1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6

Analysis

max time kernel
189s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6.exe
Size

95KB
MD5

3e07fd03fedbb0ee2ce9a259f32bde09
SHA1

1f23a321cc285c4758e887be69f050fcbde459b8
SHA256

1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6
SHA512

b51dd61b2e3f0f6d0d1e92ffa78f7e50f451bb47b5987c4ad63f18a1c5defc7ba097daba850069a2d8d9db9daf7247d0ddc3f952dcab89388aaaf85d705822b6
SSDEEP

1536:fPVcNBUum97yZcjM6rr6pY5CD8o48D5oC3NAVnCMcb6D6YdVD4qpViMASeL11KC0:lcLlqacjb6pqoloC3NAVn1KVYdSMVilb

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
3248	Lexplorer.exe
2816	Lexplorer.exe
3476	Lexplorer.exe
3808	Lexplorer.exe
3264	Lexplorer.exe
4480	Lexplorer.exe
5076	Lexplorer.exe
3276	Lexplorer.exe
4280	Lexplorer.exe
4184	Lexplorer.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4192-132-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/files/0x000200000001e72a-134.dat	upx
behavioral2/files/0x000200000001e72a-135.dat	upx
behavioral2/memory/4192-136-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/3248-137-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/files/0x000200000001e72a-139.dat	upx
behavioral2/memory/2816-140-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/files/0x000200000001e72a-142.dat	upx
behavioral2/memory/3476-143-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/3476-144-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/files/0x000200000001e72a-146.dat	upx
behavioral2/memory/3808-147-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/files/0x000200000001e72a-149.dat	upx
behavioral2/memory/3264-150-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/files/0x000200000001e72a-152.dat	upx
behavioral2/memory/4480-153-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/files/0x000200000001e72a-155.dat	upx
behavioral2/memory/5076-156-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/files/0x000200000001e72a-158.dat	upx
behavioral2/memory/3276-159-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/files/0x000200000001e72a-161.dat	upx
behavioral2/memory/4280-162-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/files/0x000200000001e72a-164.dat	upx
behavioral2/memory/4184-165-0x0000000000400000-0x000000000048A000-memory.dmp	upx

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lexplorer.exe	1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6.exe
File opened for modification	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File opened for modification	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File created	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File created	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File created	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File opened for modification	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File created	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File created	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File opened for modification	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File created	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File created	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File opened for modification	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File opened for modification	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File opened for modification	C:\Windows\SysWOW64\Lexplorer.exe	1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6.exe
File opened for modification	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File created	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File created	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File opened for modification	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File opened for modification	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File created	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe
File opened for modification	C:\Windows\SysWOW64\Lexplorer.exe	Lexplorer.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 3248	4192	1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6.exe	78
PID 4192 wrote to memory of 3248	4192	1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6.exe	78
PID 4192 wrote to memory of 3248	4192	1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6.exe	78
PID 3248 wrote to memory of 2816	3248	Lexplorer.exe	79
PID 3248 wrote to memory of 2816	3248	Lexplorer.exe	79
PID 3248 wrote to memory of 2816	3248	Lexplorer.exe	79
PID 2816 wrote to memory of 3476	2816	Lexplorer.exe	82
PID 2816 wrote to memory of 3476	2816	Lexplorer.exe	82
PID 2816 wrote to memory of 3476	2816	Lexplorer.exe	82
PID 3476 wrote to memory of 3808	3476	Lexplorer.exe	83
PID 3476 wrote to memory of 3808	3476	Lexplorer.exe	83
PID 3476 wrote to memory of 3808	3476	Lexplorer.exe	83
PID 3808 wrote to memory of 3264	3808	Lexplorer.exe	84
PID 3808 wrote to memory of 3264	3808	Lexplorer.exe	84
PID 3808 wrote to memory of 3264	3808	Lexplorer.exe	84
PID 3264 wrote to memory of 4480	3264	Lexplorer.exe	85
PID 3264 wrote to memory of 4480	3264	Lexplorer.exe	85
PID 3264 wrote to memory of 4480	3264	Lexplorer.exe	85
PID 4480 wrote to memory of 5076	4480	Lexplorer.exe	86
PID 4480 wrote to memory of 5076	4480	Lexplorer.exe	86
PID 4480 wrote to memory of 5076	4480	Lexplorer.exe	86
PID 5076 wrote to memory of 3276	5076	Lexplorer.exe	87
PID 5076 wrote to memory of 3276	5076	Lexplorer.exe	87
PID 5076 wrote to memory of 3276	5076	Lexplorer.exe	87
PID 3276 wrote to memory of 4280	3276	Lexplorer.exe	88
PID 3276 wrote to memory of 4280	3276	Lexplorer.exe	88
PID 3276 wrote to memory of 4280	3276	Lexplorer.exe	88
PID 4280 wrote to memory of 4184	4280	Lexplorer.exe	89
PID 4280 wrote to memory of 4184	4280	Lexplorer.exe	89
PID 4280 wrote to memory of 4184	4280	Lexplorer.exe	89

C:\Users\Admin\AppData\Local\Temp\1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6.exe
"C:\Users\Admin\AppData\Local\Temp\1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Windows\SysWOW64\Lexplorer.exe
  C:\Windows\system32\Lexplorer.exe 1152 "C:\Users\Admin\AppData\Local\Temp\1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Windows\SysWOW64\Lexplorer.exe
    C:\Windows\system32\Lexplorer.exe 1120 "C:\Windows\SysWOW64\Lexplorer.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\Lexplorer.exe
      C:\Windows\system32\Lexplorer.exe 1132 "C:\Windows\SysWOW64\Lexplorer.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3476
    - - C:\Windows\SysWOW64\Lexplorer.exe
        
        C:\Windows\system32\Lexplorer.exe 1124 "C:\Windows\SysWOW64\Lexplorer.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3808
      - C:\Windows\SysWOW64\Lexplorer.exe
        
        C:\Windows\system32\Lexplorer.exe 1136 "C:\Windows\SysWOW64\Lexplorer.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Lexplorer.exe
        
        C:\Windows\system32\Lexplorer.exe 976 "C:\Windows\SysWOW64\Lexplorer.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Lexplorer.exe
        
        C:\Windows\system32\Lexplorer.exe 1148 "C:\Windows\SysWOW64\Lexplorer.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Lexplorer.exe
        
        C:\Windows\system32\Lexplorer.exe 1140 "C:\Windows\SysWOW64\Lexplorer.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Lexplorer.exe
        
        C:\Windows\system32\Lexplorer.exe 1144 "C:\Windows\SysWOW64\Lexplorer.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Lexplorer.exe
        
        C:\Windows\system32\Lexplorer.exe 1116 "C:\Windows\SysWOW64\Lexplorer.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4184

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lexplorer.exe

Filesize
95KB

MD5
3e07fd03fedbb0ee2ce9a259f32bde09

SHA1
1f23a321cc285c4758e887be69f050fcbde459b8

SHA256
1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6

SHA512
b51dd61b2e3f0f6d0d1e92ffa78f7e50f451bb47b5987c4ad63f18a1c5defc7ba097daba850069a2d8d9db9daf7247d0ddc3f952dcab89388aaaf85d705822b6

Download Submit
C:\Windows\SysWOW64\Lexplorer.exe

Filesize
95KB

MD5
3e07fd03fedbb0ee2ce9a259f32bde09

SHA1
1f23a321cc285c4758e887be69f050fcbde459b8

SHA256
1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6

SHA512
b51dd61b2e3f0f6d0d1e92ffa78f7e50f451bb47b5987c4ad63f18a1c5defc7ba097daba850069a2d8d9db9daf7247d0ddc3f952dcab89388aaaf85d705822b6

Download Submit
C:\Windows\SysWOW64\Lexplorer.exe

Filesize
95KB

MD5
3e07fd03fedbb0ee2ce9a259f32bde09

SHA1
1f23a321cc285c4758e887be69f050fcbde459b8

SHA256
1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6

SHA512
b51dd61b2e3f0f6d0d1e92ffa78f7e50f451bb47b5987c4ad63f18a1c5defc7ba097daba850069a2d8d9db9daf7247d0ddc3f952dcab89388aaaf85d705822b6

Download Submit
C:\Windows\SysWOW64\Lexplorer.exe

Filesize
95KB

MD5
3e07fd03fedbb0ee2ce9a259f32bde09

SHA1
1f23a321cc285c4758e887be69f050fcbde459b8

SHA256
1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6

SHA512
b51dd61b2e3f0f6d0d1e92ffa78f7e50f451bb47b5987c4ad63f18a1c5defc7ba097daba850069a2d8d9db9daf7247d0ddc3f952dcab89388aaaf85d705822b6

Download Submit
C:\Windows\SysWOW64\Lexplorer.exe

Filesize
95KB

MD5
3e07fd03fedbb0ee2ce9a259f32bde09

SHA1
1f23a321cc285c4758e887be69f050fcbde459b8

SHA256
1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6

SHA512
b51dd61b2e3f0f6d0d1e92ffa78f7e50f451bb47b5987c4ad63f18a1c5defc7ba097daba850069a2d8d9db9daf7247d0ddc3f952dcab89388aaaf85d705822b6

Download Submit
C:\Windows\SysWOW64\Lexplorer.exe

Filesize
95KB

MD5
3e07fd03fedbb0ee2ce9a259f32bde09

SHA1
1f23a321cc285c4758e887be69f050fcbde459b8

SHA256
1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6

SHA512
b51dd61b2e3f0f6d0d1e92ffa78f7e50f451bb47b5987c4ad63f18a1c5defc7ba097daba850069a2d8d9db9daf7247d0ddc3f952dcab89388aaaf85d705822b6

Download Submit
C:\Windows\SysWOW64\Lexplorer.exe

Filesize
95KB

MD5
3e07fd03fedbb0ee2ce9a259f32bde09

SHA1
1f23a321cc285c4758e887be69f050fcbde459b8

SHA256
1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6

SHA512
b51dd61b2e3f0f6d0d1e92ffa78f7e50f451bb47b5987c4ad63f18a1c5defc7ba097daba850069a2d8d9db9daf7247d0ddc3f952dcab89388aaaf85d705822b6

Download Submit
C:\Windows\SysWOW64\Lexplorer.exe

Filesize
95KB

MD5
3e07fd03fedbb0ee2ce9a259f32bde09

SHA1
1f23a321cc285c4758e887be69f050fcbde459b8

SHA256
1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6

SHA512
b51dd61b2e3f0f6d0d1e92ffa78f7e50f451bb47b5987c4ad63f18a1c5defc7ba097daba850069a2d8d9db9daf7247d0ddc3f952dcab89388aaaf85d705822b6

Download Submit
C:\Windows\SysWOW64\Lexplorer.exe

Filesize
95KB

MD5
3e07fd03fedbb0ee2ce9a259f32bde09

SHA1
1f23a321cc285c4758e887be69f050fcbde459b8

SHA256
1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6

SHA512
b51dd61b2e3f0f6d0d1e92ffa78f7e50f451bb47b5987c4ad63f18a1c5defc7ba097daba850069a2d8d9db9daf7247d0ddc3f952dcab89388aaaf85d705822b6

Download Submit
C:\Windows\SysWOW64\Lexplorer.exe

Filesize
95KB

MD5
3e07fd03fedbb0ee2ce9a259f32bde09

SHA1
1f23a321cc285c4758e887be69f050fcbde459b8

SHA256
1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6

SHA512
b51dd61b2e3f0f6d0d1e92ffa78f7e50f451bb47b5987c4ad63f18a1c5defc7ba097daba850069a2d8d9db9daf7247d0ddc3f952dcab89388aaaf85d705822b6

Download Submit
C:\Windows\SysWOW64\Lexplorer.exe

Filesize
95KB

MD5
3e07fd03fedbb0ee2ce9a259f32bde09

SHA1
1f23a321cc285c4758e887be69f050fcbde459b8

SHA256
1336629ee7f118a02fb92d58cda63bdd7a59827de73cde5e31feb40f6452f3b6

SHA512
b51dd61b2e3f0f6d0d1e92ffa78f7e50f451bb47b5987c4ad63f18a1c5defc7ba097daba850069a2d8d9db9daf7247d0ddc3f952dcab89388aaaf85d705822b6

Download Submit
memory/2816-140-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3248-137-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3264-150-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3276-159-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3476-144-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3476-143-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3808-147-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4184-165-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4192-132-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4192-136-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4280-162-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4480-153-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5076-156-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download