fa60029e7a4d5545faca9a1aaa0bb9c257ebbfddf6b78a55383739734219d44f

General

Target

fa60029e7a4d5545faca9a1aaa0bb9c257ebbfddf6b78a55383739734219d44f.exe
Size

103KB
MD5

c4784dc9a2a18b33ae849e0708f30d6e
SHA1

b360e9b86c9b7c647835dded448bf27f9f4dc6d8
SHA256

fa60029e7a4d5545faca9a1aaa0bb9c257ebbfddf6b78a55383739734219d44f
SHA512

11d68f4ededf5c1731c175361a81b53150e2e79a0b4bbf6ea074868b066f5f6b025b9c0dd0f4b0f304d1864f48b5e393c1c5ebaf17c37a6c07af3edeb95040ba
SSDEEP

3072:g/N0LwH/hUmnWghcSMH9f4jIL7CdoMogJim2P28psn8:g/NxP0f4j27woMUP28a8

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1980	fa60029e7a4d5545faca9a1aaa0bb9c257ebbfddf6b78a55383739734219d44f.~01

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/800-61-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/800-77-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
800	fa60029e7a4d5545faca9a1aaa0bb9c257ebbfddf6b78a55383739734219d44f.exe
800	fa60029e7a4d5545faca9a1aaa0bb9c257ebbfddf6b78a55383739734219d44f.exe
800	fa60029e7a4d5545faca9a1aaa0bb9c257ebbfddf6b78a55383739734219d44f.exe
1980	fa60029e7a4d5545faca9a1aaa0bb9c257ebbfddf6b78a55383739734219d44f.~01

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SYSLIB32.DLL	fa60029e7a4d5545faca9a1aaa0bb9c257ebbfddf6b78a55383739734219d44f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
800	fa60029e7a4d5545faca9a1aaa0bb9c257ebbfddf6b78a55383739734219d44f.exe
800	fa60029e7a4d5545faca9a1aaa0bb9c257ebbfddf6b78a55383739734219d44f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 1980	800	fa60029e7a4d5545faca9a1aaa0bb9c257ebbfddf6b78a55383739734219d44f.exe	28
PID 800 wrote to memory of 1980	800	fa60029e7a4d5545faca9a1aaa0bb9c257ebbfddf6b78a55383739734219d44f.exe	28
PID 800 wrote to memory of 1980	800	fa60029e7a4d5545faca9a1aaa0bb9c257ebbfddf6b78a55383739734219d44f.exe	28
PID 800 wrote to memory of 1980	800	fa60029e7a4d5545faca9a1aaa0bb9c257ebbfddf6b78a55383739734219d44f.exe	28

C:\Users\Admin\AppData\Local\Temp\fa60029e7a4d5545faca9a1aaa0bb9c257ebbfddf6b78a55383739734219d44f.exe
"C:\Users\Admin\AppData\Local\Temp\fa60029e7a4d5545faca9a1aaa0bb9c257ebbfddf6b78a55383739734219d44f.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:800
- C:\Users\Admin\AppData\Local\Temp\fa60029e7a4d5545faca9a1aaa0bb9c257ebbfddf6b78a55383739734219d44f.~01
  C:\Users\Admin\AppData\Local\Temp\fa60029e7a4d5545faca9a1aaa0bb9c257ebbfddf6b78a55383739734219d44f.~01
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fa60029e7a4d5545faca9a1aaa0bb9c257ebbfddf6b78a55383739734219d44f.~01

Filesize
72KB

MD5
4ad3da672915db74b7673cfa211213fa

SHA1
06beb8444f05ccb1ba79bcb5f467717fe1992eba

SHA256
46e332b6dd6bd7436ba9fb1b7daf67259395adbdd5ca0596479d373d40a8636e

SHA512
7b33936b756d1695079dd988095fc2beeccd333da629782b480368f7e256aa1bf9541dcf129bd3e640e62eb79518e0acc7a85a3b86b1938d584d9ab3faf95d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa60029e7a4d5545faca9a1aaa0bb9c257ebbfddf6b78a55383739734219d44f.~01

Filesize
72KB

MD5
4ad3da672915db74b7673cfa211213fa

SHA1
06beb8444f05ccb1ba79bcb5f467717fe1992eba

SHA256
46e332b6dd6bd7436ba9fb1b7daf67259395adbdd5ca0596479d373d40a8636e

SHA512
7b33936b756d1695079dd988095fc2beeccd333da629782b480368f7e256aa1bf9541dcf129bd3e640e62eb79518e0acc7a85a3b86b1938d584d9ab3faf95d5d

Download Submit
C:\Windows\SysWOW64\SYSLIB32.DLL

Filesize
4KB

MD5
f14bd85eeba2b828a655fe62931035e5

SHA1
c6f962ab17705248f1c54675f3f02ee162d5a2b9

SHA256
78350b4add47b0ffa7ad91912fd3937afe19671b08df79463abcbedb12e470db

SHA512
9a825d7976e42259f7396e9bc174ae76a12e3464b7ea452270105a5510f97388c757c70d973fc94eefb715862e3b6c99edbd86b6ca936cd6670c7f3b7ea6fde2

Download Submit
\Users\Admin\AppData\Local\Temp\fa60029e7a4d5545faca9a1aaa0bb9c257ebbfddf6b78a55383739734219d44f.~01

Filesize
72KB

MD5
4ad3da672915db74b7673cfa211213fa

SHA1
06beb8444f05ccb1ba79bcb5f467717fe1992eba

SHA256
46e332b6dd6bd7436ba9fb1b7daf67259395adbdd5ca0596479d373d40a8636e

SHA512
7b33936b756d1695079dd988095fc2beeccd333da629782b480368f7e256aa1bf9541dcf129bd3e640e62eb79518e0acc7a85a3b86b1938d584d9ab3faf95d5d

Download Submit
\Users\Admin\AppData\Local\Temp\fa60029e7a4d5545faca9a1aaa0bb9c257ebbfddf6b78a55383739734219d44f.~01

Filesize
72KB

MD5
4ad3da672915db74b7673cfa211213fa

SHA1
06beb8444f05ccb1ba79bcb5f467717fe1992eba

SHA256
46e332b6dd6bd7436ba9fb1b7daf67259395adbdd5ca0596479d373d40a8636e

SHA512
7b33936b756d1695079dd988095fc2beeccd333da629782b480368f7e256aa1bf9541dcf129bd3e640e62eb79518e0acc7a85a3b86b1938d584d9ab3faf95d5d

Download Submit
\Windows\SysWOW64\SYSLIB32.DLL

Filesize
4KB

MD5
f14bd85eeba2b828a655fe62931035e5

SHA1
c6f962ab17705248f1c54675f3f02ee162d5a2b9

SHA256
78350b4add47b0ffa7ad91912fd3937afe19671b08df79463abcbedb12e470db

SHA512
9a825d7976e42259f7396e9bc174ae76a12e3464b7ea452270105a5510f97388c757c70d973fc94eefb715862e3b6c99edbd86b6ca936cd6670c7f3b7ea6fde2

Download Submit
\Windows\SysWOW64\SYSLIB32.DLL

Filesize
4KB

MD5
f14bd85eeba2b828a655fe62931035e5

SHA1
c6f962ab17705248f1c54675f3f02ee162d5a2b9

SHA256
78350b4add47b0ffa7ad91912fd3937afe19671b08df79463abcbedb12e470db

SHA512
9a825d7976e42259f7396e9bc174ae76a12e3464b7ea452270105a5510f97388c757c70d973fc94eefb715862e3b6c99edbd86b6ca936cd6670c7f3b7ea6fde2

Download Submit
memory/800-62-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/800-61-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/800-77-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1980-63-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing