A4E7.tmp.exe	FB_A4E7.tmp.exe
PID 5096 wrote to memory of 4484	5096	FB_A4E7.tmp.exe	FB_A4E7.tmp.exe
PID 5096 wrote to memory of 4484	5096	FB_A4E7.tmp.exe	FB_A4E7.tmp.exe
PID 5096 wrote to memory of 4484	5096	FB_A4E7.tmp.exe	FB_A4E7.tmp.exe
PID 5096 wrote to memory of 4484	5096	FB_A4E7.tmp.exe	FB_A4E7.tmp.exe
PID 5096 wrote to memory of 4484	5096	FB_A4E7.tmp.exe	FB_A4E7.tmp.exe
PID 5096 wrote to memory of 4484	5096	FB_A4E7.tmp.exe	FB_A4E7.tmp.exe

C:\Users\Admin\AppData\Local\Temp\49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe
"C:\Users\Admin\AppData\Local\Temp\49e147f16a5b0a8fb2230b87320f79256bcd74867fd0ef6f58db56bd4b63d608.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5052

C:\Users\Admin\AppData\Local\Temp\FB_8DF3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_8DF3.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872

C:\Users\Admin\AppData\Local\Temp\FB_8DF3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_8DF3.tmp.exe"
4⤵
- Executes dropped EXE
PID:1656

C:\Users\Admin\AppData\Local\Temp\FB_A4E7.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_A4E7.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5096

C:\Users\Admin\AppData\Local\Temp\FB_A4E7.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_A4E7.tmp.exe"
4⤵
- Executes dropped EXE
PID:4484

C:\Users\Admin\AppData\Local\Temp\FB_A814.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_A814.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FB_8DF3.tmp.exe
Filesize
375KB

MD5
e70554626613b71cad3ee25fedc14860

SHA1
44a6ee6a6fa305f6361e9c22bd81b65b7c73d029

SHA256
d1a69a078b42b37ca36b10a42004a1c24772eec70b2c81e99e29b7c8fe64d2c8

SHA512
a7db08e98daa5bd0d9c520736ce24bf43ad77818f16cdbe8f99d50f5bb8d26499a08fcd0e164121ce96c84518c2aea01027e685c6688f37f5ed91edf08465f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_8DF3.tmp.exe
Filesize
375KB

MD5
e70554626613b71cad3ee25fedc14860

SHA1
44a6ee6a6fa305f6361e9c22bd81b65b7c73d029

SHA256
d1a69a078b42b37ca36b10a42004a1c24772eec70b2c81e99e29b7c8fe64d2c8

SHA512
a7db08e98daa5bd0d9c520736ce24bf43ad77818f16cdbe8f99d50f5bb8d26499a08fcd0e164121ce96c84518c2aea01027e685c6688f37f5ed91edf08465f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_8DF3.tmp.exe
Filesize
375KB

MD5
e70554626613b71cad3ee25fedc14860

SHA1
44a6ee6a6fa305f6361e9c22bd81b65b7c73d029

SHA256
d1a69a078b42b37ca36b10a42004a1c24772eec70b2c81e99e29b7c8fe64d2c8

SHA512
a7db08e98daa5bd0d9c520736ce24bf43ad77818f16cdbe8f99d50f5bb8d26499a08fcd0e164121ce96c84518c2aea01027e685c6688f37f5ed91edf08465f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_A4E7.tmp.exe
Filesize
133KB

MD5
510be7b2655743c1816d28cf348f0605

SHA1
ee71ce07ed98a82c4d2b9dac1e7f1c6dabe06456

SHA256
a1fd1f4c66a5c748a43bf8aa670850ff0a4ec5941e6f91e1140b4c021ff259de

SHA512
c5714a24caac7870042fb8ac113eb4d8a9f71b1db43b47f9695a0274b5f8a4964225903d05b0e93738c4f1ba51928cd85b9585311b0ea74279e7d47664a10271

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_A4E7.tmp.exe
Filesize
133KB

MD5
510be7b2655743c1816d28cf348f0605

SHA1
ee71ce07ed98a82c4d2b9dac1e7f1c6dabe06456

SHA256
a1fd1f4c66a5c748a43bf8aa670850ff0a4ec5941e6f91e1140b4c021ff259de

SHA512
c5714a24caac7870042fb8ac113eb4d8a9f71b1db43b47f9695a0274b5f8a4964225903d05b0e93738c4f1ba51928cd85b9585311b0ea74279e7d47664a10271

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_A4E7.tmp.exe
Filesize
133KB

MD5
510be7b2655743c1816d28cf348f0605

SHA1
ee71ce07ed98a82c4d2b9dac1e7f1c6dabe06456

SHA256
a1fd1f4c66a5c748a43bf8aa670850ff0a4ec5941e6f91e1140b4c021ff259de

SHA512
c5714a24caac7870042fb8ac113eb4d8a9f71b1db43b47f9695a0274b5f8a4964225903d05b0e93738c4f1ba51928cd85b9585311b0ea74279e7d47664a10271

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_A814.tmp.exe
Filesize
897KB

MD5
2a7379159a848b79c2c572eb10111c90

SHA1
386edeaa78a8610ffc84b267c6f11cb66d13914d

SHA256
214cd649809bb59f310824dc79062b6da45f630063e9c81bea70d87de55eebe0

SHA512
480e34086e1d99bffebebc51537f3964366fbec49ab387eba9cb36507661ffe3d111c182a1e1e5c980a3df187ba26b2714f551ba5e4387bca567bbd3d5673f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_A814.tmp.exe
Filesize
897KB

MD5
2a7379159a848b79c2c572eb10111c90

SHA1
386edeaa78a8610ffc84b267c6f11cb66d13914d

SHA256
214cd649809bb59f310824dc79062b6da45f630063e9c81bea70d87de55eebe0

SHA512
480e34086e1d99bffebebc51537f3964366fbec49ab387eba9cb36507661ffe3d111c182a1e1e5c980a3df187ba26b2714f551ba5e4387bca567bbd3d5673f3e

Download Submit
memory/928-157-0x0000000073E70000-0x0000000074421000-memory.dmp

Filesize
5.7MB

Download
memory/928-153-0x0000000073E70000-0x0000000074421000-memory.dmp

Filesize
5.7MB

Download
memory/928-146-0x0000000000000000-mapping.dmp

Download
memory/1656-154-0x0000000000000000-mapping.dmp

Download
memory/1656-159-0x0000000073E70000-0x0000000074421000-memory.dmp

Filesize
5.7MB

Download
memory/1656-155-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4484-161-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4484-160-0x0000000000000000-mapping.dmp

Download
memory/4632-139-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/4632-133-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/4632-132-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/4872-158-0x0000000073E70000-0x0000000074421000-memory.dmp

Filesize
5.7MB

Download
memory/4872-140-0x0000000000000000-mapping.dmp

Download
memory/4872-149-0x0000000073E70000-0x0000000074421000-memory.dmp

Filesize
5.7MB

Download
memory/4872-151-0x0000000073E70000-0x0000000074421000-memory.dmp

Filesize
5.7MB

Download
memory/5052-137-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/5052-134-0x0000000000000000-mapping.dmp

Download
memory/5052-135-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/5052-138-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/5096-143-0x0000000000000000-mapping.dmp

Download
memory/5096-152-0x0000000073E70000-0x0000000074421000-memory.dmp

Filesize
5.7MB

Download
memory/5096-150-0x0000000073E70000-0x0000000074421000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads