6fb98833a3504121684eb7126eb60d3efa718000228c549790df0eae526315d2

General

Target

װ2.0.exe
Size

3.0MB
MD5

5b4176f16a2724fbf60583c6acded426
SHA1

ba93662d8e2f8d9e56b71c9256139680fc65d6ff
SHA256

7fa142160273541dfb7286ee0c483eaf59e5ad270eecb0e1933d2e8a04d6ecda
SHA512

79f6d4386e4ed4cd0de532f0c9c62472344a5c21971e686fbe1c49be6ac3bcb0be2bb7727f8968c188d5e90a3070345dd9549784a44ef1951ccda2487d351489
SSDEEP

49152:LMJEH6vSgbzuKPWPSi6qZnO7/3ood5LwzW2/3h/tOoyaPnkDLSpO:gJEHoSgPuKPWPP6qZO7/ZcdOGg7

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4788-1482-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1484-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1485-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1486-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1487-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1489-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1491-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1493-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1495-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1497-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1499-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1501-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1503-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1505-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1508-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1510-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1512-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1514-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1518-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1520-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1516-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1522-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1524-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1526-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1528-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4788-1530-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
4788	װ2.0.exe
4788	װ2.0.exe
4788	װ2.0.exe
4788	װ2.0.exe
4788	װ2.0.exe
4788	װ2.0.exe
4788	װ2.0.exe
4788	װ2.0.exe
4788	װ2.0.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2072	4788	WerFault.exe	82
1216	4788	WerFault.exe	82

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	װ2.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	װ2.0.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4788	װ2.0.exe
4788	װ2.0.exe
4788	װ2.0.exe

C:\Users\Admin\AppData\Local\Temp\װ2.0.exe
"C:\Users\Admin\AppData\Local\Temp\װ2.0.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4788
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 740
  2⤵
  - Program crash
  PID:2072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 760
  2⤵
  - Program crash
  PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4788 -ip 4788
1⤵
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4788 -ip 4788
1⤵
PID:3632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4788-132-0x0000000000400000-0x00000000006F9000-memory.dmp

Filesize
3.0MB

Download
memory/4788-133-0x00000000775D0000-0x0000000077773000-memory.dmp

Filesize
1.6MB

Download
memory/4788-134-0x00000000765F0000-0x0000000076805000-memory.dmp

Filesize
2.1MB

Download
memory/4788-136-0x00000000768C0000-0x0000000076A60000-memory.dmp

Filesize
1.6MB

Download
memory/4788-137-0x0000000075A70000-0x0000000075AEA000-memory.dmp

Filesize
488KB

Download
memory/4788-1481-0x0000000002470000-0x0000000002570000-memory.dmp

Filesize
1024KB

Download
memory/4788-1482-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1484-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1485-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1486-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1487-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1489-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1491-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1493-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1495-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1497-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1499-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1501-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1503-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1505-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1508-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1510-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1512-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1514-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1518-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1520-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1516-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1522-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1524-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1526-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1528-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4788-1529-0x0000000000400000-0x00000000006F9000-memory.dmp

Filesize
3.0MB

Download
memory/4788-1530-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing